ISO 27001 does not prescribe which scale to be adopted, so we adopted a 1-3 scale to make risk assessment simpler and practical (a 1-5 scale will involve more values and alternatives).
These articles will help you:
By the way, the risk assessment process is also explained in this free online training:
While AS9100 clause 5.3 does not dictate exactly who is to be appointed the management representative, it does require that it shall be a specific member of the organization’s management, so appointing a non-management person does not meet this requirement. As for the pros and cons of using someone who is very low-level management in this position, I can’t think of any pros, and the biggest risk is the ability to have the “organizational freedom and unrestricted access to top management to resolve quality management issues” as required by the standard. This would occur if the low-level manager did not have the organizational clout to ensure that managers who are senior to the representative will resolve quality issues to the satisfaction of the quality representative.
You can read more on the quality management representative in the article: Is the management representative still required in AS9100 Rev D?, https://advisera.com/9100academy/blog/2017/05/22/is-the-management-representative-still-required-in-as9100-rev-d/
Thank you Mark. That's helped clarify the situation completely. Very helpful to understand the context of the QA Manual need outside the framework of the standard
Yes, clinical chemistry reagents are considered to be in vitro diagnostic medical devices, therefore ISO 13485:2016 is applicable as the quality management standard.
First of all, congratulations on your company’s achievement.
Regarding IT asset disposal, you need to provide evidence that the applied data deletion method has made the previously stored information unrecoverable, and that its application was verified and approved by the data owner.
For example, for a laptop, you can perform full disk encryption two or three times in a row, and each time encryption is performed you must destroy the related encryption key.
As proof for auditors you can develop a "Destruction/Deletion Record" containing the information about the asset, the deletion method applied, the date when the procedure was performed, and the signature of the person responsible for the deleted data, as confirmation that the procedure was successful.
For technical guidance, you should consider these references:
- ISO/IEC 27040 Information technology — Security techniques — Storage security - https://www.iso.org/obp/ui/#iso:std:iso-iec:27040:ed-1:v1:en
- NIST 800-88 - Guidelines for Media Sanitization https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final
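The answer above asks for two things an auditor can check: evidence that the medium no longer holds recoverable data, and a deletion record signed off by the data owner. The script below is an added example (not code from the original post or from Advisera) of the verification step that NIST SP 800-88 calls for after sanitization. It reads the wiped medium (a file or block device path is assumed) block by block, and checks either that every sampled block is all zeros (after an overwrite) or that every sampled block looks like high-entropy ciphertext (after a crypto-erase, where the data is left encrypted and the key is destroyed). It then builds a deletion record whose SHA-256 fingerprint is what the data owner would sign. The asset identifiers, the 7.5 bits/byte entropy threshold and the sample media are all assumptions constructed for this example.

```python
"""Sanitization verification and deletion record (added example, not from the post).

Assumptions not on the page: the sanitized medium is readable as a file or block
device; verification is done by reading blocks and checking for zeros (overwrite)
or high entropy (crypto-erase); the record hash is what the data owner signs.
"""
import hashlib
import io
import json
import math
import os
import random
from collections import Counter
from datetime import datetime, timezone

BLOCK = 4096            # verification block size (assumed; use the device sector size)
ENTROPY_THRESHOLD = 7.5  # bits per byte; random/ciphertext blocks score ~7.9, text ~4-5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant block, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def iter_blocks(fh, size: int, samples: int, seed=None):
    """Yield (offset, block). Small media are scanned exhaustively (100% verification);
    larger media are sampled at random block-aligned offsets, like a spot check."""
    nblocks = max(size // BLOCK, 1)
    if samples >= nblocks:
        offsets = range(0, nblocks * BLOCK, BLOCK)
    else:
        rng = random.Random(seed)
        offsets = sorted(rng.randrange(nblocks) * BLOCK for _ in range(samples))
    for off in offsets:
        fh.seek(off)
        yield off, fh.read(BLOCK)


def verify_sanitized(fh, size: int, method: str, samples: int = 64, seed=None):
    """Return (ok, failing_offsets). 'overwrite' expects all-zero blocks;
    'crypto_erase' expects blocks that still look like ciphertext (no plaintext leaked)."""
    if method not in ("overwrite", "crypto_erase"):
        raise ValueError("method must be 'overwrite' or 'crypto_erase'")
    failures = []
    for off, blk in iter_blocks(fh, size, samples, seed):
        if method == "overwrite":
            bad = any(blk)                                   # any non-zero byte remains
        else:
            bad = shannon_entropy(blk) < ENTROPY_THRESHOLD   # structured data is readable
        if bad:
            failures.append(off)
    return (not failures, failures)


def deletion_record(asset_id, method, ok, failures, performed_by, approved_by):
    """Build the 'Destruction/Deletion Record' as a dict; the SHA-256 over the
    canonical JSON is the value the data owner signs (assumed workflow)."""
    rec = {
        "asset_id": asset_id,
        "method": method,
        "performed_at": datetime.now(timezone.utc).isoformat(),
        "performed_by": performed_by,
        "approved_by": approved_by,
        "result": "PASS" if ok else "FAIL",
        "failing_offsets": failures,
    }
    rec["record_sha256"] = hashlib.sha256(
        json.dumps(rec, sort_keys=True).encode()).hexdigest()
    return rec


def constructed_media():
    """Constructed in-memory sample media (not real device images) so the example runs offline."""
    size = BLOCK * 8
    leftover = bytearray(size)
    leftover[BLOCK * 3:BLOCK * 3 + 6] = b"secret"   # one block the wipe missed
    return {
        "size": size,
        "overwritten": io.BytesIO(bytes(size)),          # clean zero-fill
        "leftover": io.BytesIO(bytes(leftover)),         # zero-fill with residue
        "crypto_erased": io.BytesIO(os.urandom(size)),   # stands in for ciphertext
    }


if __name__ == "__main__":
    m = constructed_media()
    ok, bad = verify_sanitized(m["leftover"], m["size"], "overwrite")
    print(json.dumps(deletion_record("LAPTOP-0001", "overwrite", ok, bad,
                                     "J. Tech", "A. Owner"), indent=2))
```

For a real device, open it read-only (for example `open("/dev/sdb", "rb")`), take `size` from `fh.seek(0, os.SEEK_END)`, and keep the record next to the asset register; a FAIL with offsets tells you exactly which blocks to inspect before the owner signs.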
No, these non-medical devices do not require risk assessment. Of course, under ISO 9001:2015 you have risk analysis, and you can cover any specific risks for these there.
You can find more about risk management within ISO 9001 at the following links:
First, it is important to note that ISO 27001 does not require an ISMS manual to be written, nor that documents be organized according to specific sections.
Considering that, the documents under the Documents module become available after you either finish the template wizards or upload your own documents. The template wizards are suggested for the mandatory documents, and for documents related to the results of risk assessment and applicable legal requirements.
For further information, see:
In a general way, the proper treatment of such information will depend on the results of risk assessment and applicable legal requirements.
For example, if the risks are low and there are no legal requirements, you do not need to apply specific protections for those documents. On the other hand, you may have a legal requirement (e.g., law, regulation, or contract) requiring the use of safes to protect such information.
In case you already have the Information Classification Policy implemented, you need to consider the classification assigned to this information, and the related treatments identified in the policy.
For further information, see: