When an employee is part of the ISMS scope, for his employment termination to be compliant with ISO 27001 requirements you should ensure that his access rights are revoked, and that information security responsibilities and duties that remain valid after termination of employment are communicated to the employee (e.g., keeping the information confidential). This last part of the process is often done through contractual obligations.
This article will provide you with a further explanation about terms and conditions of employment:
There is no strict requirement that translation validation must be performed. However, from the ISO 13485 point of view, validation must be performed for all processes where the resulting output cannot be verified by subsequent monitoring or measurement. Translation validation will ensure that, each time, translations are provided in a proper manner and that the information provided in the IFU is correct. It should be done once, and there is no need for another validation as long as the native speakers do not change.
Unless you have requirements for specific cloud security controls, your information security implementation compliant with ISO 27001 follows the same steps as for a non-cloud environment:
getting management buy-in for the project;
Regarding your question about which policies, this will depend on the results of risk assessment and identified legal requirements.
For further information, see:
This article will provide you with a further explanation about ISMS implementation:
To see what documents compliant with ISO 27001 look like, please take a look at the free demo of our ISO 27001 Documentation Toolkit: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
These materials will also help you regarding the ISO 27001 implementation:
No, there is no "rule of thumb" for the number of non-conformities that an auditor issues after an audit. As a good practice, an auditor should raise all non-conformities identified during an audit.
Please consider the following information:
You asked
I assume accreditation is mandatory for outsourced testing labs.
Typically, including for outsourced testing, the required laboratory quality level is legally determined. For example, government departments such as immigration will only accept DNA test results for immigration and citizenship applications from laboratories accredited by an ILAC member accreditation body. Besides legal requirements, the benefit of accreditation is that the competency of a laboratory is shown through its accreditation, so there is assurance in using an accredited laboratory for such tests.
You also asked
Is ISO 17025 the relevant accreditation?
Answer
Both ISO 17025 (testing and calibration) and ISO 15189 (medical pathology) are applicable quality standards for genetic testing, while ISO 17025 is the relevant accreditation for an outsourced laboratory testing for GMP (Good Manufacturing Practice). ISO 15189 is the accreditation required for diagnostic work on patient material. For certain clinical and preclinical analyses, the referral lab may need to comply with / perform the study under OECD GLP, GCLP, ISO/IEC 17025, or ISO 15189 criteria.
The specific type of testing must be included under the scope of accreditation. For this reason, some laboratories will hold both ISO 17025 and ISO 15189 accreditation, as they perform both general testing and diagnostic testing work. It is therefore important to clarify the needs of your clients.
For more information on ISO 17025 see ISO 17025 – Main guidelines at https://advisera.com/17025academy/what-is-iso-17025/
Such procedures and testing plans can vary greatly according to organizations' requirements (i.e., organizations may have different requirements for system engineering and system acceptance), so it is unfeasible to develop templates to cover every possible scenario, and our recommendation, in this case, is that each organization develops its own documentation.
For further information, see:
Your website is clearly for personal use, so you don't fall under the EU GDPR regulation.
Here you can find some information about GDPR applicability:
During the retention period, you can store the unsolicited CV; you don't need explicit consent because the legal basis falls under pre-contractual measures taken at the request of the data subject (Article 6(1)(b) GDPR). You need to state in the privacy notice that personal data in CVs will be processed for the purpose of selecting candidates for a job application and that they will be stored for 6 months.
Here you can find the legal basis in the EU GDPR:
In ISO 45001 the previous requirements for identifying hazards and risks are not drastically changed from the OHSAS 18001 requirements, but these previous requirements only address the hazards and the OH&S risks defined in the ISO 45001 clause 6.1 requirements. Along with what is already in place from OHSAS 18001, you also need to identify other risks as well as OH&S opportunities and other opportunities. While it is possible to document these in the HIRA document you already use, it is not required to do so, and in many cases you may not want to, especially if the HIRA document is mandated by legal requirements.
So while it might be good to include the OH&S opportunities along with the HIRA document (maybe a new column) as these are related to the hazards, you may want to include the other risks and opportunities of the OHSMS along with other strategic planning risks and opportunities of the company. How they are documented is not dictated in the standard.
You can read a simplified explanation of the new requirements for hazards, risks & opportunities, and how this requirement works, in the article: The basics of ISO 45001 hazards, risks, and opportunities, https://advisera.com/45001academy/blog/2021/02/22/the-basics-of-iso-45001-hazards-risks-and-opportunities/
1. If someone enrolls for ISO 27001 Lead Auditor/Lead Implementer training at an ISO-accredited training provider and passes the exam, will he/she/they automatically be eligible to include ISO 27001 Lead Auditor/Lead Implementer at the end of his/her/their complete name?
Attending the course and passing the exam is not sufficient to be eligible to use the credentials of Lead Auditor / Lead Implementer, because professional and audit/implementing experience may be required. The specific requirements to obtain the qualification vary depending on the organization issuing the certificate.
2. Related to question #1, how can one verify someone else's ISO 27001 Lead Auditor/Lead Implementer certification? Is there any URL to validate it?
The organization issuing the certification must maintain an accessible record of its certified members, so you only need to ask the person for his/her certification register entry and the issuing organization, so that you can check the validity of the credential.
These articles will provide you with a further explanation:
These materials will also help you regarding personal certifications: