Search results

Documentation of requirements

Please note that our ISO 27001 Documentation Toolkit covers all mandatory documents and some documents that are not mandatory. Many of the clauses and controls you mentioned do not need to be documented according to the standard, and in our opinion, it would be an overhead to document each and every one of them in a small company. 

Our toolkit is created specifically for smaller companies that want to implement ISO 27001 in a quick way, without unnecessary paperwork; for larger companies that require more documents, we recommend getting some other solution.

This article will also help you:

• List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/ 

What is EQA Test in ISO17025

EQA stands for “External Quality Assurance” and refers to the ISO 17025 requirements in clause 7.7 Ensuring the validity of results, for a laboratory to  monitor its performance by comparison with results of other laboratories. How a laboratory does this depends on the type of testing and the type of comparison that is available and appropriate. This can be participation in proficiency testing or other means, for example, is appropriate bi-lateral comparisons or use of certified reference material. I suggest you contact your accreditation body and obtain their rules for Proficiency Testing and other comparison programme requirements for ISO 17025 accredited facilities in your sector. See too the ILAC P9:06/2014 ILAC Policy for Participation in Proficiency Testing Activities (the policy for accreditation bodies on the use of proficiency testing activities in the accreditation process), available from https://ilac.org/publications-and-resources/ilac-policy-series/

For more information, have a look at previously answered topic Documentation and PT program https://community.advisera.com/topic/documentation-and-pt-program/

For more information on what is required for ISO 17025, read the whitepaper Clause-by-clause explanation of ISO 17025:2017 available for download from https://advisera.com/17025academy/free-downloads/ and preview the Toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/ which includes the Quality Assurance Procedure and the Proficiency Testing Record.

Scope of ISMS

The paper archive will need to be part of the ISMS scope if it contains information you want your Information Security Management System to protect.

For example, if the paper archive contains employees’ information, and you want the ISMS to protect only customer information, then the paper archive does not need to be part of the ISMS scope.

These articles will provide you a further explanation about defining the ISMS scope:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

This material can also provide more information:

• How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/

Terminating Employee

When an employee is part of the ISMS scope, to his employment termination to be compliant with ISO 27001 requirements you should ensure that his access rights are revoked, and information security responsibilities and duties that remain valid after termination of employment are communicated to the employee (e.g., keep the information confidential). This last part of the process is often done through contractual obligations.

This article will provide you a further explanation about terms and conditions of employment:

• What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/

Translation of IFU

There is no strict requirement that translation validation must be performed. However, from the ISO 13485 point of view, validation must be performed for all processes where the resulting output cannot be monitored or measured by subsequent monitoring or measurement. Translation validation will ensure that each time translations will be provided in a proper manner and that information provided in the IFU are correct. It should be done once and there is no need for another validation while native speakers do not change.  

ISO 27001 implementation

Unless you have requirements for specific cloud security controls, your information security implementation compliant with ISO 27001 follows the same steps as for a non-cloud environment:
getting management buy-in for the project;

1. defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational context and requirements of interested parties;
2. development of risk assessment and treatment methodology;
3. perform a risk assessment and define the risk treatment plan;
4. controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
5. people training and awareness;
6. controls operation;
7. performance monitoring and measurement;
8. perform internal audit;
9. perform management critical review; and
10. address nonconformities, corrective actions, and opportunities for improvement.

Regarding your question about which policies, this will depend on the results of risk assessment and identified legal requirements.

For further information, see:

• The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

This article will provide you a further explanation about ISMS implementation:

• ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/ 

To see how documents compliant with ISO 27001 looks like, please take a look at the free demo of our ISO 27001 Documentation Toolkit: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

These materials will also help you regarding the ISO 27001 implementation:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/

Amount of non-conformances that an auditor issue after an audit

No, there is no ''rule of tumb'' for the amount of non-conformances that an auditor issue after an audit. As a good practice, an auditor should raise all non-conformities determined during an audit.

Please consider the following information:

• Environmental Nonconformity Management: How is ISO 14001 different from ISO 9001 - https://advisera.com/14001academy/blog/2014/10/08/environmental-nonconformity-management-iso-14001-different-iso-9001/
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-foundations-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

Requlatory Requirements for a DNA testing lab

You asked

I assume accreditation is mandatory for outsourced testing labs.

Typically, including outsourced testing, the required laboratory quality level is legally determined. For example, government departments such as immigration will only accept DNA test results for immigration and citizenship applications from laboratories accredited by a ILAC member accreditation body. Besides legal requirements, the benefit of accredition is that the competency of a laboratory is shown through their accreditation, so there is assurance in using an accredited laboratory for such tests.

You also asked

Is ISO 17025 the relevant accreditation?

Answer

Both ISO 17025 (testing and calibration) and ISO 15189 (medical pathology) are applicable quality standards for genetic testing while ISO 17025 is the relevant accreditation for an outsourced laboratory for testing for GMP (Good Manufacturing Practice). ISO 15189 is the accreditation required for diagnostic work on patient material. For certain clinical and preclinical analyses, the referral lab may need to comply / perform the study under OECD GLP, GCLP, ISO/IEC 17025, or ISO 15189 criteria.

The specific type of testing must be included under the scope of accreditation. For this reason, some laboratories will have both ISO 17025 and ISO 15189 accreditation as they perform general testing and diagnostic testing work. It is therefore important to clarify the needs of your clients.

For more information on ISO 17025 see ISO 17025 – Main guidelines at https://advisera.com/17025academy/what-is-iso-17025/

BYOD

Such procedures and testing plans can greatly vary according to organizations requirements (i.e., organizations may have different requirements for system engineering and system acceptance), so it is unfeasible to develop templates to cover every possible scenario, and our recommendation, in this case, is that each organization develop their own documentation.

For further information, see:

• What are secure engineering principles in ISO 27001:2013 control A.14.2.5? https://advisera.com/27001academy/blog/2015/08/31/what-are-secure-engineering-principles-in-iso-270012013-control-a-14-2-5/
• How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/

Is link to LinkedIn private use ?

Your website is clearly for personal use, so you don’t fall under EU GDPR regulation.

Here you can find some information about GDPR applicability:

• Is the GDPR applicable to our company? https://advisera.com/eugdpracademy/knowledgebase/who-needs-to-be-gdpr-compliant-an-easy-explanation/