1. I have a situation where the Assets listing is very light on, i.e., mainly just a listing. The Risk Assessment and Risk Treatment Register also doesn’t go into Inherent Risk, Controls and Residual Risk. It goes straight into a single risk (residual) rating. Am I correct to be concerned about the absence of an Inherent Risk perspective?
ISO 27001 does not prescribe the content of an asset list, so organizations are free to define the data they want to record (usually minimal data to be considered are asset name, asset category, and asset owner).
For further information, see:
Regarding risk management, it is highly improbable to have a risk assessment with only residual risks (i.e., risks with controls already applied to reduce them to acceptable levels), so you should review your assessment to confirm that no relevant risk has been missed (including people who work directly with the situation being assessed is a good way to check that). In the case of risk treatment, the objective is to have all listed risks as residual, i.e., by defining a treatment for them.
For further information, see:
2. My question relates to preparing for a Stage 2 audit, in relation to how complete the ISMS needs to be.
I have been told that if there are many gaps and a low level of completion of the ISMS, then the Stage 2 auditor will look for work plans that indicate awareness of this, AND review the results of past Internal Audits and Non-Compliances, i.e., if there are many non-conformances and control gaps found, then this is “good news” as it supports the status of non-completion.
My thought is that the Stage 2 Auditor would expect to see the ISMS mostly completed e.g., at least 90%, accepting that there will always be maintenance and improvement.
For certification purposes you need to fulfill all requirements from clauses 4 to 10, i.e., they need to be implemented and audited. The auditor will expect a fully implemented ISMS according to the standard's requirements.
What can be postponed is the implementation of controls related to less relevant risks, and to support this decision you can use management review and work plans to evidence the situation.
This article will provide you with a further explanation about the certification audit:
These materials will also help you regarding ISO 27001 certification:
The purpose of this template is not to define requirements, only to identify where they can be found, who defined them, who are responsible for their implementation, and by which date.
Requirements are defined by the interested parties (e.g., top management, customers, suppliers, employees, government agencies, etc.) that are relevant to your information security management system (ISMS), and are usually documented as laws, regulations, contracts, agreements, and other similar documents, which are identified in this annex.
For example, you can have a service contract with your main customers where they require backup to be performed in a certain way and use a defined technology. In this template, you will identify the requirements (backup method and technology to be used), where they can be found (service contract ***), who defined them (customer), who is responsible for it (e.g., the IT manager), and the implementation deadline (e.g., end of October 2021).
Considering that:
1 - Requirements for the procurement, commissioning, and approval for the use of non-organizational IT services may be determined by the IT manager together with the key users of such services and documented in the “Appendix 1 – Specification of Information System Requirements”, located in folder 08_Annex_A_Security_Controls >> A.14_System_Acquisition_Development_and_Maintenance
2 - Requirements for the use of confidentiality agreements when passing on sensitive information may be determined by information owners, and their way of implementation documented in the “Information Classification Policy”, located in folder 08_Annex_A_Security_Controls >> A.8_Asset_Management
6 - Requirements from business relationships (e.g., reporting obligations to the client) are documented in contracts and service agreements, for which organizations usually already have their own defined templates, and their way of implementation documented in documents which will depend on the requirements defined.
7 - Requirements for key sovereignty may be determined by the IT manager together with the users of services that use these keys, and their way of implementation documented in the “Policy on the Use of Encryption”, located in folder 08_Annex_A_Security_Controls >> A.10_Cryptography.
8 - Security-relevant requirements for information security with regard to the handling of event logs, such as requirements from contracts, are determined in contracts and service agreements, for which organizations usually already have their own defined templates, and their way of implementation documented in “Security Procedures for IT Department”, located in folder 08_Annex_A_Security_Controls >> A.12_Operations_Security.
9 - Extended requirements for the control and administration of networks are determined in contracts and service agreements, for which organizations usually already have their own defined templates, and their way of implementation documented in “Security Procedures for IT Department”, located in folder 08_Annex_A_Security_Controls >> A.12_Operations_Security.
Once requirements are defined and identified in the List of Legal, Regulatory, Contractual and Other Requirements:
3 - The procedures for user authentication are documented in the “Access Control Policy”, located in folder 08_Annex_A_Security_Controls >> A.9_Access_Control
4 - The requirements for development and test environments are documented in the “Secure development policy”, located in folder 08_Annex_A_Security_Controls >> A.14_System_Acquisition_Development_and_Maintenance
5 - Measures to meet the procurement and license management requirements with regard to intellectual property rights and the use of software products protected by copyright are documented in the “Appendix 1 – Specification of Information System Requirements”, located in folder 08_Annex_A_Security_Controls >> A.14_System_Acquisition_Development_and_Maintenance, and in the “IT Security Policy”, located in folder 08_Annex_A_Security_Controls >> A.8_Asset_Management.
