
  • Recurring task in Conformio

    The Information Security Policy requires in section 3.3 (Secure engineering principles) that the responsible person issues “procedures for secure information system engineering, both for the development of new systems and for the maintenance of the existing systems, as well as set the minimum security standards which must be complied with.” Please note that the mentioned procedures are not included in the policy but need to be developed because of it.

    Considering that, the recurring task refers to the publication of these required procedures, i.e., you can only set this task as completed when all needed procedures are published. This task is not related to the publication of the Information Security Policy itself.

    Consider this example: when developing this policy, you identify that you have a financial system, a production monitoring system, and a mobile app, all developed with different technologies. When the Information Security Policy is implemented, this recurring task will remind you every 10 days after the Information Security Policy implementation date that you need to publish these needed procedures.

    Once these related procedures and standards are published you can mark this task as completed, and the review cycle of these documents will be performed as defined in the document control procedure (e.g., at least annually).

  • Question about Scope of Work

    All departments included in the ISMS scope need to be involved in the risk assessment.

    Regarding risk owners, you should consider the roles with the most interest and authority to treat them. For example, in case you identify risks related to a server, you should consider as the risk owner the IT manager.

    These articles will provide you with a further explanation about risk assessment and risk owners:

    These materials will also help you regarding risk management:

  • Recovery site

    1 - Do we need another recovery site?

    Considering that there is a chance that another disruptive scenario can hit your organization at any moment (e.g., fire, flood, storm, etc.), and that now, because of Covid-19, you will not have recovery space available to fulfill your needs in case of a new disruptive event, you should consider another recovery site if you still want to achieve the continuity objectives defined pre-Covid-19.

    The alternative would be to adjust continuity objectives according to your current operational capacity and situation (e.g., if your initial continuity objective was to work with 50% capacity during disruption, maybe now a possible objective would be only 25%, due to social distancing requirements).

    Just for a mindset adjustment, you should keep thinking of your recovery site as a recovery site, not as a daily office, since it is being used like that only because you are in a disruptive scenario, i.e., social distancing is required due to Covid-19.

    2 - If we do, how do I convince management?

    The direct answer is that you need to perform an assessment of your current allocation of continuity resources to identify what you can still use in case a new disruption hits you (e.g., is it possible to allocate more people in the recovery site, up to the limit defined by social restrictions?).

    With this information in hand, you can go to management and present it to them, making clear what can be achieved in terms of business continuity under the current situation and allocation of resources, so they can make an informed decision between adjusting continuity objectives to feasible ones or allocating more resources for a new recovery site.

    This article will provide you with a further explanation about business continuity objectives:

  • Stage 2 Audit and ISMS completion status and Assets listing

    1. I have a situation where the Assets listing is very light on, i.e., mainly just a listing. The Risk Assessment and Risk Treatment Register also doesn’t go into Inherent Risk, Controls and Residual Risk. It goes straight into a single risk (residual) rating. Am I correct to be concerned about the absence of an Inherent risk perspective?

    ISO 27001 does not prescribe the content of an asset list, so organizations are free to define the data they want to record (usually minimal data to be considered are asset name, asset category, and asset owner).

    For further information, see:

    Regarding risk management, it is highly improbable to have a risk assessment with only residual risks (i.e., risks with controls already applied to reduce them to acceptable levels), so you should review your assessment to confirm that no relevant risk has been missed (including people who work directly with the situation being assessed is a good way to check that). In the case of risk treatment, the objective is to have all listed risks as residual, i.e., by defining a treatment for them.

    For further information, see:

    2. My question relates to preparing for a Stage 2 audit, in relation to how complete the ISMS needs to be.

    I have been told that if there are many gaps and low level of completion of ISMS, then the Stage 2 auditor will look for work plans that indicate awareness of this, AND review the results of past Internal Audits and Non-Compliances i.e., if there are many non-conformances and controls gaps found, then this is “good news” as it supports the status of non-completion.

    My thought is that the Stage 2 Auditor would expect to see the ISMS mostly completed e.g., at least 90%, accepting that there will always be maintenance and improvement.

    For certification purposes you need to fulfill all requirements from clauses 4 to 10, i.e., they need to be implemented and audited. The auditor will expect a fully implemented ISMS according to the standard's requirements.

    What can be postponed is the implementation of controls related to less relevant risks, and to support this decision you can use management review and work plans to evidence the situation.

