Search results

  • What does it mean to have security classification in a document?

    To have a security classification in a document means that this document needs to be protected according to a set of rules, depending on the security classification level.

    For example, considering the confidentiality point of view, top-secret documents need to be protected against loss of confidentiality, while public documents do not require such protection.

    This article will provide you with a further explanation about information classification:

    This material will also help you regarding information classification:

  • Conformio - Justification in SoA

    ISO 27001 requires a justification for all applicable controls (clause 6.1.3 “d”), so if you are adding controls in the Statement of Applicability you need to fill in the ‘justification’ field to be compliant with the standard.  

    This article will provide you a further explanation about the Statement of Applicability:

  • Environmental Standard Maintenance

    No. A new version makes previous versions obsolete.

    So, if you are about to start working with ISO 14001:2015 perhaps the following information may be useful for you.

  • Project Plan for ISMS Implementation

    A mentor is someone closer to an advisor, i.e., he gives suggestions on matters related to the project (e.g., project management, information security, ISO 27001, etc.) and provides experience about previous situations he had encountered, so that the project team can have more information to make a decision on how to act, while a consultant can also have a more direct role in the project, carrying out tasks.

    About where to find a mentor, in general, he is someone who already works in the organization. In case such a person is not available in your organization, you can seek one on work-oriented social networks, like LinkedIn.

  • Chemistry

    A competent ISO 9001 auditor should have the necessary auditing skills to assess conformance of management requirements of any quality management system, thus in ISO 17025 all the clauses of Clause 8. This is because the management requirements are based on ISO 9001, and the auditor would use an ISO 17025 checklist and your own documented procedures as the criteria. 

    The shortfall is that an ISO 9001 auditor would not be able to audit the technical requirements of 17025 – in fact, many ISO 17025 lead auditors would not be able to either, if they have no technical knowledge of ISO 17025 and the test methods. It requires knowledge of techniques and method risks.

    The following will provide more information on Internal Audits:

    How to perform an internal audit using ISO 19011 at https://info.advisera.com/free-download/how-to-perform-an-internal-audit-using-iso-19011
    ISO 17025 document template: Internal Audit Procedure at https://advisera.com/17025academy/documentation/internal-audit-procedure/
    Clause-by-clause explanation of ISO 17025:2017 at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/
    Book - ISO internal audit: A plain English guide at https://advisera.com/books/iso-internal-audit-plain-english-guide/

  • DR test report template

    To document the results of the conducted Disaster Recovery exercising and testing, I suggest you take a look at this template to see if it can fulfill your needs: https://advisera.com/27001academy/documentation/form-exercising-and-testing-report/

    For further information, see (the general principles are also applied to ISO 27001 Disaster Recovery):

  • Risk Assessment : Which assets to take into account

    Typically, employees' laptops should be considered assets because they are used to maintain and operate your SaaS platform.

    This article will provide you a further explanation about scope definition in cloud environments:
    - Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/

  • Declaration of applicability in ISO 27001

    You can update the Statement of Applicability any time you see fit. You only need to inform the certification auditor prior to a surveillance/recertification audit about the SoA update, so he can be aware of the changes and take them into consideration in his audit plan.

    Please note that besides the SoA you also need to ensure that all evidence related to risk assessment and treatment processes is updated accordingly in case of need (e.g., risk assessment, risk treatment, risk treatment plan, etc.).

    This article will provide you with further explanation about risk assessment:
    - ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

  • MDR submission

    Samples that are sent for performance testing and biocompatibility must have a final design because there is no point in testing a product that you will then change.

    Brand name, labels, and any instructions for use are not necessary for this kind of testing. But, if you are going for usability testing, then all those elements (brand name, labels, and product descriptions) must be in the final stage.

  • Applicability of sampling (clause 7.3) to a calibration laboratory

    You asked 

    in what circumstances Sampling (Clause 7.3) is applicable to a calibration lab? In the normal course, a calibration laboratory is supposed to calibrate (within its scope) whatever MI is sent to it by a customer. Is my understanding correct?

    Yes, your understanding is correct. For a laboratory receiving items for calibration, there is no sampling involved. The lab receives the item/s referred to typically as “unit under calibration”, “unit under test” or “device under test”.

    You also asked

    Another view is that calibration lab can apply sampling for its internal quality control purposes. For example, it can randomly sample MI calibrated itself and recalibrate them using another equipment/method/calibration technician etc. Is 7.3 applicable in this case?

    No, clause 7.3 is not applicable in the case described. ISO 17025 clearly refers to sampling as an activity that leads to subsequent testing or calibration. This means, for the purpose of releasing results.

    For more information on the requirements of ISO 17025, download the free White Paper Clause-by-clause explanation of ISO 17025:2017 at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025

    You can also have a look at the ISO 17025 document template previews: Sampling Procedure as well as the two appendices, at  https://advisera.com/17025academy/documentation/sampling-procedure/
