Please note that such templates are not mandatory for ISO 27001, nor are they commonly adopted by organizations in general.
The closest templates we can suggest you check to see if they can fulfill your needs are these ISO 9001 templates:
For further information, see:
1. How would we know what regulation is applicable if they have never stated?
If you are on the EU market, then each manufacturer of a medical device or its components must be in compliance with Harmonised or state of the art standards (Article 8 of the Medical device regulation MDR 2017/745).
Those standards you can find on the following links:
Basically, besides ISO 13485:2016, all manufacturers must also be in compliance with ISO 14971:2019 (Risk management for medical devices), EN ISO 15223-1:2021 (for symbols), and EN ISO 20417:2021 (Information to be supplied by the manufacturer). Whether any other technical standard applies would depend on the type of component: metal, plastic, or something else.
For more information, see:
2. Can the toolkit ISO 13485:2016 be combined with the ISO 9001:2015?
Yes, it can; several requirements are very similar, such as the internal audit process, corrective actions management, the non-conformity process, and document management. At the end of the standard ISO 13485:2016 you have Table B1, Correspondence between ISO 13485:2016 and ISO 9001:2015, and Table B2, Correspondence between ISO 9001:2015 and ISO 13485:2016, so the correspondence is given from both sides.
3. We don’t have to report to the authorities if we have a customer complaint. How would we write this in our procedure, or would we leave this alone? Would we use the form also, and if so, how would we use this?
This just depends on whether or not your product is registered somewhere as a medical device separately. If not, then you do not have to communicate with regulators.
Implementing ISO 27001 and ISO 22301 considering only internal needs is acceptable for certification purposes. In this case, the “customers” can be some of the organization’s own internal departments (e.g., Projects department as a customer of IT department, Accounting department as a customer of the Sales department, etc.).
Later, when and if you identify the need, you can expand the certification scope to cover the organization’s customers’ security and service availability requirements.
These articles will provide you with a further explanation about the scope definition and interested parties:
1. It seems like you are informing me through Conformio that I should prepare policies with Annex A controls incorporated into them (as it seems in the Project Plan). For example, Title: Incident Response Policy; we will mention the Annex A controls in it. Shouldn't we just have a folder A.16 Information Security Incident Management and files A.16.1 Responsibilities, A.16.1.2 Reporting Information Security Events, A.16.1.3 Reporting Information Security Weaknesses, A.16.1.4 Assessment of and Decision on Information Security Events, etc.?
Please note that organizing documents as you suggest only makes them more difficult to read and maintain.
Considering your example, instead of a single document defining how incident management is implemented you would have to keep seven independent documents.
Additionally, when you have a document that refers to controls from different sections (e.g., the Supplier Security Policy refers to controls from sections A.7, A.8, A.14, and A.15), reading and maintenance become even more difficult.
For further information, see:
2. Is there a Tool JUST on Risk Assessment?
To perform just the risk assessment we have the Risk Assessment Toolkit (https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/), which comprises the following documents:
This article will provide you with a further explanation about risk assessment:
These materials will also help you regarding risk assessment:
1 - Do you have a presentation that shares some insight on the opposite route: using ISO 27001 for implementing ISO 9001?
These materials can give you the insights you are looking for:
2 - And would there be any value in going down that route, given our customers do not normally require ISO 9001?
Please note that besides the benefits for the customer (which are the main driver for ISO 9001), the organization itself can benefit from implementing ISO 9001:
So, even if customers do not require it, implementing ISO 9001 can bring value to the organization.
For further information, see:
1 - Here is the practice I've found (part 1): After reading one of your articles (https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/) I found that I just had to cut things into smaller pieces. Your article is also a nice argument, since the architect manager had told me he prefers bible documents, and my manager doesn't like the idea at all. That article really is a great help for me. Thanks for writing it. You're the only expert to provide such information on policy organization. After reading an article from another expert I've also decided to cut the documents per management system and to respect an integration logic. Here are the systems to integrate at the document level that I've already listed: QMS, SMS, ISMS, PMS, UMS, CMS, OHSMS, FSMS, EMS. I hope this is the right logic, since your article does not cover the integration aspect of policy management. What's your opinion?
Your logic is sound because you are separating the systems according to their core processes.
Regarding the integration of policy management, ISO management systems have a lot of requirements in common, which allows using single documents with minor adjustments to cover core issues from several management systems (e.g., document and record control, internal audit, management review, corrective actions, etc.).
