Search results


  • Conformio questions

    Answer: Please note that the Information Security Policy document generated by Conformio is fully compliant with ISO 27001 as it is, so most of the elements you mentioned do not need to be included in the Information Security Policy (some are already included in other low-level policies, or are not needed at all – they would only increase administrative effort unnecessarily). 

    About each specific point:

    • Exception Handling: exceptions are not mentioned in ISO 27001, and a good practice is either not to define them at all, or to define them for certain processes. For example, you could define an exception for granting access in the Access Control Policy.
    • Consequences of Non-Compliance: references to consequences of non-compliance and violations of security rules are included in the Statement of Acceptance of ISMS Documents.
    • Links to Other Policies and Procedures: The policies, procedures and other documents which support the ISMS are identified in the Statement of Applicability Module.
    • External Parties: The external parties are identified in the Register of Requirements Module.
    • Review Frequency: Of course, the review could be done more often in various cases. However, we found that a large majority of our clients like documents that are not too lengthy and are simple to read, and this is why we try not to explain such scenarios.
    • Audit and Monitoring: Audit and monitoring rules are defined in the Internal Audit Procedure.
    • Document Storage and Versioning: Storage and versioning rules are defined in the Procedure for Document and Record Control. Who is allowed access to the policy is defined in section 1 of the document – Purpose, scope and users.
    • Terminology: A large majority of our clients find the listed terms enough for their purpose; as mentioned before, our clients prefer to have shorter documents, and this is why we limited the terms to those that are listed.

    In case you want to develop an Information Security Policy with the elements you want, you can use the blank template provided by Conformio, which can be found by clicking on the Documents link in the left panel on the main screen, and after that, the folder Templates for manual editing. 

  • Definition of a non-conformity

    In the context of medical devices, non-conformities refer to instances where a device does not meet the established requirements or standards. These non-conformities are classified into major and minor categories based on their significance and potential impact on patient safety.

    Major Non-Conformity: A major non-conformity indicates a significant deviation from the established requirements. It poses a high risk to patient safety and may result in serious harm or adverse events. Major non-conformities typically involve critical aspects of the device's design, manufacturing, performance, or documentation. Correcting major non-conformities is of utmost importance to ensure the safety and effectiveness of the medical device.

    Minor Non-Conformity: A minor non-conformity refers to a deviation from the established requirements that has a relatively lower impact on patient safety. While minor non-conformities do not pose an immediate risk to patients, they still need to be addressed to maintain compliance with regulations and standards. Examples of minor non-conformities may include minor labeling issues, documentation errors, or non-critical deviations in manufacturing processes.

    It is crucial for manufacturers to properly assess and classify non-conformities as major or minor to ensure appropriate corrective actions are taken. Major non-conformities require immediate attention and remediation, while minor non-conformities should be addressed in a timely manner to maintain compliance and quality in the manufacturing and distribution of medical devices.

  • Environment and Scope

    1 - As a higher education institution, we operate in a hybrid environment encompassing cloud and on-premise resources, third-party services, as well as both in-house and outsourced application development. Our ISMS scope is currently confined to the IT department. Given this, which assets should we include in our ISMS? 

    Since the current ISMS scope is confined to the IT department, the assets to be considered for the ISMS should be those directly under the control of the IT department (e.g., on-premise resources, in-house application development, data for SaaS, data and applications for IaaS etc.).

    2 - Should it be limited to IT assets such as infrastructure, servers, network systems, applications, data centers, UPS, air conditioning, connectivity, and IT human resources? Or should we extend the scope to include departments like HR and Procurement?

    Each company can decide what ISMS scope best fits their needs. This is usually done based on customer requirements - if the customers require only the IT department to be certified, then this is usually enough.

    3 - When it comes to setting our ISMS objectives, considering the scope is limited to the IT department, should the security objectives also be confined to IT-related security measures?

    Besides the IT-related security objectives, the ISMS objectives should also be considered in terms of added value to the company. For example, to decrease the number of information security incidents by 50% in the next year.

