  • Register of Legal, Contractual, and Other Requirements

    The content of this register is defined by the interested parties (e.g., top management, customers, suppliers, employees, government agencies, etc.) that are relevant to your information security management system (ISMS), and is usually documented in laws, regulations, contracts, agreements, and other similar documents, which are identified in this document.

    For example, you can have a service contract with your main customers where they require backup to be performed in a certain way and to use a defined technology. In this template, you will identify the requirements (backup method and technology to be used), where they can be found (service contract ***), who defined them (customer), who is responsible for it (e.g., IT manager), and the implementation deadline (e.g., end of October 2021).

    Regarding contracts, you need to consider not only contracts with customers but also with employees and suppliers, i.e., with all parties that are relevant to information security.

    You do not need to list all your customers. You can list only the more relevant ones (e.g., those with the highest values, the strategic ones, etc.), which can be identified by codes to protect privacy.

    If you have signed the same agreements with, e.g., customers, you do not need to list each party separately - you can just list them together, e.g., "customers", and specify the security requirements from those standardized agreements.

    This article will provide you with a further explanation about requirements identification:
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

  • Basic question on GDPR

    No, there is no international standard that certifies GDPR requirements, although some standards can help you to implement GDPR principles and design policies correctly, i.e., ISO 27001 on information security or ISO 17000 on conformity. Therefore, there is no expiration date, and you will apply GDPR as soon as it is enforceable. The previous EU directive had been enforceable for more than 10 years, so the time frame is long.

    In order to verify the requirements to pass the CIPM certification, you should consult the IAPP website.

    Here you can find more information about ISO standards:

    If you want to know how to implement ISO 27001 standards or the EU GDPR, you may consider enrolling in our free online foundations courses:

    • Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    • EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course/

  • CISSP

    ISO certification of persons works in a different way.

    Accredited ISO training providers comply with ISO 17024, which provides general requirements for bodies operating certification of persons.

    Provided they fulfill this standard's requirements, each training provider can have their own set of questions to use in their exams.

    These articles will provide you with a further explanation about ISO 27001 personnel certifications:

    These materials will also help you regarding ISO 27001 personnel certifications:

  • Cyber security certificates that guarantee entry-level work

    Please note that the answer to this question depends on the type of work you are considering (e.g., database security, network security, cloud security, security management, etc.).

    For ISO 27001, the lead ISO standard for information security management, the entry-level certifications would be:

    • ISO 27001 Foundations
    • ISO 27001 Internal Auditor

    More advanced certifications are:

    • ISO 27001 Implementer
    • ISO 27001 Lead Auditor

    These articles will provide you with a further explanation about ISO 27001 personnel certifications:

    These materials will also help you regarding ISO 27001 personnel certifications:

  • Error proofing

    I don't think there is a standard for error-proof devices. But according to clause 10.2.4 of the IATF 16949:2016 standard, both production and product verification methods of error-proof devices must be specified in the control plan. For example, let's assume that there is 100% control of the product on the production line with a camera. You verify this camera with the "NOK" master sample per shift. Here in the control plan, you need to enter the verification of each shift with the "NOK" master sample.

  • Question about training

    1 - I wanted to know for the Security Awareness Training, if we have our own training, can this be used and we just have to log when the training was completed? Who should participate in the training, as all employees take this training?

    You can have your own training, but you need more than a log of when the training was completed. You need to identify the training content and the results achieved (e.g., who has participated, by means of attendance lists; who was approved, by means of exam results or certificates, etc.). In your toolkit, you have a Training and Awareness plan, located in folder 9 Training and awareness, that will help you log all the information you need to be compliant with the related ISO 27001 requirements.

    Regarding who needs to participate, you need to identify which security competencies need to be fulfilled, so you can identify who needs them. These are the people who need to attend the activities.

    For example, if you need to fulfill a gap related to clean desk and clear screen, maybe all employees in the scope will need this one. On the other hand, if you need to fulfill a gap in network security, maybe only IT personnel need to attend the activity.

    For further information, see:

    2 - It's from a site, KnowBe4. I wanted to know, for this part, can our employees use this site or do they have to use your site for ISO? Do we have to show who has had training?

    ISO 27001 does not prescribe how to perform awareness and training, so organizations can use their own training/awareness material, use a training provider, or adopt a mix of these approaches.

    Regarding training providers, you can use anyone you see fit for your needs.

    Regarding records to be kept, the same records you keep when you perform training by yourself need to be kept.

  • Classification

    To my understanding of this equipment, equipment that generates oxygen for medical applications is not a medical device. The oxygen tank is a medical device if that oxygen has a medical device purpose and is not used as a medicine.

  • Checklist for medical device labeling including advertising and claims

    The best way to prepare the audit checklist is to go through Annex I, General safety and performance requirements, of the Medical Device Regulation (MDR) 2017/745. There, in Chapter III, Requirements regarding the information supplied with the device, you have all the requirements that need to be covered in labels and instructions for use.

    For more information, see:

    • EU MDR Annex 1 – General safety and performance requirements https://advisera.com/13485academy/mdr/general-requirements/

  • Missing documents

    Please note that controls A.12.4.1 (Event logging) and A.12.4.3 (Administrator and operator logs) are covered in the template "Security Procedures for IT Department", located in folder 08_Annex_A_Security_Controls >> A.12_Operations_Security.

    Regarding controls A.12.4.2 (Protection of log information) and A.12.4.4 (Clock synchronization), please note that ISO 27001 does not require every applicable control to be documented, and in such cases a short explanation about its implementation included in the Statement of Applicability will be enough (you can find documented information about these controls in the SoA template located in folder 06 Applicability of Controls).

    This article will provide you with a further explanation about controls documentation:

  • Is ISO 9001 mandatory for a company distributing medical devices?

    No, ISO 9001 is not mandatory for companies distributing medical devices. However, in the ISO 13485:2016 standard, section 0.1 Introduction - General, it is stated that the ISO 13485:2016 standard can be used by an organization involved in one or more stages of the lifecycle of a medical device, including design and development, production, storage and distribution, and so on.
