Search results

Purchasing information

As part of our ISO 13485 Documentation toolkit, we have prepared two types of quality agreements: one for critical suppliers and a quality agreement for subcontractors.  The subcontractor is a company who produces something especially for you like in your example. Critical suppliers are all those suppliers which can have a significant impact on the quality and/or safety of your product.

Preview of those two contracts you can see on the following links:

• Quality Agreement for Subcontractor https://advisera.com/13485academy/documentation/quality-agreement-for-subcontractor/
• Quality Agreement for Critical Supplier https://advisera.com/13485academy/documentation/quality-agreement-for-critical-supplier/

Of course, these contracts cover all mandatory parts, but it is possible that you add important points to you.

Question about ISO22301 template

1 - I am looking for an example of a process dependency matrix. 

Considering ISO 22301, I suggest you take a look at our Business Impact Analysis Questionnaire template at this link: https://advisera.com/27001academy/documentation/business-impact-analysis-questionnaire/

The purpose of this document is to gather all required information for the development of the business continuity strategy, including the relationship between business processes.

For further information, see:

• How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

2 - I am also buys with a very big clients BCP. They have quite a few emergency and evacuation and other plans (SHE, Fire) being a power station. How does one integrate these into the BCP and how do I link this to the Incident management process?

Please note that the Business Continuity Plan (BCP) can be composed of several plans (e.g., incident response plans, recovery plans, disaster recovery plans, etc.) according to the considered scenario.

The integration of a BCP with the Incident management process is by defining in the Incident management process when an incident is critical enough so activation of the BCP needs to be considered.

Regarding the integration of these plans with the BCP, from our experience, you should consider:

• one top-level document called Business Continuity Plan, where you define the crisis management plan, and the general rules by which all continuity activities will abide, ensuring all plans are aligned.
• separated Incident Response Plans for describing how you would respond to different incidents, covering related activities required by all areas of the organization.
• recovery plans for describing how to recover each of your processes/departments/projects in case of a disruption, also covering related activities required by all areas of the organization. For IT operations this plan is commonly known as the Disaster Recovery Plan.

For more information, please see:

• How to write business continuity plans? https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/
• Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/

These materials will also help you regarding business continuity planning:

• Writing a business continuity plan according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/writing-a-business-continuity-plan-according-to-iso-22301-free-webinar-on-demand/
• Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/27001academy/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/

Specific policy/procedure alongside our scope

According to the link you shared the requirement is ISO 17025 accreditation. The specific tests would use to test a random number generator (RMG)  would depend on industry standards. The ISO 17025 toolkit is suitable to assist all testing laboratories implement ISO 17025 for accreditation purposes. Yes, you are correct the technical aspects and the selection of test methods is not within the scope of the toolkit. Note too that there are certification bodies that provide recognition for the Gambling sector. These certification programs would have specific requirements that will also need to be met. in addition to ISO 17025

For more information on ISO 17025 see

The Whitepaper Clause-by-clause explanation of ISO 17025:2017, available at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/

and ISO 17025 Documentation Toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

Software Password Storage

I’m assuming you want to know where to record the information about where passwords/keys are stored.

Considering that, please note that the Password policy has an item which defines that “files containing passwords must be stored separately from the application's system data”. 

Since the Password policy does not have a section for record management, I suggest you use Access Control Policy for this purpose.

This Access control policy Integrates the use of the Password Policy in section 3.8, and from this section you can include in its section 4 - Managing records kept on the basis of this document, a record describing how you implement this storage.

In Vivo Test Requirement

For biocompatibility, in vivo testing are necessary considering the type of the product. In ISO 10993-1:2018, there is a table that guides what tests are necessary depending on the type of the product: is it a surface device, external communicated device, or implantable device. So, which kind of tests are necessary for you, you need to go through that table. 

For more information, see this link: https://www.iso.org/standard/68936.html
 

GDPR

Since you offer IaaS and PaaS services to an EU company, you will have access to personal data. You should be a data processor unless you have autonomy in the way you process personal data. According to Chapter V in GDPR, you need to do the data transfer via one of the accepted transfer mechanisms: adequacy decision (Art 45 GDPR), binding corporate rules (Art 47 GDPR), standard contractual clauses, approved code of conduct, approved certification mechanism (Art 46 GDPR) or Derogations (Art 49 GDPR). My recommendation is to use the new EU Standard Contractual Clauses for Controller to Processor, adding the necessary additional technical and organizational measures to offer the same level of protection for transferred personal data as it is offered under GDPR in the EU.

Please read more details:

• Chapter V GDPR - Transfers of personal data to third countries or international organisations: https://advisera.com/eugdpracademy/gdpr-text/transfers-of-personal-data-to-third-countries-or-international-organisations/
• Article 45– Transfers on the basis of an adequacy decision: https://advisera.com/gdpr/transfers-on-the-basis-of-an-adequacy-decision/
• Article 46– Transfers subject to appropriate safeguards: https://advisera.com/gdpr/transfers-subject-to-appropriate-safeguards/
• Article 47– Binding corporate rules: https://advisera.com/gdpr/binding-corporate-rules/
• Article 49– Derogations for specific situations: https://advisera.com/eugdpracademy/gdpr/derogations-for-specific-situations/
• Cross Border Personal Data Transfer Procedure: https://advisera.com/eugdpracademy/documentation/cross-border-personal-data-transfer-procedure/
• EU GDPR Toolkit (containing all documentation for GDPR Compliance): https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/

Clause 4.3: ISMS scope

ISO 27001 ISMS scope can be defined in terms of information, processes, or location to be protected. Considering that, you can make your scope more precise by defining information (e.g., customer information, sales, information, research, and development information, etc.), processes (e.g., software development processes, production processes, etc.), or location (information in the company building, in the finance floor, etc.).

This article will provide you a further explanation about ISMS scope:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

This material can also be helpful:

• How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/

Confidentially statement

Please note that the controls related to the Information Classification Policy do not require any documentation to be written, so you can have a Policy for Handling Classified Information implemented only as a set of practices that everyone knows and follows. For example, you can simply define that all your information is classified as restricted and include this information in the Statement of Applicability, as an implementation method, without the need to write a specific policy document.

This article will provide you a further explanation about information classification:

• Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

These materials will also help you regarding information labeling:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
• ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
   

NIST 800-53 vs ISO 27001

You should first study information security regulations for financial organizations in the countries you operate to evaluate whether 27001 or NIST is closer to the requirements the requirements you need to fulfill. For example, in most European countries 27001 is more appropriate.

These articles will provide you a further explanation about ISO 27001 and NIST:
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- How to use NIST SP 800-53 for the implementation of ISO 27001 controls https://advisera.com/27001academy/blog/2016/05/10/how-to-use-nist-sp-800-53-for-the-implementation-of-iso-27001-controls/