    These articles will provide you with further explanation about defining the ISMS scope and objectives:

    This tool for defining the ISO 27001 ISMS scope can also help you.

  • ISO 9001 in Maintenance Companies

    Implementing ISO 9001 in a company that specializes in maintaining refrigeration systems or installing refrigerators is certainly possible. ISO 9001 is a quality management system standard that can be applied to various types of organizations, including service providers like maintenance companies.

  • Apply procedure for document and record control only to information security policies in Conformio?

    Please note that there is no need to change the text in the procedure to reflect what is stated in the Conformio description of the document.

    ISO 27001 requires documents and records related to the ISMS to be controlled, so the procedure needs to have the text "This procedure is applied to all documents and records related to the ISMS" as it is.

    If you want to apply the same rules outside of the ISMS, you can do it, but there is no need to change this sentence in the procedure.

  • Can a company be certified by someone who works for them?

    Please note that companies can only be certified by certification bodies (independent organizations that employ their own certification auditors for the process).

    For further information, check out the differences in accreditation, certification, and registration in the ISO world.

  • Environmental Aspects Criteria

    When identifying significant environmental aspects for an organization, you don't necessarily have to refer exclusively to ISO 14001 criteria, but ISO 14001 can be a valuable framework to guide your efforts. You can consider, for example:

    • Legal and regulatory compliance
    • Interested parties expectations
    • Risks and Opportunities

    You can find more information in:

    • Catalogue of environmental aspects
    • 4 steps in identification and evaluation of environmental aspects
  • Create a Performance Mindset

    To create a performance mindset in accordance with ISO 9001:2015, business leaders should:

    Set Clear Objectives: Define clear and measurable quality objectives aligned with the organization's strategic goals.
    Lead by Example: Demonstrate a commitment to quality and continuous improvement through their actions and decisions.
    Engage Employees: Involve employees at all levels in quality initiatives, encourage their input, and recognize their contributions.
    Provide Resources: Allocate resources, including training and technology, to support quality improvement efforts.
    Monitor and Measure: Regularly assess performance using meaningful metrics and key performance indicators (KPIs).
    Continuous Improvement: Foster a culture of continuous improvement, where identifying and addressing opportunities for improvement is encouraged.
    Communication: Communicate the importance of quality and performance to all stakeholders, both internally and externally.
    Feedback Loop: Establish mechanisms for feedback and learning from both successes and failures to drive ongoing improvement.

    By embracing these leadership efforts and approaches, businesses can cultivate a performance mindset that leads to sustained excellence and quality in their operations and outcomes.

    I recommend starting with one or two examples that can be used to set an example and motivate the whole team.

    You can find more information:

  • Is Statement of Applicability required for ISO 14001?

    The statement of applicability is a unique part of ISO 27001 where you identify the controls applied, and this is not required for ISO 14001. Both standards have a scope and policy for the management system, but only ISO 27001 has a statement of applicability.

    You can read a bit more on the ISMS statement of applicability in the article:

  • A.15.2.2 Managing changes to supplier services

    Control A.15.2.2 Managing changes to supplier services can be implemented by means of a change management process considering the following steps:

    1. identification of what needs to be changed (e.g., hardware, software, documentation, etc.) and on which systems;
    2. assessment of the criticality of the systems, information, and processes affected by the change;
    3. re-assessment of the risks related to the systems, information, and processes affected by the change (e.g., current risks that may change, risks that may arise);
    4. formal approval of proposed changes;
    5. development of an implementation plan, including, when necessary, procedures for aborting and recovering from unsuccessful changes and unforeseen events;
    6. testing of the proposed changes before and after deployment of changes in the production environment;
    7. communication of changes performed to all relevant persons.

    You can use your change management procedure as a basis to manage changes related to your supplier.

    You can read more about managing changes in an ISMS according to ISO 27001 A.12.1.2 on our blog.