This article will provide you with a further explanation about requirements identification:
We assigned an ID to those documents to keep track of where they are, who is responsible for handling them, etc. We identified that equipment with the ID and also a red legend of "Just reference"; in our procedure we specified that this type of equipment cannot be used on the production floor or in any process where the quality of a product or process will be confirmed.
We also audit that equipment to confirm proper storage and area. No issues during external audits with this process.
Each medical device must be designed and manufactured in accordance with the relevant technical standards. Given the variety of medical products (from the spoon for giving antibiotics to the artificial heart), it is clear that the same standards do not apply to all medical products. So it is the responsibility of the manufacturer to determine what the additional standards are that apply to his product. Some of such standards are e.g. EN 12470 for clinical thermometers, or EN 12184 for electrically powered wheelchairs, or EN ISO 11608 for needle-based injection systems.
Furthermore, certain standards refer to some procedures such as standards covering sterilization. Given the different methods of sterilization, there are dozens of standards associated with sterilization. Again, it is the responsibility of the manufacturer to determine which sterilization standards must be met.
According to the Medical Device Regulation (MDR 2017/745), all manufacturers of medical devices must comply with the so-called harmonized standards or state-of-the-art standards (Article 8 – Use of harmonized standards).
For more information, see:
The link to the harmonized standards published in the Official Journal of the European Union on 24-03-2020 is the following: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2020:090I:TOC
with an amendment from 14-04-2021: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2021.129.01.0153.01.ENG
For more information about what EU harmonized standards are, please see the following link:
1. In section 3.6 Documents of external origin in the Procedure for Document and Record Control, there is a line saying: “Each external document that is necessary for the planning and operation of the QMS must be recorded in the incoming mail register”. This is basically all emails, from purchase, sales, quality, etc.; basically every email needs to be registered because it can be necessary for the planning and operation of the QMS. This makes it completely inefficient to run the company. What is the absolute minimum to do here? We have several different systems that track important emails and documents. We have a program for QMS to handle all documents; we have an ERP system to track all sales/production/shipments. This email registering system will break us. Why do we need it? Please advise.
No, you do not need an e-mail incoming register. Here, the incoming register meant all those paper documents that come to your company by regular mail (for example, contracts with suppliers, contracts with customers, some correspondence from regulatory institutions, if your orders come by mail). Of course, if everything is via email, then you don’t need this part. That is, describe here exactly what you wrote in your question: “We have several different systems that track important emails and documents. We have a program for QMS to handle all documents; we have an ERP system to track all sales/production/shipments.”
What is most important here is that you have control over incoming documents, that you know exactly when which document came and where it was stored or to whom it was forwarded.
2. ISO 13485 only states: “ensure that documents of external origin, determined by the organization to be necessary for the planning and operation of the quality management system, are identified and their distribution controlled”. So why does the toolkit say that we have to have an advanced email document system?
Everything has already been answered in the previous question.
"I hope you can assist me and that my previous purchases cover asking questions like this.
I have a query for you about recording video, taking photographs and other media we record for events / webinars / podcasts etc. The question relates to capturing the presenters and speakers at the events using video / photographs. Do we need to ask for consent under GDPR to process this data? Or do we ask them to sign a release so they are giving us copyright for the recordings / images etc.?
You need to distinguish the contractual side of the relationship with the artist from the privacy compliance profile. When you take photographs, record a podcast, etc., you need to ask the artist to sign a release to give you the copyright for the images/recordings, etc. From a GDPR perspective, the legal basis of the data processing will be the contract, under Article 6.1.b.
If we ask them to sign a release form so we own copyright of the material, how will this affect their rights under GDPR? For example, if they sign a release for a video and then later claim they want it deleted under GDPR – can they do this as we own copyright? Or is there some other way we should process this data under the GDPR without relying on consent?"
The data subject will be able to exercise all the rights under GDPR which are linked to the management of the agreement. Of course, this will not have any effect on the copyrighted images because in the release they waived such rights. GDPR will allow them to request erasure of personal data which are covered under the legal basis of consent (i.e., newsletter subscription, marketing communication, etc.), but the data controller will be able to continue processing data under the contract. Of course, consider the terms and conditions of the copyright release; whether the agreement can be terminated and the artist can demand that you stop using his/her image/recording is another aspect which does not involve privacy law but the contract with the artist.
Here you can find some information about the legal basis:
Some information is missing for providing a direct answer, so I’ll provide one considering two possible scenarios.
In case your company is a small one (i.e., up to 50 employees), it is better to include all of your organization in the ISMS scope, because the effort to separate elements that are inside the scope from those outside it wouldn’t be worthwhile.
In case your company has more than 50 employees, you should evaluate whether keeping Sales and Marketing separated from the other divisions is worthwhile (you would have to treat them like external parties, for which you need to implement controls to separate them from the ISMS scope, while at the same time providing the access they need to information in the ISMS scope).
This problem is described in detail in this article:
ISO 45001 provides requirements for companies to implement a management system to prevent injury and ill health in their employees; this does not certify the products and services that are provided by the company against any OH&S requirements. So, if you are purchasing a piece of equipment from an ISO 45001 certified company, this has nothing to do with the safety of that equipment.
However, the ISO organization has over 23000 standards, and many of these are used to provide requirements to certify equipment. It may be possible that you are purchasing a piece of equipment that is ISO certified for electrical and fire building codes to an ISO standard; however, you would need to compare the requirements of this standard against your NRTL certification requirements to ensure they are equivalent.
You can learn a bit more on what the requirements of ISO 45001 for an Occupational Health & Safety management system are in the whitepaper: Clause-by-clause explanation of ISO 45001:2018, https://info.advisera.com/45001academy/free-download/clause-by-clause-explanation-of-iso-45001
Please find below the answers to your questions:
@Guest user
Can I appear as General Manager even if I am not in the Chamber of Commerce registration? If you need an engagement letter for certification purposes?
I would not include you in the organizational chart yet, since you are not officially in the company. You can include your position as a planned change in your QMS, and when you enter the company in 2022 your role must be included as well as your tasks and competence needed.
@Guest user
The administration is a service that we buy partly from a professional and partly from the accountant which of the cited? do we have to put names or is it enough the role that can then be played by different people?
You will need to include these services as outsourced services, and you should specify that in the scope. Therefore, these services will need to be evaluated according to the criteria for the evaluation of suppliers. In addition, you won't need to put their names and roles, since they are outsourced suppliers and their companies are the ones that should do that.
@Guest user
Can we omit the organization chart or make a simplified one?
You can make a simplified one, as long as you can show how your organization is structured and how the respective roles and responsibilities are described.
@Guest user
RGQ in our case of coinciding with AD?
It does not need to be the same person; there are no such requirements in ISO 9001:2015.
@Guest user
Are all the chapters and sub-chapters of the manual mandatory? If something does not belong to us or we have nothing to say, do we put n/a? For example, we do not have offices, but we work either digitally from home (especially in the last year and a half) or on-site at the customer.
Firstly, you need to know that the Manual is no longer a mandatory document. Having said this, you can adapt it to your own organization and delete those parts that don't apply to your company.
@Guest user
Can we use Teams and Office 365 as a repository?
You can, as long as you can control your documents and records and keep the confidentiality of the documentation.
For more information about ISO 9001 certification, you can see the following materials:
- QMS change management in 7 steps: https://advisera.com/9001academy/blog/2016/11/29/qms-change-management-in-7-steps/
- How to document roles and responsibilities according to ISO 9001: https://advisera.com/9001academy/blog/2018/02/26/how-to-document-roles-and-responsibilities-according-to-iso-9001/
- How to evaluate supplier performance according to ISO 9001:2015: https://advisera.com/9001academy/blog/2015/10/27/how-to-evaluate-supplier-performance-according-to-iso-90012015/
- Tips to make document control more useful in your QMS: https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
- Free online training ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
- Discover ISO 9001:2015 Through Practical Examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
I’m considering your question based on the information about the purchase of a documentation toolkit.
Considering that, you should create a spreadsheet file (e.g., Excel) containing the information available in the incident log template that you want to evaluate (e.g., incident ID, date, affected asset, etc.).
From this database of incident metadata, you can generate the data for your report.
The incident log template can be found in folder 08_Annex_A_Security_Controls >> A.16_Information_Security_Incident_Management
Alternatively, you can take a look at our Conformio solution, to see if its Report Module features can fulfill your needs. You can access Conformio (online tool for ISO 27001) at this link: https://advisera.com/conformio/