Search results

Do we need VPN to comply with GDPR?

No, you don’t need to have VPN for all employees in order to be GDPR or ISO 27001 compliant. 

Regarding GDPR, you must take all necessary technical and organizational measures to ensure appropriate protection for the personal data you process, according to Article 32 GDPR - Security of processing, so deciding whether you need VPN for all employees should be done after evaluating all the risks towards data subjects.

Regarding ISO 27001, the process is similar - you have to assess the relevant risks for your sensitive information, and based on those risks, decide whether to use VPN. 

Please also consult these links:

• Article 32 GDPR - Security of processing: https://advisera.com/gdpr/security-of-processing/
• Can the GDPR trigger better security in a company https://advisera.com/articles/what-is-the-influence-of-the-gdpr-on-security/

Is ISO 17025 needed?

You said “We need to do test that requires that they are doing under a laboratory quality management system compliant to ISO 17025 or alike standards”

I do not have the background whether you are referring to testing medical devices and if you offer contract testing or internal testing of your own medical devices. I suggest you obtain some specific information from the party requiring this, as there are regulatory requirements related to medical devices.

As an overview, ISO 9001 is a general management system not applicable to provide assurance that a laboratory is competent to perform a particular test, from a technical perspective. The ISO 9001 requirements for management are included in ISO 17025, so with your ISO 9001 system certification you can implement the additional ISO 17025 requirements to work in accordance with ISO 17025 and thereafter achieve accreditation. ISO 17025 is specifically applicable to testing and calibration. Both ISO 17025 and ISO 13485 are competency-based standards with some overlap. Typically an medical device manufacturer does not need ISO 17025 accreditation, however when it comes to testing medical devices many of the ISO 71025 practices are beneficial.

For some more information on ISO 17025 see this Q&A reply and links within: https://community.advisera.com/topic/17025-vs-13485/

Impact column in Asset Inventory

Thanks for your answer Rhand.
I don't see the benefit for us while there is also an Impact column in the risk spreadsheet.
Is this an ISO 27001 requirement? i.e., do we have to have this impact column in the inventory of asset?  

Documentation package content

The Documentation Toolkit based on ISO 27001:2022 is organized differently from version 2017 of the toolkit.

Documents based on the controls from ISO 27001:2022 Annex A are located in folder 09 Annex A Security Controls. The documents are not organized considering section 5. Organizational Controls, 6. People Controls, 7. Physical Controls and 8. Technological Controls because most documents cover controls from multiple sections and this kind of organization wouldn’t make sense.

For example:

• the template Clear Desk and Clear Screen Policy covers physical (A.7.7 - Clear desk and clear screen), and technological (A.8.1 - User endpoint devices) controls
• the template Bring Your Own Device (BYOD) Policy covers organizational (A.5.14 - Information transfer), people (A.6.7 - Remote working), and technological (A.8.1 - User endpoint devices) controls

IMS Standards

Yes, you can still use the term "Management Representative" in your documentation, even though the specific role is no longer mentioned in ISO 9001:2015. While the 2015 version of the standard does not require a designated "Quality Management Representative," it does not prohibit using the term in your organization's documentation or procedures.

The term "Management Representative can still be meaningful within the context of your organization's quality management system. It can represent the individual or individuals who are responsible for overseeing the QMS and ensuring its effectiveness

Using the term "Management Representative" can provide clarity and a clear point of contact for QMS-related matters within your organization. However, it's essential to ensure that the responsibilities and roles associated with the "Management Representative" are clearly defined in your documentation (job description, for example). This ensures that everyone understands their responsibilities and facilitates effective communication and coordination in managing the QMS.

Question about SMCA

The proper way to identify which assets (e.g., products and services) you need to consider for ensuring the continuity of your customer process is by performing a Business Continuity analysis (BIA).

The BIA will help you identify how businesses are affected by disruptive events, and from this analysis, you can identify which assets (i.e., your products and services) you need to consider for the recovery efforts. 

For further information, see:

• How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
• How to define activities when implementing business continuity according to ISO 22301 https://advisera.com/27001academy/blog/2013/11/11/how-to-define-activities-when-implementing-business-continuity-according-to-iso-22301/

Controlled documents

Yes, these documents should be in the title of the controlled document. The storage period should first be determined according to the customer's specific requirements.

If there is no request on this subject; you as an organization should determine the retention period.

Apart from this, these test reports should be accessible, the records should be protected against fire, wetting, etc.

Scope (locations and addresses)

For certification purposes, an organization needs to provide at least one physical address (in general, for remote work environments, where management activities are performed). Since you do not want to include the CEO’s home address you should consider an alternative location like renting a small office in a shared workspace, for example.

Identifying Controlled prints/documents

The IATF 16949 standard does not require anything different from ISO 9001 in document management. Having a stamp is not a necessary issue for both.

The important thing is that it is clear who prepares and approves the document, that the revisions are followed systematically, and that the current versions can be found in the places of use.

Your company should establish and implement the revision tracking system, but this does not necessarily mean that it will be stamped.