No, you don’t need to have VPN for all employees in order to be GDPR or ISO 27001 compliant.
Regarding GDPR, you must take all necessary technical and organizational measures to ensure appropriate protection for the personal data you process, according to Article 32 GDPR - Security of processing, so deciding whether you need VPN for all employees should be done after evaluating all the risks towards data subjects.
Regarding ISO 27001, the process is similar - you have to assess the relevant risks for your sensitive information, and based on those risks, decide whether to use VPN.
Please also consult these links:
You said “We need to do test that requires that they are doing under a laboratory quality management system compliant to ISO 17025 or alike standards”
I do not have the background whether you are referring to testing medical devices and if you offer contract testing or internal testing of your own medical devices. I suggest you obtain some specific information from the party requiring this, as there are regulatory requirements related to medical devices.
As an overview, ISO 9001 is a general management system not applicable to provide assurance that a laboratory is competent to perform a particular test, from a technical perspective. The ISO 9001 requirements for management are included in ISO 17025, so with your ISO 9001 system certification you can implement the additional ISO 17025 requirements to work in accordance with ISO 17025 and thereafter achieve accreditation. ISO 17025 is specifically applicable to testing and calibration. Both ISO 17025 and ISO 13485 are competency-based standards with some overlap. Typically a medical device manufacturer does not need ISO 17025 accreditation; however, when it comes to testing medical devices, many of the ISO 17025 practices are beneficial.
For some more information on ISO 17025 see this Q&A reply and links within: https://community.advisera.com/topic/17025-vs-13485/
Thanks for your answer Rhand.
I don't see the benefit for us while there is also an Impact column in the risk spreadsheet.
Is this an ISO 27001 requirement? i.e., do we have to have this impact column in the inventory of assets?
The Documentation Toolkit based on ISO 27001:2022 is organized differently from version 2017 of the toolkit.
Documents based on the controls from ISO 27001:2022 Annex A are located in folder 09 Annex A Security Controls. The documents are not organized considering section 5. Organizational Controls, 6. People Controls, 7. Physical Controls and 8. Technological Controls because most documents cover controls from multiple sections and this kind of organization wouldn’t make sense.
For example:
Yes, you can still use the term "Management Representative" in your documentation, even though the specific role is no longer mentioned in ISO 9001:2015. While the 2015 version of the standard does not require a designated "Quality Management Representative," it does not prohibit using the term in your organization's documentation or procedures.
The term "Management Representative" can still be meaningful within the context of your organization's quality management system. It can represent the individual or individuals who are responsible for overseeing the QMS and ensuring its effectiveness.
Using the term "Management Representative" can provide clarity and a clear point of contact for QMS-related matters within your organization. However, it's essential to ensure that the responsibilities and roles associated with the "Management Representative" are clearly defined in your documentation (job description, for example). This ensures that everyone understands their responsibilities and facilitates effective communication and coordination in managing the QMS.
The proper way to identify which assets (e.g., products and services) you need to consider for ensuring the continuity of your customer process is by performing a Business Continuity analysis (BIA).
The BIA will help you identify how businesses are affected by disruptive events, and from this analysis, you can identify which assets (i.e., your products and services) you need to consider for the recovery efforts.
For further information, see:
Yes, these documents should be in the title of the controlled document. The storage period should first be determined according to the customer's specific requirements.
If there is no request on this subject, you as an organization should determine the retention period.
Apart from this, these test reports should be accessible, the records should be protected against fire, wetting, etc.
For certification purposes, an organization needs to provide at least one physical address (in general, for remote work environments, where management activities are performed). Since you do not want to include the CEO’s home address you should consider an alternative location like renting a small office in a shared workspace, for example.
The IATF 16949 standard does not require anything different from ISO 9001 in document management. Having a stamp is not a necessary issue for both.
The important thing is that it is clear who prepares and approves the document, that the revisions are followed systematically, and that the current versions can be found in the places of use.
Your company should establish and implement the revision tracking system, but this does not necessarily mean that it will be stamped.