
  • Register of Legal, Contractual, and Other Requirements - how detailed?

    1 - Do I list each requirement separately or put all 30 of the items in the "Description of the requirement" field?

    The way of handling this situation will depend on who will be responsible for fulfilling the requirements. If a single role will be responsible for all requirements, then you can include a single register. In case the specific requirements are to be treated by different roles (e.g., there are privacy requirements, continuity requirements, compliance requirements, etc.), then it is better to split the requirements into different records.

    To avoid making the description excessively long, you can identify only the clause instead of including all of its text.

    2 - Do I limit the items to just those that are security related?

    For ISO 27001 compliance purposes you only need to include the requirements related to information security.

    3 - Most of our customers are banks, and we fill out a SIG that has hundreds of security-related questions; it seems impractical to list all of these in the register for each customer.

    Suggestions?

    In cases like this one you only need to refer to the customer Standardized Information Gathering (SIG). You do not need to include in the platform each question, only the reference to the document that contains them so that the person responsible for fulfilling them can know where to find them.

  • Recommendations on Security Awareness and Training

    1 - How do I get this going in my company?

    The first thing you need to do is identify which competence gaps you have (i.e., which knowledge or skills your employees need to have). Some examples are:

    • Use of passwords
    • Backup operation
    • Software installation and patching
    • Performing internal audits

    Second, you need to define the method to be applied: training sessions, workshops, newsletters? What will work best for your company? How often should they be performed (e.g., weekly, monthly, annually)?

    After that, you need to evaluate whether these gaps can be filled by internal personnel or whether you will need external support.

    Once you have these answers, you can start defining your training and awareness plan.


    2 - What will the auditor be looking for in this requirement?

    For clause 7.2 (competence), the auditor will be looking for evidence that you have:

    • determined which security competencies are necessary
    • identified gaps in knowledge, skills, and/or experience in information security related to activities that employees need to perform (e.g., secure development skills for the development team)
    • performed actions to fill those gaps (e.g., evidenced by training attendance lists, certificates, etc.) and verified that those actions were effective.


  • Risk treatment

    Please note that "documents regarding risk treatment" can mean documents related to ISO 27001 clauses 6.1.3 and 8.3, and documents related to ISO 27001 Annex A.

    Documents related to clauses 6.1.3 and 8.3 cannot be ignored because they are mandatory documentation. You need to develop them to be compliant with the standard. You need to document the results of risk treatment, even if you already have implemented controls. Documents required by these clauses are:
    - Risk treatment plan (clauses 6.1.3 e), 6.2, and 8.3)
    - Risk assessment report (clauses 8.2 and 8.3)

    Regarding ISO 27001 Annex A, some controls, when defined as applicable, also require documents to be written:
    - Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
    - Inventory of assets (clause A.8.1.1)
    - Acceptable use of assets (clause A.8.1.3)
    - Access control policy (clause A.9.1.1)
    - Operating procedures for IT management (clause A.12.1.1)
    - Secure system engineering principles (clause A.14.2.5)
    - Supplier security policy (clause A.15.1.1)
    - Incident management procedure (clause A.16.1.5)
    - Business continuity procedures (clause A.17.1.2)
    - Statutory, regulatory, and contractual requirements (clause A.18.1.1)

    In case you have implemented any of the above-mentioned controls, you need to develop the related documents. For other controls no documentation is defined as mandatory, and you do not need to develop documents for them.

    This article will provide you a further explanation about risk management and mandatory documents:
    - ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    These materials will also help you regarding risk management:
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-risk-management-in-plain-english/

  • Classification of reusable orthopedic instruments used to fit implants

    All surgically invasive instruments can be classified according to Rule 6 and Rule 7 of Annex VIII – Classification rules of the MDR 2017/745. But, before answering your question, I have to state that according to Advisera's policy, we are not authorized to define the classification of medical devices. Therefore, I ask you to consider this answer only as a guideline.

    Reusable surgical instruments are classified in a new class according to the MDR – class Ir.

    Rationale: Rule 6

    All surgically invasive devices intended for transient use are classified as class IIa unless they:

    - are reusable surgical instruments, in which case they are classified as Class I.

    A drill bit or reamer attached to a power drill and jig used in knee surgery is class IIa:

    Rationale: Rule 6 - All surgically invasive devices intended for transient use are classified as class IIa unless they...

    or

    Rule 7 - All surgically invasive devices intended for short-term use are classified as class IIa unless they... 

    Which rule a drill bit or reamer falls under depends on how long it is used during the operation: if it is below 60 minutes then Rule 6 applies, and if it is longer than 60 minutes then Rule 7 applies.

    Retractors, gouges, and forceps are all reusable surgical instruments and go under the same classification path as any other reusable surgical instruments – so class Ir.
