Please note that section 3.4 of the "Procedure for working in secure areas" covers the access of visitors. You can edit the first paragraph of this section to explain the general rules for visitor access to common areas.
Additionally, you should also consider defining a visitor profile in the Access Control Policy, since this policy is referred to in section 3.4.
This article will provide you with a further explanation about access control:
For organizations of up to 50 employees, it is better to include the whole organization in the Information Security Management System, because the effort to separate what is in from what is out of your ISMS will not be worthwhile.
Considering that, all departments included in your Information Security Management System scope need to be listed in Conformio.
These articles will provide you with a further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
These materials will also help you regarding scope definition:
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Once templates are completed, they need to be approved and implemented (i.e., you need to ensure that everyone complies with policies and procedures), and the defined records need to be created and stored.
Once you have the records, you need to perform an internal audit and management review, starting any corrective measures deemed necessary.
During this time, you need to choose your certification body and make the arrangements for the certification audit.
These articles will provide you with a further explanation about certification:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/
- Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
These materials will also help you regarding the certification process:
- ISO 27001/ISO 22301: The certification process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
- Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
If you're referring to human blood testing, the answer is no. Any human blood testing falls under medical pathology testing and requires the laboratory to be ISO 15189 compliant and, in most situations (depending on national legislation), accredited.
Typically veterinary labs are 17025 accredited and animal blood testing falls within their scope of work.
The main question here is who certified the medical devices (in your case dental instruments). Who has the CE certificate? You mentioned that you do not sell under your own name. In that case, the comment from the EU AR company is right. An EU AR can be a representative only for the products and the company that puts the products on the market.
If I understand your situation correctly, you are an outsourced producer for the company that puts dental instruments on the market. In that case, you do not need an EU representative.
Yes, on the label you can state that *** is a contract manufacturer or a place of production (using the white factory symbol).
I agree with you, the organizational side can make the difference in increasing compliance and awareness about security and GDPR requirements. Setting an access policy determining the level of confidentiality of documents and persons allowed to access or modify them is a good security measure.
Another organizational measure is to set the rules of data processing for your employees with a data protection policy and also an IT security policy in order to define some technical aspect like software that is not allowed in your organization's IT system.
Thinking about the storage you mentioned, keeping all data on your laptop can expose you to a data breach in case the laptop stops working or something happens to the data, so if you decide to follow this path, implement some backup solution.
Another approach is to keep data in the cloud, setting access levels for your employees and increasing the possibility to work from anywhere. In this case, consider installing a VPN in order to protect access and navigation and, of course, set access levels for your employees.
Here you can find some information about starting the compliance process:
If you want to learn how personal data are processed under the EU GDPR you may consider enrolling in our free training EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course/
I’m assuming you are referring to an ISO 27001 certified information security management system.
Considering that, you should consider looking at these templates:
These articles will provide you with a further explanation about measurement and management review:
I have a query. Does ISO have a standard that links information security to Teleworking or Home Working?
ISO 27001, the ISO standard for information security management systems, has information security controls that can be applied to Teleworking or Home Working. Additionally, there is ISO 27002, a supporting standard that provides guidelines on the implementation of such controls.
To see what a document covering Teleworking or Home Working based on ISO 27001 looks like, please access the free demo at this link: https://advisera.com/27001academy/documentation/mobile-device-and-teleworking-policy/
These articles will provide you with a further explanation about telework:
You need to confirm this information with your certification body, but if the ISO 27017 / ISO 27018 controls were audited during your ISO 27001 certification audit, this information can be included in your customer certificate.
These articles can provide further information:
The difference between ISO 27001 Annex A and ISO 27002 is that while ISO 27001 Annex A defines control objectives, ISO 27002 provides orientation and guidance on how to implement the controls listed in ISO 27001 Annex A (the control objectives are exactly the same in both standards).
This article will provide you with a further explanation about ISO 27001 and ISO 27002:
- ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
This material can also provide additional information:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/