Search results


  • DR test report template

    To document the results of the conducted Disaster Recovery exercising and testing, I suggest you take a look at this template to see if it can fulfill your needs: https://advisera.com/27001academy/documentation/form-exercising-and-testing-report/

    For further information, see (the general principles are also applied to ISO 27001 Disaster Recovery):

  • Risk Assessment : Which assets to take into account

    Typically, employees' laptops should be considered assets because they are used to maintain and operate your SaaS platform.

    This article will provide you a further explanation about scope definition in cloud environments:
    - Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/

  • Declaration of applicability in ISO 27001

    You can update the Statement of Applicability any time you see fit. You only need to inform the certification auditor prior to a surveillance/recertification audit about the SoA update, so he can be aware of the changes and take them into consideration in his audit plan.

    Please note that besides the SoA you also need to ensure that all evidence related to the risk assessment and treatment processes is updated accordingly in case of need (e.g., risk assessment, risk treatment, risk treatment plan, etc.).

    This article will provide you with further explanation about risk assessment:
    - ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

  • MDR submission

    Samples that are sent for performance testing and biocompatibility must have a final design because there is no point in testing a product that you will then change.

    Brand name, labels, and any instructions for use are not necessary for this kind of testing. But, if you are going for usability testing, then all those elements (brand name, labels, and product descriptions) must be in the final stage.

  • Applicability of sampling (clause 7.3) to a calibration laboratory

    You asked 

    in what circumstances Sampling (Clause 7.3) is applicable to a calibration lab? In the normal course, a calibration laboratory is supposed to calibrate (within its scope) whatever MI is sent to it by a customer. Is my understanding correct?

    Yes, your understanding is correct. For a laboratory receiving items for calibration, there is no sampling involved. The lab receives the item/s, referred to typically as “unit under calibration”, “unit under test” or “device under test”.

    You also asked

    Another view is that calibration lab can apply sampling for its internal quality control purposes. For example, it can randomly sample MI calibrated itself and recalibrate them using another equipment/method/calibration technician etc. Is 7.3 applicable in this case?

    No, clause 7.3 is not applicable in the case described. ISO 17025 clearly refers to sampling as an activity that leads to subsequent testing or calibration, that is, sampling done for the purpose of releasing results.

    For more information on the requirements of ISO 17025, download the free White Paper Clause-by-clause explanation of ISO 17025:2017 at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025

    You can also have a look at the ISO 17025 document template previews: Sampling Procedure as well as the two appendices, at https://advisera.com/17025academy/documentation/sampling-procedure/

  • Classification of medical devices

    Yes, you are right. Separately, those elements do not need a medical device file, but, once they are all put together, technical details must be a part of the Medical device file for the X-ray system. It means that at least the following must be covered:

    • technical drawings
    • materials from which it is made
    • what risks the elements in question pose to the patient, i.e., to the accuracy of performing the diagnostic procedure
    • any other safety issues
  • VA-PT testing

    Such threats and loopholes are basically the same as those commonly used as references for VA-PT testing. For example, according to the OWASP Top 10 for web applications, they are:

    • Broken Access Control
    • Cryptographic Failures
    • Injection
    • Insecure Design
    • Security Misconfiguration
    • Vulnerable and Outdated Components
    • Identification and Authentication Failures
    • Software and Data Integrity Failures
    • Security Logging and Monitoring Failures
    • Server-Side Request Forgery

    The main difference in their use is that such threats are applied against zero-day vulnerabilities, which are vulnerabilities either unknown to the organization (i.e., it does not know they should require mitigation) or known but for which a patch has not been developed yet.

    Until the zero-day vulnerabilities are mitigated, hackers can exploit them to compromise information security. For such situations, the application of control 6.1.4 Contact with special interest groups, for earlier identification of zero-day vulnerabilities, is highly recommended.

    These articles will provide you with a further explanation about OWASP and special interest groups:

    This material will also help you regarding OWASP:

  • Business continuity plans in a larger company

    Please note that department-oriented plans (e.g., IT plan, Facilities plan, HR plan, etc.) are the easiest way for mid-size companies like yours.

    From our experience, the optimal structure for large companies is the following:

    • one top-level document called Business Continuity Plan, where you define the crisis management plan and the general rules by which all continuity activities will abide, ensuring all plans are aligned.
    • separate Incident Response Plans describing how you would respond to different incidents, covering related activities required by all areas of the organization.
    • recovery plans describing how to recover each of your processes/departments/projects in case of a disruption, also covering related activities required by all areas of the organization. For IT operations this plan is commonly known as the Disaster Recovery Plan.

    For more information, please see:

    This material will also help you regarding business continuity planning:

  • Cold Email

    Yes, cold emails are allowed under legitimate interest. If you have the email address of the procurement manager of a company that may be interested in your service, you are allowed to send a cold email, because the address is published on the company website as the contact point for procurement affairs.

    Here you can find more information about legal basis:

    If you need to understand how to implement EU GDPR you may consider enrolling in our EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/

  • Preparing SoA

    ISO 27001 only requires that the results of the risk assessment are taken into account when defining risk treatment and the SoA, not that the majority of controls must have risks as justification for applicability (this is not a common situation, so you should be prepared for some questioning from the auditor).

    Provided that in the SoA you refer to the most relevant identified risks, it can be accepted for certification purposes.