    This article will provide you with a further explanation about the certification audit:

    These materials will also help you regarding ISO 27001 certification:

  • Filling documents

    The purpose of this template is not to define requirements, only to identify where they can be found, who defined them, who are responsible for their implementation, and by which date.

    Requirements are defined by the interested parties (e.g., top management, customers, suppliers, employees, government agencies, etc.) which are relevant to your information security management system (ISMS), and are usually documented as laws, regulations, contracts, agreements, and other similar documents, which are identified in this annex.

    For example, you can have a service contract with your main customers where they require backup to be performed in a certain way and use a defined technology. In this template, you will identify the requirements (backup method and technology to be used), where they can be found (service contract ***), who defined them (customer), and who is responsible for it (e.g., IT manager), and the implementation deadline (e.g., end of October 2021).

    Considering that:
    1 - Requirements for the procurement, commissioning, and approval for the use of non-organizational IT services may be determined by the IT manager together with the key users of such services and documented in the “Appendix 1 – Specification of Information System Requirements”, located in folder 08_Annex_A_Security_Controls >> A.14_System_Acquisition_Development_and_Maintenance
    2 - Requirements for the use of confidentiality agreements when passing on sensitive information may be determined by information owners, and their way of implementation documented in the “Information Classification Policy”, located in folder 08_Annex_A_Security_Controls >> A.8_Asset_Management
    6 - Requirements from business relationships (e.g., reporting obligations to the client) are documented in contracts and service agreements, for which organizations usually already have their own defined templates, and their way of implementation documented in documents which will depend on the requirements defined.
    7 - Requirements for key sovereignty may be determined by the IT manager together with the users of services that use these keys, and their way of implementation documented in the “Policy on the Use of Encryption”, located in folder 08_Annex_A_Security_Controls >> A.10_Cryptography.
    8 - Security-relevant requirements for information security with regard to the handling of event logs, e.g., requirements from contracts, are determined in contracts and service agreements, for which organizations usually already have their own defined templates, and their way of implementation documented in “Security Procedures for IT Department”, located in folder 08_Annex_A_Security_Controls >> A.12_Operations_Security.
    9 - Extended requirements for the control and administration of networks are determined in contracts and service agreements, for which organizations usually already have their own defined templates, and their way of implementation documented in “Security Procedures for IT Department”, located in folder 08_Annex_A_Security_Controls >> A.12_Operations_Security.

    Once requirements are defined and identified in the List of Legal Regulatory Contractual and Other Requirements:
    3 - The procedures for user authentication are documented in the “Access Control Policy”, located in folder 08_Annex_A_Security_Controls >> A.9_Access_Control
    4 - The requirements for development and test environments are documented in the “Secure development policy”, located in folder 08_Annex_A_Security_Controls >> A.14_System_Acquisition_Development_and_Maintenance
    5 - Measures to meet the procurement and license management requirements with regard to intellectual property rights and the use of software products protected by copyright are documented in the “Appendix 1 – Specification of Information System Requirements”, located in folder 08_Annex_A_Security_Controls >> A.14_System_Acquisition_Development_and_Maintenance, and in the “IT Security Policy”, located in folder 08_Annex_A_Security_Controls >> A.8_Asset_Management.

    This article will provide you with a further explanation about requirements identification:

  • How can I tag an instrument which is not in use as per ISO norms?

    We assigned an ID to those items to keep track of where they are, who is responsible for handling them, etc. We identified that equipment with the ID and also a red legend of "Just reference"; in our procedure we specified that this type of equipment cannot be used on the production floor or in any process where the quality of a product or process will be confirmed.

    We also audit that equipment to confirm proper storage and area. No issues during external audits with this process.

  • Examples of Applicable regulatory requirements

    Each medical device must be designed and manufactured in accordance with the relevant technical standards. Given the variety of medical products (from the spoon for giving antibiotics to the artificial heart), it is clear that the same standards do not apply to all medical products. So it is the responsibility of the manufacturer to determine what the additional standards are that apply to its product. Some of such standards are, e.g., EN 12470 for clinical thermometers, EN 12184 for electrically powered wheelchairs, or EN ISO 11608 for needle-based injection systems.

    Furthermore, certain standards refer to some procedures, such as standards covering sterilization. Given the different methods of sterilization, there are dozens of standards associated with sterilization. Again, it is the responsibility of the manufacturer to determine which sterilization standards must be met.

    According to the Medical device regulation (MDR 2017/745), all manufacturers of medical devices must comply with the so-called harmonized standards or state-of-the-art standards (Article 8 – Use of harmonized standards).

    For more information, see:

    The link to the harmonized standards published in the Official Journal of the European Union on 24-03-2020 is the following: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2020:090I:TOC

    with an amendment from 14-04-2021: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2021.129.01.0153.01.ENG

    For more information about what EU harmonized standards are, please see the following link:

    • What are EU harmonized standards? https://advisera.com/13485academy/blog/2020/06/12/what-are-eu-harmonized-standards/

  • 3.6. Documents of external origin

    1. In section 3.6 Documents of external origin, in the Procedure for document and record control, there is a line saying: “Each external document that is necessary for the planning and operation of the QMS must be recorded in the incoming mail register.” This is basically all emails, from purchase, sales, quality, etc., basically every email that needs to be registered because it can be necessary for the planning and operation of the QMS. This makes it completely inefficient to run the company. What is the absolute minimum to do here? We have several different systems that track important emails and documents. We have a program for the QMS to handle all documents; we have an ERP system to track all sales/production/shipments. This email registering system will break us. Why do we need it? Please advise.

    No, you do not need an e-mail incoming register. Here, the incoming register meant all those paper documents that come to your company by regular mail (for example, contracts with suppliers, contracts with customers, some correspondence from regulatory institutions, if your orders come by mail). Of course, if everything is via email, then you don’t need this part. That is, describe here exactly what you wrote in your question: “We have several different systems that track important emails and documents. We have a program for the QMS to handle all documents; we have an ERP system to track all sales/production/shipments.”

    What is most important here is that you have control over incoming documents, that you know exactly when which document came and where it was stored or to whom it was forwarded.

    2. ISO 13485 only states: “ensure that documents of external origin, determined by the organization to be necessary for the planning and operation of the quality management system, are identified and their distribution controlled.” So why does the toolkit refer to us having to have an advanced document email document system?

    Everything has already been answered in the previous question.

  • Recording speakers at events

    I hope you can assist me and that my previous purchases cover asking questions like this.

    I have a query for you about recording video, taking photographs and other media we record for events / webinars / podcasts etc. The question relates to capturing the presenters and speakers at the events using video / photographs. Do we need to ask for consent under GDPR to process this data? Or do we ask them to sign a release so they are giving us copyright for the recordings / images etc.?

    You need to distinguish the contractual side of the relationship with the artist from the privacy compliance profile. When you take photographs, record a podcast, etc., you need to ask the artist to sign a release to give you the copyright for the images/recordings, etc. From a GDPR perspective, the legal basis of the data processing will be the contract, under article 6.1.b.

    If we ask them to sign a release form so we own copyright of the material, how will this affect their rights under GDPR? For example, if they sign a release for a video and then later claim they want it deleted under GDPR, can they do this as we own copyright? Or is there some other way we should process this data under the GDPR without relying on consent?

    The data subject will be able to exercise all the rights under GDPR which are linked to the management of the agreement. Of course, this will not have any effect on the copyrighted images because in the release they waived such rights. GDPR will allow them to request erasure for personal data which are covered under the legal basis of consent (i.e., newsletter subscription, marketing communication, etc.), but the data controller will be able to continue processing data under the contract. Of course, consider the terms and conditions of the copyright release; if the agreement can be terminated and the artist can demand to stop using his/her image/recording, it is another aspect which does not involve privacy law but the contract with the artist.

    Here you can find some information about the legal basis:

    If you need to understand how to manage data subjects' rights under GDPR, you can consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/

  • ISMS - In scope or out of scope

    Some information is missing for providing a direct answer, so I’ll provide one considering two possible scenarios.

    In case your company is a small one (i.e., up to 50 employees), it is better to include all of your organization in the ISMS scope, because the effort to separate elements that are inside the scope from those outside it wouldn’t be worthwhile.

    In case your company has more than 50 employees, you should evaluate whether keeping Sales and Marketing separated from the other divisions is worthwhile (you would have to treat them like external parties, for which you need to implement controls to separate them from the ISMS scope, while at the same time you need to provide them access to the information in the ISMS scope that they need).

    This problem is described in detail in this article:
