Search results


  • Recommendations on Security Awareness and Training

    1 - How do I get this going in my company?

    The first thing you need to do is identify which gaps of incompetence you have (i.e., which knowledge or skills your employees need to have). Some examples are:

    • Use of passwords
    • Backup operation
    • Software installation and patching
    • Performing internal audits

    Second, you need to define the method to be applied: training sessions, workshops, newsletters? What will work best for your company? At which frequency should you perform them (e.g., weekly, monthly, annually)?

    After that, you need to evaluate whether these gaps can be filled by internal personnel or whether you will need external support.

    Once you have these answers, you can start defining your training and awareness plan.

    These articles will provide you with a further explanation about awareness:

    This material will also help you regarding awareness:

    2 - What will the auditor be looking for in this requirement?

    For clause 7.2 (competence), the auditor will be looking for evidence that you have:

    • determined which security competencies are necessary
    • identified gaps in knowledge, skills, and/or experience in information security related to activities that employees need to perform (e.g., secure development skills for the development team)
    • performed actions to fulfill those gaps (e.g., by means of training attendance lists, certificates, etc.) and verified that those actions were effective.

    For further information, see:

  • Risks treatment

    Please note that “documents regarding risk treatment” can mean documents related to ISO 27001 clauses 6.1.3 and 8.3, and documents related to ISO 27001 Annex A.

    Documents related to clauses 6.1.3 and 8.3 cannot be ignored because they are mandatory documentation. You need to develop them to be compliant with the standard. You need to document the results of risk treatment, even if you already have implemented controls. Documents required by these clauses are:
    - Risk treatment plan (clauses 6.1.3 e, 6.2, and 8.3)
    - Risk assessment report (clauses 8.2 and 8.3)

    Regarding ISO 27001 Annex A, some controls, when defined as applicable, also require documents to be written:
    - Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
    - Inventory of assets (clause A.8.1.1)
    - Acceptable use of assets (clause A.8.1.3)
    - Access control policy (clause A.9.1.1)
    - Operating procedures for IT management (clause A.12.1.1)
    - Secure system engineering principles (clause A.14.2.5)
    - Supplier security policy (clause A.15.1.1)
    - Incident management procedure (clause A.16.1.5)
    - Business continuity procedures (clause A.17.1.2)
    - Statutory, regulatory, and contractual requirements (clause A.18.1.1)

    In case you have implemented any of the above-mentioned controls, you need to develop the related documents. For other controls no documentation is defined as mandatory, and you do not need to develop documents for them.

    These articles will provide you with a further explanation about risk management and mandatory documents:
    - ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    These materials will also help you regarding risk management:
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-risk-management-in-plain-english/

  • Classification of reusable orthopedic instruments used to fit implants

    All surgically invasive instruments can be classified according to Rule 6 and Rule 7 of Annex 8 – Classification rules in the MDR 2017/745. But, before answering your question, I have to state that according to Advisera's policy, we are not authorized to define the classification of medical devices. Therefore, I ask you to consider this answer only as a guideline.

    Reusable surgical instruments are classified in a new class according to the MDR – class Ir.

    Rationale: Rule 6

    All surgically invasive devices intended for transient use are classified as class IIa unless they:

    - are reusable surgical instruments, in which case they are classified as Class I.

    A drill bit or reamer attached to a power drill and jig used in knee surgery is class IIa:

    Rationale: Rule 6 - All surgically invasive devices intended for transient use are classified as class IIa unless they...

    or

    Rule 7 - All surgically invasive devices intended for short-term use are classified as class IIa unless they... 

    Under which rule a drill bit or reamer will fall depends on how long it is used during the operation: if it is below 60 minutes, then Rule 6 applies, and if it is longer than 60 minutes, then Rule 7 applies.

    Retractors, gouges, and forceps are all reusable surgical instruments and go under the same classification path as any other reusable surgical instruments – so class Ir.

    For more information, see:

    • EU MDR Annex 8 – Classification rules https://advisera.com/13485academy/mdr/classification-rules/

    • Clause 4.2 that will lead to the Mandatory document of control A.18.1.1

      I’m assuming you meant to say “Identification of applicable legislation and contractual requirements” for control A.18.1.1 (“Inventory of assets” is the control A.8.1.1, and it is not directly related to clause 4.2 - Understanding the needs and expectations of interested parties).

      To see a document that can fulfill control A.18.1.1, please take a look at this free demo: https://advisera.com/27001academy/documentation/list-of-legal-regulatory-contractual-and-other-requirements/

      These articles will provide you with a further explanation about the identification of legal requirements:
      - How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301/
      - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

    • What ISO Standard does ISO 27001 Auditor follow during Audits?

      ISO 19011 is the standard used for auditing ISO management systems, including ISO 27001. You can find this standard here: https://www.iso.org/standard/70017.html

      For certification audits, ISO 27006 needs to be taken into account. This standard specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS).

      For further information, see:
      - How to perform an internal audit using ISO 19011 (PDF) https://info.advisera.com/free-download/how-to-perform-an-internal-audit-using-iso-19011

      These materials will also help you regarding audits:
      - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
      - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

    • KPIs

      The term Key Performance Indicator refers to measurements you use to determine the performance and effectiveness of the QMS. This is completely up to you, but the main question you need to ask yourself is "What do I need to measure to know that my QMS processes are performing as expected and that they are effective?". KPIs also depend on the company’s strategy and competitive advantage.

      For example, the following questions can be asked when defining the KPIs for production:

      • How long does it take to produce a product? When you define that time (e.g., 2 hours), then your KPI is to produce by that time or less. If you want the production time to be shorter (e.g., 1.5 hours), then it is necessary to analyze which step can be shortened without affecting the final quality of the product.
      • How much waste is there during production? The KPI is that you want the waste to be around 2%, for example.

      For more information regarding KPIs, please see the following article, regardless of its mention of the ISO 9001 standard:

      • How to define Key Performance Indicators for a QMS based on ISO 9001 https://advisera.com/9001academy/blog/2016/05/24/define-key-performance-indicators-qms-based-iso-9001/

      • ISO 27001 vs ISO 27002

        The main differences are:

        • ISO 27001 is a certifiable standard that defines the requirements for an Information Security Management System (ISMS), as well as providing, in its Annex A, suggested security controls to be implemented according to the results of risk assessment or legal obligations.
        • ISO 27002 is a non-certifiable standard that provides details and guidance on the implementation of the controls from ISO 27001 Annex A.
        • ISO 27002 is not mandatory for being certified against ISO 27001.

        These articles will provide you with a further explanation about ISO 27001 and ISO 27002:

        These materials will also help you regarding ISO 27001 and ISO 27002:

      • Time to prepare and get certified

        For AS9100 implementation, the time duration can be very different for different companies, so giving one estimate is not possible. For the time to learn the standard, there are many AS9100 training courses that take 1–2 days if you want to do this rather than independent study. Implementation will then take a varying amount of time depending on many factors, such as the size of the company, the complexity of processes, the time allowed for implementation personnel, etc. When it comes to certification, after a documentation audit the certification audit often takes 3–4 days (again, depending on the company), as well as any time needed to respond to nonconformances of the processes.

        You can learn a bit more on how to assess the time for implementation in the article: How long does AS9100 implementation take?, https://advisera.com/9100academy/blog/2019/03/26/how-long-does-as9100-implementation-take/

      • Internal Audit

        I don’t know if I understand your question correctly.

        ISO 9001:2015 doesn’t mention departments and has no requirements regarding marketing. So, why are you auditing sales and marketing, if you don’t have that working in your organization? ISO 9001:2015 mentions processes, not departments. Why don’t you audit processes? About sales, use ISO 9001:2015 clause 8.2.

        Another possibility is that your organization has not yet implemented a quality management system. If that is the case, consider doing a gap analysis:

      • Register of Requirements — how detailed should it get?

        Please note that the "cybersecurity requirements" to be included in the register are those defined in the customer contracts (e.g., data backup, need for data segregation, right to audit, etc.). You can either write the requirements in the register or only refer to contract clauses.

        The link between the legal register and the Statement of Applicability will be the ISO 27001 Annex A controls applied to fulfill the contractual requirements. For example:

        • data backup: A.12.3.1 Information backup
        • need for data segregation: A.13.1.3 Segregation in networks
        • right to audit: A.12.7.1 Information systems audit controls

        In Conformio this is performed during risk assessment and treatment when you identify relevant risks of legal requirements compromise and define the necessary controls to be applied for risk treatment (these will be displayed in the SoA).

        Additionally, once security policies and procedures are being written, Conformio reminds users about the relevant requirements from the Register of Requirements.
