Search results

ISO 27001 Lead Implementor - need to maintain certification

Thank you for this question, Lee!
After obtaining the certificate, the certificate is valid until the standard itself changes its version officially. Specifically for ISO 27001, minor changes have been made to the standard in 2017, but the current version of the standard remains ISO 27001:2013. From this, we conclude that the standard will not change very soon.

Procedure on personnel

The ISO 17025:2017 clause on personnel is one of the most stringent in terms of mandatory requirements for a procedure and retaining records. The procedure must explain firstly how the personnel needs of the laboratory are determined (6.2.5a). Then the recruitment, training, supervision and authorisation process must be explained (6.2.5 b to e).  You need evidence (records) for each step, including evidence of competence. Only once personnel have the required competence level, can they work on their own.

For further assistance, have  a look at the Advisera Expert Advice Community answers on personnel training (https://community.advisera.com/topic/personnel-training/) and deeming someone competent for more information (https://community.advisera.com/topic/how-training-should-someone-have-before-they-are-deemed-competent-for-a-specific-task/)

The whitepaper Clause-by-clause explanation of ISO 17025:2017 will assist you with overall ISO 17025 awareness for Personnel requirements. It is available at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/

For more information on competence, have a look at the article How to manage competence in a laboratory according to ISO 17025, available at https://advisera.com/17025academy/blog/2021/05/20/how-to-manage-competence-in-a-laboratory-according-to-iso-17025/.

The Advisera ISO 17025 toolkit includes the mandatory personnel procedure as ISO 17025 document template: Competence, Training and Awareness Procedure along with 4 appendices: Training Program, Training Record and Performance Monitoring, Record of Attendance and Competence. You can preview the template at https://advisera.com/17025academy/documentation/competence-training-and-awareness-procedure/

Article 1÷

Thank you very much.  Your advice and your service here is priceless.  I will check with the UK Commissioner.  I guess as it is not a Data Breach I will not be entitled to any compensation.

I think the Data Processor should also have told me that they were processing my sensitive data or at least checked that the Data Controller had informed me.

Text source about obligation to have IT Security Structure in place on premises

The GDPR only states that the data controller must ensure that data are “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (‘integrity and confidentiality).” (Article 5 paragraph 1, f) GDPR)Article 32 GDPR, among the obligation of the data controller, states that:“Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller, and the processor, shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

A) the pseudonymization and encryption of personal data;

B) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

C) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

D) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.

Setting access policies and determining roles and responsibilities is considered an organizational security measure and of course there is no indication of what technical security measures must be applied, the aim of GDPR is to be technological neutral but ISO27001 standard on the security of information can be a good guide.

Here you can find some information on security aspects and GDPR:

• Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
• Privacy, cyber security, and ISO 27001 – How are they related? https://info.advisera.com/27001academy/free-download/privacy-cyber-security-and-iso-27001

Email marketing

It depends on the country you are located in. I would choose a consultant from where I'm based in order to have an idea of the privacy legislation which applies to my current situation.

MDR - difference between configurable device and device with accessories

If I understand it correctly, your device will be a system. According to the Definitions in the MDR system (point 10) is a combination of products, either packaged together or not, which are intended to be interconnected or combined to achieve a specific medical purpose.

The question here is: are parts separately certified as medical devices?

For systems that consist of parts that are medical devices, according to Article 22, you need to prepare the statement that will have the following information:

• verified the mutual compatibility of the devices and, if applicable other products, in accordance with the manu­ lecturer's instructions and have carried out their activities in accordance with those instructions
• packaged the system or procedure pack and supplied relevant information to users incorporating the information to be supplied by the manufacturers of the devices or other products which have been put together
• the activity of combining devices and, if applicable, other products as a system or procedure pack was subject to appropriate methods of internal monitoring, verification, and validation.

However, if your parts are not a medical device, that it needs to be certified as a system separately. In that case, you need the involvement of the Notify body, you need to prepare applicable technical documentation according to Annex 2 and 3 of the MDR, and in that case, you will put a CE mark on that system.

For more information, see:

• EU MDR Article 2 – Definitions https://advisera.com/13485academy/mdr/definitions/
• EU MDR Article 22 – Systems and procedure packs https://advisera.com/13485academy/mdr/systems-and-procedure-packs/
• EU MDR Annex 2 – Technical documentation https://advisera.com/13485academy/mdr/technical-documentation/
• EU MDR Annex 3 – Technical documentation on post-market surveillance https://advisera.com/13485academy/mdr/technical-documentation-on-post-market-surveillance/

• BIA or RA

  Actually, there is no definitive order to perform Risk Assessment (RA) and Business Impact Analysis (BIA), and the choice for one or another will depend on your expectations:

  • By doing BIA first you will have a prioritized list of processes and services that can impact the most of your business in case of disruptive incidents, then you can go to assess the most relevant risks for the most critical processes and services.
  • By doing risk assessment first you will have a prioritized list of risks your organization is most exposed to, i.e., the most potential disruptive incidents, then you can go to assess the impact on business regarding the processes and services affected by those risks.

  Particularly, we prefer to do a risk assessment first, because this way you will have a better impression of which incidents can happen (which risks you’re exposed to), and therefore be better prepared for doing the business impact analysis (which focuses on consequences of those incidents).

  For rating critical services considering the results of a risk assessment, you can consider the value of the risks, or the number of risks, associated with a specific service. For example, you can have a service with two high risks associated with it and other with ten medium risks associated with it. Considering your context, in terms of risks maybe the second service is more critical.

  These articles will provide you a further explanation about risk assessment and BIA:

  • Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/
  • How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

  These materials will also help you regarding risk assessment and BIA:

  • Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

• ISO 9001 Strategic risk assessment

  In this free webinar on-demand - How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/ - I show some examples of determining risks and then acting on them. ISO 9001:2015 mentions risk about:

  • Context interacting with interested parties (clause 6.1)
  • Products and services (clause 5.1.2 b))
  • Processes (clause 4.4.1) 

  Your organization is a set of interrelated processes. Each process is a set of activities that transform inputs into desired outputs.

  ISO 9000:2015 defines risk as to the effect of uncertainty. Because there is uncertainty, sometimes we don’t have the expected:

  • Inputs
  • Activities
  • Outputs 

  What is a non-conformity? We don’t design processes to deliver non-conformities. So, when a non-conformity happens, we have the manifestation of risk. Non-conformities are potential risks that have materialized. Same for complaints.

  Seen in this way, the risk-based approach is a very effective methodology for developing a plan to control a process and its results. The control will materialize, for example, in operations of control, verification, improvements in the process, in work instructions, in improvements in monitoring, in increasing the competence of the participants.

  You can find more information below about risks.

  • How to address risks and opportunities in ISO 9001: https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
  • How to identify risk significance in ISO 9001:2015 - https://advisera.com/9001academy/blog/2019/01/14/how-to-identify-risk-significance-in-iso-90012015/
  • For a free preview of an example of the Registry of Key Risks and Opportunities - https://advisera.com/9001academy/documentation/registry-of-key-risks-and-opportunities/
  • Enroll for the free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ (I use a lot of examples based on the risk-based approach)
     

• Declaration of Conformity according to MDR

  thank you so much.