For further information, see:
Here is where I'm stuck: For the moment I've found that document storage should be organized with a classification plan that reflects the process logic. It sounds quite reasonable, even if it is hard to visualize a SharePoint site design per process. I've also found that policies are produced by pilot processes. So OK, but policies are also used by operational managers as entry points when designing their own processes. From there on I'm stuck. How do classification plans manage the documents that are shared between process owners? I've not been able to find an example of IT documentation storage yet to help me find the answer to that question, or to find out if the "process logic" was the correct goal for IT process document classification. Is there something about classification plans for process documents in security standards? Can you give me hints or advice so I can start writing a classification plan that can be used by SharePoint experts to build a nice and secure documentation site to host the old documents and the new policies? Thanks.
If I understood correctly, you are asking about access control management. ISO 27001 does not prescribe how to do that, only the main guidelines on what you need to achieve, so you can use any logic that fits the organization's needs.
Considering that, to build the structure you need to allow people to have access only to the documents they need to do their work, you should consider developing access control profiles according to the required needs. In this case, you should:
As for roles/persons you can have, for example, developers, managers, architects, a specific person, etc. As for access rights you can have, for example, read access and edit access.
As for the idea of “process logic”, you can use it as a base for your profiles. Something like:
Since you’ve mentioned international access, you can further detail profiles by classifying them according to countries (e.g., Operational processes – step n – country m).
To see how this can be defined in terms of a policy, please take a look at this template: https://advisera.com/27001academy/documentation/access-control-policy/
For further information, see:
1. Can a DPO have another role in the company besides this one?
Yes, as long as the role is not in a conflict of interest with the DPO role. Namely, the DPO shouldn’t approve his or her own processing operations. The DPO cannot be someone from marketing, or from sales, or from operations, or from the legal department, and so on. This is mentioned in Article 38 – Position of the data protection officer – of the GDPR, paragraph 6: “such tasks and duties do not result in a conflict of interests”.
2. Can a DPO be an external consultant/contractor?
Yes. Article 37 – Designation of the data protection officer – paragraph 6 mentions that “The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.”
You can find more details at these links:
You asked about Resource Requirements, 5.5 Metrological Traceability. As we are a testing laboratory and not offering any calibration services, does 5.5 need to stay in our Quality Manual, or can I delete this?
No, you cannot delete clause 6.5. Metrological traceability relates to measurement results, i.e., in your case, your test results. All testing laboratories must establish and maintain metrological traceability of their measurement results. This is done via a documented unbroken chain of calibrations. For example, when you weigh a sample on a laboratory balance, the balance must have a calibration with a certificate where the calibration was performed according to ISO 17025 calibration requirements (e.g., a traceable weight set). This is one link in the chain.
I suggest you read through the standard carefully – especially clauses 6.4, 6.5 and Annex A – and have a look at a similar question at https://community.advisera.com/topic/preparing-procedure-on-meteorological-traceability/. There are some links there that will help you.
You also asked about 17025 clause 8.1.3 Option B: our lab complies with Option B, so does that mean I can delete 7.2-7.9 from my Quality Manual?
No, you cannot delete clauses 7.2 to 7.9. If the laboratory already has ISO 9001 certification, then Option B applies. Clause 8.1.3 states two things.
Because an ISO 9001 QMS is in place, at least the intent of the management system requirements of ISO 17025, specified in 8.2 to 8.9, is met. The laboratory must include the management of the tests on their scope in the 8.2 to 8.9 processes, e.g., audit your test methods, and manage nonconformances and corrective actions as per your established (or modified) processes.
The laboratory must also establish and demonstrate the consistent fulfilment of the requirements of Clauses 4 to 7, i.e., add the requirements of clauses 4 to 7 to the existing ISO 9001 QMS.
For more information and resource links, see a similar question and reply on the ISO 17025 Quality Manual Option B at https://community.advisera.com/topic/iso-17025-quality-manual-option-b/
ISO 9001:2015 does not explicitly mention the term preventive action. However, the standard includes, in practice, the development of preventive actions by introducing the concept of the risk-based approach. When you assess the risks of a product or a process, and you decide to act, you are actually taking preventive action.
You can find more information below:
year enlarge that scope. For example, many hospitals do it. They start with a service like blood analysis, and then enlarge with radiology, and then with urology, and so on.
So, if you use the word departments in this way, your company can do it.
You can find more information below: