Thank you very much for the clarification, Rhand. After turning the points over so many times, I realized that the problems are in the Spanish translation.
In my case, and as a contribution to you, I finally translated them as follows:
Use cryptographic tools (encryption) on local computers without the corresponding authorization from Information Technology (IT).
Download and install programs, applications and/or software from personal external storage devices or from devices not supplied by Information Technology (IT).
Each manufacturer that produces medical devices under the MDR will have an audit, and if it can prove to the notified body that its medical device is in compliance with MDR 2017/745, then the notified body will issue a certificate. After this certificate, the manufacturer will be allowed to place a CE mark on the medical device.
1 - We have two business units. One is located at site A and the other here at site B.
The unit that will be certified is the one at site B. Do I need to include information from site A as well, such as laws and regulations?
You only need to include legal requirements from your site A that may define information security requirements for your site B.
For example, if both sites exchange information, and a customer contract signed with site A states that information needs to be protected in a specific way (e.g., by using a specific cryptographic technology), then a reference to this contract needs to be included in the list of legal requirements of site B, the one to be certified.
For further information, see:
2 - Another question: do we need to specify the names and types of customer contracts?
ISO 27001 does not prescribe which information needs to be recorded in a list of requirements, so you can define the information that best suits your needs. You can either use the type of contract, when you have, for example, many contracts that follow the same model, or name them specifically, when it is important to track the requirements of a specific customer.
The ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit you bought can be used to implement only ISO 27001 in non-cloud environments, because it also includes the templates used for implementing ISO 27001 alone.
Included in the toolkit you bought there is a List of Documents file which shows which documents are related to each standard. In case you want to implement only ISO 27001 in non-cloud environments, you can use only the templates marked in the ISO 27001 standard column of this file.
For further information, see:
- ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
- ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
Dear Dejan,
Thank you for your response.
Your knowledge sharing has boosted my confidence in this standard.
ISO standards do not prescribe specifics about version management (they only require version control), so organizations are free to adopt any approach that best fits their needs, and converting to a numeric revision upon approval is an acceptable approach.
This article will provide you with a further explanation about document management:
If you are producing for your automotive customer and your customer wants you to get IATF 16949, you can apply for the certification audit by doing the necessary work for the IATF 16949:2016 standard.
I need one clarification: what are the clauses related to engineering in IATF?
The product and process design and development clause of the IATF 16949:2016 standard is also related to engineering. This corresponds to clauses 8.1 and 8.3 of the standard.
And what are the clauses related to production?
The production-related clauses of the IATF standard are as follows:
- 8.5 (complete)
- 8.6, 8.6.1, 8.6.3, 8.6.6
- 8.7.1.1, 8.7.1.2, 8.7.1.3, 8.7.1.4, 8.7.1.5
- 9.1.1.1, 9.1.1.2, 9.1.1.3
- 10.2.2, 10.3.1 b), 10.3.2
According to requirement 6.2 Human resources, the following documents are required: documented requirements for establishing competencies, providing the needed training, and ensuring awareness of personnel.
This means that you need to document which competencies are needed for each job position (this is usually called job systematization), what kinds of training you have (for example internal training, external training, self-education), how the training will be conducted (how a person can ask to attend certain training, how management will define the budget for education, what kind of records there will be), and how the effectiveness of the education will be evaluated (whether for every training or only for the trainings that have the most impact on the business or product quality, and how the effectiveness will be checked: by oral or written exam, by monitoring everyday work, or by some other method).
Usually, the responsible person is the head of the human resources department. However, very often the head of each department is responsible for deciding which training an employee needs to attend and for defining the method of the effectiveness check.
On the following links, you can see with which documents we cover this topic in our ISO 13485:2016 Documentation toolkit: