About evidence of the Communication Plan for Communications Related to the ISMS, please note that ISO 27001:2013 requires you to define a communication process, although there is no requirement that such a process must be documented.
Considering that, communication is an activity that is performed by many processes in information security according to ISO 27001, with different purposes. So to have a centralized communication procedure would overhead people responsible for communication with activities that may not be a part of their attributions. That’s the reason there isn’t a specific template for clause 7.4.
The main documents in the toolkit that define how communication needs to be done are:
About evidence of Documented Management Review Process, there is no requirement that such a process must be documented. The rules defining interval and purpose for performing the management review are defined in the Information Security Policy, section 4.4. This template is located in folder 4 General Policies.
About evidence of the Results of the Management Reviews, ISO 27001:2013 requires only the results of the management review to be documented, and for that, you can use the Management Review Minutes template, located in folder 11 Management Review.
I’m assuming that the opportunity for improvement came from the auditor.
Considering that, first it is important to note that Opportunities for Improvement are recommendations of the auditor, and will never be a Non-Conformity.
By pointing out an Opportunity for Improvement, the auditor only wants the organization to take a look at a situation to evaluate if it is worth taking action to achieve the suggested benefits. If the organization decides to take no action, there will be no problem at all.
Considering that, an organization may or may not submit an Action Plan for an Opportunity for Improvement. Please note that I used the term Action Plan because Preventive Action is not required by ISO 27001, so the term Corrective and Preventive Action (CAPA) would not be appropriate for this situation.
Audit days vary according to the number of people working in the company. In this regard, the calculation table in the IATF rules 5 booklet is used.
Stage 1 audit takes 1 day, but stage 2 audit varies according to the number of employees.
Audit daily prices also differ from country to country.
I recommend that you get a price quote from 3 or 4 certification bodies operating in your country.
I’m assuming you are referring to templates Risk Assessment Table and Risk Treatment Table.
Considering that, in the field “Number” you need to enter a unique numerical identifier, so each row can be uniquely identified (this is the Risk ID), and a sequential number is one example that can be used.
By the way, included in the toolkit you have access to video tutorials that can explain and help you fill in the Risk Assessment Table and Risk Treatment Table.
Please note that ISO 27001 certification is not mandatory, although some countries have established laws and regulations that are easier to be fulfilled by implementing ISO 27001.
On top of this, an increasing number of customers prefer ISO 27001 certified organizations as suppliers because they consider such organizations more capable of helping them.
Considering that, you need to evaluate your legal environment and customers’ needs to see if an ISO certification is interesting to you.
These articles will provide you with further explanation about ISO 27001:
- What is ISO 27001? https://advisera.com/27001academy/what-is-iso-27001/
- Laws and regulations on information security and business continuity https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
- Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
First of all, sorry for this confusion.
Please note that the Internal Audit Checklist included in the toolkit is divided into two sections - the first one for ISO 27001 and the second one for ISO 22301. To audit an ISO 27001 ISMS, you only need the questions in section one (they cover all needed questions to evaluate compliance with ISO 27001 mandatory clauses and applicable controls). There is no need to use or adapt questions related to ISO 22301.
Regarding questions for section 8 of ISO 27001, they are the same as those applied to clauses 6.1.2 and 6.1.3 (the identification of clauses 8.2 and 8.3 is included with clauses 6.1.2 and 6.1.3 in the “Clause” column). You can find these questions on page one of the checklist.
The toolkit covers clause 8.1 (Operational planning and control) through all the policies and procedures you'll find in the toolkit in folder "08 Annex A".
By the way, in the root folder of your toolkit, you'll find a PDF document called "List of documents" where it is specified which document covers which clause of the standard.
To be in the medical device field, first, you need to have some medical background. For example: completed medical school, work experience in a hospital or other clinical institution, work experience in a medical device factory. In my opinion, without understanding what the most important elements for medical device safety and performance are, it is not possible to be in this field.
The benefit is if you have experience in the regulatory business, knowing how to read and understand different regulatory requirements, and so on. If you are on the EU market, then knowledge of the MDR is mandatory, and if you are on the US market then you need to know the FDA rules for medical device certification.
There are websites that offer some certifications for consultants, but even that certification is no guarantee that you fully understand the regulatory requirements. So without a lot of self-study of the necessary regulations, there is no success in this business.
The only thing to keep in mind is that medical products include a syringe for giving injections, but also an artificial heart. So there is no consultant who has experience in all types of medical products. Some requirements are universal, but again each product has its own specifics that the consultant must take into account. So mutual communication with the consultant is also important.
I assume that you are referring to compliance with a data subject's request to delete personal data.
Compliance with GDPR starts from a good privacy notice where it is clear how data subjects can exercise their rights. It may be implemented by a reply to the data subject's request to exercise their rights, where the data controller explains how the data subject's request is handled and confirms that the request has been accepted or denied. Of course, the deletion of data will refer to data that are processed under consent as the legal basis. If some personal data need to be processed under another legal basis, then the data controller will have the right to keep those data and process them for that purpose. For example, the data controller may need to keep the name and some personal information of the data subject to fulfill the obligation on invoicing. You should keep a register of data subjects' requests in order to demonstrate compliance with the obligation of assuring the rights of data subjects.
Here you can find more information about how to handle data subjects' rights:
If you need to understand how to implement compliance with GDPR you may consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/