Search results

  • Uploading current quality standards/results

    Since such in-company information is actually information, I have not seen it shared much. TS 16949:2019 or IATF 16949:2016 also does not have such a requirement from suppliers.

    However, if it is a potential supplier, such information can be seen in the company during the audit or company visit.

  • ISO 27001 - feedback about some documents

    I’m assuming you are referring to documents 10.1 Internal Audit Program, 10.2 Internal Audit Report, 11.2 Management Review Minutes, and 12.1 Corrective Action Form.

    Considering that, the Internal Audit Program needs to be filled before the internal audits are performed (this is the document that will define how many audits will be needed, covering which topics and their dates).

    The internal audit report needs to be filled in after the conclusion of each planned internal audit.

    The Management Review Minutes are typically filled out after the management review has been completed, but some companies might use Minutes also as a preparation and in such cases you can use a 2-step approach: 1) data required as input for management review is filled in in the Minutes after all ISMS elements to be implemented are defined and as soon as the data is available; and 2) data required as output for management review is filled in after the end of the meeting.

    Corrective action forms are filed at any time a corrective action is required. Please note that corrective action can be originated either as a result of an internal audit or as a result of an incident or operational deviation.

    For further information, see:
    - Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/
    - Project checklist for ISO 27001 implementation https://info.advisera.com/27001academy/free-download/project-checklist-for-iso-27001-implementation

  • Implementing controls

    First, it is important to note that only controls deemed applicable, based on the results of the risk assessment and applicable legal requirements, need to be implemented. So, depending on the organizational context, not all controls from ISO 27001 Annex A may need to be implemented.

    For those controls deemed applicable, not all of them may need to be included in policies or procedures.

    These articles will provide you a further explanation about documenting controls:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    - How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/

  • ISO certification questions

    1) Are the risk assessment documents in the toolkit in line with ISO 27005, e.g. can we as an organization, after we are ISO certified using the toolkit, say we adhere to ISO 27005?

    The risk assessment documents in the toolkit are compliant with ISO 27005.

    ISO 27005 is a supporting standard to ISO 27001, detailing how to implement risk management for information security (basically covering ISO 27001 clauses 6.1.2 and 6.1.3).

    This article will provide you a further explanation about implementing risk management:

    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    2) ISO is international; it would be the same for Canada as it would for New Zealand, as an example.

    Your assumption is correct. A standard with the designation “ISO” is the same for every country, so the standard's requirements for Canada will be the same as for New Zealand.

  • BCP

    I would like to know if I have a company with a certified ISO 27001 BCP, if it is in compliance with the BS25999 or ISO 22301 standard. In case yes, you have the standards of those norms.

    ISO 27001 requirements for business continuity are not sufficient to be fully compliant with BS 25999 or ISO 22301, so if you have a BCP compliant with ISO 27001, it may not be enough to ensure it is compliant with BS 25999 or ISO 22301.

    BS 25999 is an outdated standard that was superseded by ISO 22301, which can be bought at ISO site: https://www.iso.org/standard/75106.html

    These articles will provide you a further explanation about ISO 27001 and ISO 22301:

    This material will also help you regarding ISO 27001 and ISO 22301:

  • Asset, Incident and Problem Management

    ISO 27001 does not require documentation of asset management and problem management. For Incident management you can take a look at this template: https://advisera.com/27001academy/documentation/incident-management-procedure/

    For asset management and problem management, I suggest you take a look at these ISO 20000 templates to see if they can fulfill your needs:

    ISO 20000 Documentation Toolkit also has this template for incident management: https://advisera.com/20000academy/documentation/incident-management-process/

  • Quality plan for service or collective

    Start by listing the different types of services provided by your company. Then start an unzooming exercise and try to determine what is common and what is different in terms of risk. For example, a transport company may have a basic service of taking an order from A to B, but it can also provide the same service urgently, provide it with a guarantee of negative temperatures during transport, or provide the same type of transport for foodstuffs with food safety requirements.

    So, for each kind of service, think about clients' and other interested parties' requirements and compliance obligations, and think about the risks for each service; from there, develop your quality plans. Perhaps some may be common to several kinds of services and others will be specific.

    The following material will provide you with more information:

  • Best practices in utilizing old clinical studies

    In Article 2 Definitions, point 12 states that “‘intended purpose’ means the use for which a device is intended according to the data supplied by the manufacturer on the label, in the instructions for use or in promotional or sales materials or statements and as specified by the manufacturer in the clinical evaluation”. The intended purpose would be best put together by someone who has experience with a given medical device, keeping in mind the intended user (medical professional, patient or other users). It is usually a short two- or three-sentence statement focusing on what the device is intended to be used for. With the intended purpose, it is proven that the product has a medical purpose, in line with the definition of a medical device in paragraph 1 of Article 2.

    The intended purpose must in no way refer to specific features of the product or the specifications of the intended product.

    For further information, please see the following:
