
  • ISO 14001 communication procedure lacking in ISO 13485


    In ISO 13485:2016 there is no requirement that communication within the company must have a documented procedure. Requirement 5.5.3 Internal communication states that top management must ensure that appropriate communication within the company is established.

    In our toolkit, internal communication is mentioned in the Quality Manual, chapter 5.5.3 Internal communication. In the comment, you can see that we put “Adapt to organization practice”. Here you can describe whether you have bulletin boards, what information is placed and communicated on these boards, whether you have a policy on until what time emails may be sent during the day, how quickly you need to respond to an e-mail, how important paper information travels around the company, etc.

  • Removing approved risks in Conformio

    From your question I’m assuming you want to remove some threats and vulnerabilities associated with an asset once the risk assessment and treatment process is concluded.

    It is not possible to remove threats or vulnerabilities, but it is possible to make the risk no longer relevant. For that purpose you have to enter the Risk Register, find the risk and decrease its likelihood and/or impact so that it becomes acceptable. Please note that this change will initiate changes in the Statement of Applicability and the Risk Treatment Plan, i.e. you will start a whole cycle of risk management. Therefore, we recommend that these changes are made every 6 months.

    In case the risk management process is not concluded, you can simply roll back the steps to eliminate/alter the risk.

  • Vendor/third party risk management/assessment

    Yes, for vendor/third party risk management you should use the templates for risk assessment and risk treatment included in your toolkit, in folder 5 Risk assessment and risk treatment. These are the same templates as for assessing the risks for your own company, since the assessment process is the same.

    This article will provide you with further explanation about supplier security:
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

  • Project Plan in ISO 17025 toolkit

    The project plan is a tool to use as you see best fits your need. You can modify it in whatever way works best for you, adding new tables if that is of benefit. List the current processes and documentation in place for ISO 13485 which are applicable, and then the additional ones required by or needing customisation for ISO 17025. This way you can track your progress.

  • Using messages as evidence

    Yes, if the organization uses the messages it is considered processing of personal data under the EU GDPR. However, the processing of personal data to defend a right in a legal claim is a legal basis for data processing. In particular, Article 6 par. 1 lett. f) GDPR refers to the legitimate interest of the data controller, and defending a right falls within the notion of legitimate interest. So your organization does not need consent to process that personal data.

    Article 6 paragraph 2 GDPR also has a link to Chapter IX of the EU GDPR where, in Article 88 GDPR, there is a reference to data processing in the workplace. Data processing in the workplace and in court trials is devolved to Member State legislation, so the practical possibility to use the message as evidence in a judicial trial will depend on your specific legal system. For example, in Italy, where I am located, under the Italian implementing privacy law the controller could use the message as evidence.

    Here is some information about consent and data processing in the workplace:

    If you need to understand more about EU GDPR, you can consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/

  • ISO 27001 audits

    Thank you Rhand, your answers are helpful.

  • Asset inventory

    The Asset Inventory spreadsheet and the Risk Assessment spreadsheet do not need to be exactly the same as long as you can relate the information between them, like the way you exemplified.

    Typically, the Asset inventory (especially for mid-sized and larger companies) will be more detailed than the list of assets in the risk assessment. In case you have assets with similar risks you can add a category to group them to make the risk assessment easier. For example, instead of identifying each laptop individually, you can define a group called "company-owned laptops" and assign it to the laptop models included in your asset inventory.

    For smaller companies it makes no sense to have an Asset Inventory, since all the assets are already recorded in the Risk assessment.

    This article will provide you with further explanation about the asset register:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
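    The answer above describes relating a per-device asset inventory to a grouped risk assessment through a category such as "company-owned laptops". The script below, as an added example that is not part of the original answer or of the toolkit, shows the check an auditor would run across the two sheets: which risks apply to a given asset, and which inventory categories have no risk row at all. All rows are constructed sample data, and the column names (asset_id, category, risk_group) are assumptions rather than toolkit field names.

```python
"""Coverage check between a detailed asset inventory and a grouped risk assessment.

Added example, not part of the original answer. The inventory rows and the
risk assessment rows below are constructed sample data; the column names
(asset_id, category, risk_group) are assumptions, not toolkit field names.
"""
from collections import defaultdict

# Constructed sample: a per-device asset inventory, as a mid-sized company would keep it.
ASSET_INVENTORY = [
    {"asset_id": "LT-001", "name": "Dell Latitude 5540", "category": "company-owned laptops", "owner": "Sales"},
    {"asset_id": "LT-002", "name": "Lenovo T14", "category": "company-owned laptops", "owner": "R&D"},
    {"asset_id": "SRV-01", "name": "File server", "category": "on-premises servers", "owner": "IT"},
    {"asset_id": "DB-01", "name": "Customer database", "category": "databases", "owner": "IT"},
]

# Constructed sample: the risk assessment lists groups, not individual devices.
RISK_ASSESSMENT = [
    {"risk_group": "company-owned laptops", "threat": "theft", "vulnerability": "no disk encryption", "likelihood": 3, "impact": 4},
    {"risk_group": "on-premises servers", "threat": "hardware failure", "vulnerability": "no redundant PSU", "likelihood": 2, "impact": 4},
]


def group_inventory(inventory):
    """Map each risk-assessment group (the inventory 'category') to its asset ids."""
    groups = defaultdict(list)
    for row in inventory:
        groups[row["category"]].append(row["asset_id"])
    return dict(groups)


def risks_for_asset(asset_id, inventory, risk_assessment):
    """Return the risk rows that apply to a single inventory asset via its group."""
    categories = {row["asset_id"]: row["category"] for row in inventory}
    category = categories.get(asset_id)
    return [r for r in risk_assessment if r["risk_group"] == category]


def coverage_gaps(inventory, risk_assessment):
    """Inventory categories with no risk row, and risk groups with no inventory asset.

    Both directions matter to an auditor: an uncovered category means assets
    with no assessed risk; an orphan group means the assessment refers to
    something the inventory does not record.
    """
    inv_groups = set(group_inventory(inventory))
    risk_groups = {r["risk_group"] for r in risk_assessment}
    return {
        "uncovered_categories": sorted(inv_groups - risk_groups),
        "orphan_risk_groups": sorted(risk_groups - inv_groups),
    }


if __name__ == "__main__":
    print(group_inventory(ASSET_INVENTORY))
    print(risks_for_asset("LT-002", ASSET_INVENTORY, RISK_ASSESSMENT))
    print(coverage_gaps(ASSET_INVENTORY, RISK_ASSESSMENT))
```

    In the constructed data the "databases" category has no risk row, which is exactly the kind of gap an internal audit should surface before the risk treatment plan is finalised; in practice the two lists would be read from the toolkit spreadsheets rather than embedded.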

  • Data Backup and Restore

    According to ISO 27001, the need for encryption of backup tapes will depend on the results of risk assessment and identified legal requirements.

    If you do not have risks, or legal requirements, that justify the implementation of encryption, you do not need to implement it.

    These articles will provide you with further explanation about controls selection:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - Backup policy – How to determine backup frequency https://advisera.com/27001academy/blog/2013/05/07/backup-policy-how-to-determine-backup-frequency/

  • Control diversification

    Indeed, for such small companies, this column is not practical, and it would be better for you to create a shortlist of objectives in the Information security policy or develop a separate document with them.

    Besides decreasing the occurrence of incidents, you can also define some control objectives like:

    • cost reduction of fines related to legal breaches (e.g., to controls A.18.1.4 Privacy and protection of personally identifiable information and A.18.1.5 Regulation of cryptographic controls)
    • increase in information systems uptime (e.g., to controls A.16.1.5 Response to information security incidents and A.17.1.2 Implementing information security continuity)
    • increase in process effectiveness/efficiency (e.g., to controls A.12.1.3 Capacity management and A.14.1.1 Information security requirements analysis and specification)

    Regarding security incident objectives, you do not need to define one for every clause. You can define a single objective for the whole ISMS (e.g., at most 3 incidents per year).

    For further information, see:

  • 10.1.2 Key management

    To audit control 10.1.2 Key management you need to identify the defined requirements for generating, storing, archiving, retrieving, distributing, retiring, and destroying keys. Once these are identified you can start verifying if the implemented processes are being performed according to the requirements.

    Examples of evidence are:

    • requests for key generation
    • records of key delivery to users
    • records of key revocation

    This article will provide you with further explanation about key management:
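    The answer above lists the evidence an auditor looks for (generation requests, delivery records, revocation records) and says the job is to verify the implemented process against the defined requirements. The script below, as an added example that is not part of the original answer, reconciles a key register against such evidence records and reports keys whose paper trail is missing or out of order. The register, the evidence and the three rules checked are constructed and assumed; the real rules come from the organisation's own key management procedure.

```python
"""Reconcile a key register against lifecycle evidence records (audit of key management).

Added example, not part of the original answer. The register, the evidence
records and the checks below are constructed and assumed: real requirements
come from the organisation's own key management procedure.
"""
from datetime import date

# Constructed sample register. The assumed requirement: every key has a
# generation request dated no later than generation, a delivery record dated
# no earlier than generation, and a revocation record if and only if retired.
KEY_REGISTER = [
    {"key_id": "K-001", "purpose": "VPN CA", "generated": date(2023, 1, 10), "retired": date(2024, 1, 10)},
    {"key_id": "K-002", "purpose": "backup encryption", "generated": date(2023, 3, 1), "retired": None},
    {"key_id": "K-003", "purpose": "code signing", "generated": date(2023, 6, 15), "retired": None},
]

# Constructed sample evidence: one record per lifecycle event.
EVIDENCE = [
    {"key_id": "K-001", "event": "generation_request", "date": date(2023, 1, 8)},
    {"key_id": "K-001", "event": "delivery", "date": date(2023, 1, 11), "recipient": "netops"},
    {"key_id": "K-001", "event": "revocation", "date": date(2024, 1, 10)},
    {"key_id": "K-002", "event": "generation_request", "date": date(2023, 2, 27)},
    # Deliberate inconsistency: delivered a day before the register says it was generated.
    {"key_id": "K-002", "event": "delivery", "date": date(2023, 2, 28), "recipient": "backup-admin"},
    # Deliberate inconsistency: K-003 has a delivery record but no generation request.
    {"key_id": "K-003", "event": "delivery", "date": date(2023, 6, 16), "recipient": "build-server"},
]


def events_for(key_id, evidence):
    """Index the evidence records of one key by event type."""
    return {e["event"]: e for e in evidence if e["key_id"] == key_id}


def audit_key(entry, evidence):
    """Return the findings for one register entry; an empty list means the evidence is consistent."""
    ev = events_for(entry["key_id"], evidence)
    findings = []
    if "generation_request" not in ev:
        findings.append("no generation request on file")
    elif ev["generation_request"]["date"] > entry["generated"]:
        findings.append("generation request dated after key generation")
    if "delivery" not in ev:
        findings.append("no delivery record")
    elif ev["delivery"]["date"] < entry["generated"]:
        findings.append("delivery recorded before key generation")
    if entry["retired"] is not None and "revocation" not in ev:
        findings.append("key retired but no revocation record")
    if entry["retired"] is None and "revocation" in ev:
        findings.append("revocation record for a key still listed as active")
    return findings


def audit_register(register, evidence):
    """Map key id to its findings, listing only keys with at least one finding."""
    result = {}
    for entry in register:
        findings = audit_key(entry, evidence)
        if findings:
            result[entry["key_id"]] = findings
    return result


if __name__ == "__main__":
    for key_id, findings in audit_register(KEY_REGISTER, EVIDENCE).items():
        print(key_id, "->", "; ".join(findings))
```

    Each finding maps directly to a piece of evidence the answer names, so the output is a list of the records to request from the key custodian rather than a pass/fail verdict; the ordering rules are where such scripts earn their keep, since a missing record is easy to spot by eye but a delivery dated before generation is not.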
