Search results


    • Are ISO 22716 and ISO 13485 comparable as certification schemes?

      ISO 22716:2007 is a standard that covers Good Manufacturing Practices for cosmetic products, while ISO 13485:2016 is a standard that covers requirements for developing a quality management system for manufacturers of medical devices. The main principles regarding production itself are rather similar: both standards require traceability of raw materials, confirmation of the correctness of the entire production process, traceability within production itself, maintenance of the required purity of the product and of production (depending on product type), etc.

      Furthermore, both standards require an internal audit, that deviations and nonconformities are managed, and that documentation is managed appropriately. However, ISO 22716 has no requirement for a management review.

      Given this review, it can be said that these two standards are comparable.

      You can find a lot of information about ISO 13485 at the following links:

      • What is ISO 13485? https://advisera.com/13485academy/what-is-iso-13485/
      • Six key benefits of ISO 13485 implementation https://advisera.com/13485academy/knowledgebase/six-key-benefits-of-iso-13485-implementation/
      • How to get ISO 13485 certified? https://advisera.com/13485academy/iso-13485-certification/
    • ISO 27001 implementation

      The Risk Assessment and Risk Treatment Methodology template included in your toolkit is compliant with ISO 27005.

      Please note that ISO 27005 is a supporting standard to ISO 27001, detailing how to implement risk management for information security (basically covering ISO 27001 clauses 6.1.2 and 6.1.3).

      This article will provide further explanation about implementing risk management:

      • ISO 27001 risk assessment & treatment – 6 basic steps: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    • Need for consent

      "Thanks for your response. I am now clear that if any form of contract or agreement is signed between the controller and the data subject, it does not require specific consent, especially if the bank has signed account opening forms or product and services forms; then specific consent is not required.

      1 - With this understanding I have another question: is the bank allowed to share/process data via third parties, without specifically mentioning this in the form/contract at the time of customer on-boarding, in order to fulfil the contract? Or can the bank publish a privacy notice on its website stating that the bank will process your data via third parties?

      The bank can share data with third-party processors, but the privacy notice should state that data will be shared and for what purpose. The privacy notice should be given together with the contract, because the data subject should be able to know what data will be processed, and how, within the contractual relationship.

      2 - Is it mandatory for the organization/bank to mention the name/region of the third-party data processor, especially if it is in a non-EU state?

      The bank should declare whether data will be transferred outside the EU, the legal basis for the transfers, and the destination of the data. If the destination is several countries, the notice should state that data subjects can contact the bank to obtain the exact list of countries and the safeguards implemented.

      3 - Can an organization use the term "we may share your data with third-party service providers", or does it have to be specific, mentioning the service outsourced and the name and region of the service provider? And where does this have to be clarified: at the time of the contract or via the privacy notice? Thanks, and looking forward to your expert opinion."

      The privacy notice is the document where all this information should be given. The controller does not need to be specific where the third-party processors differ (they may also change), but the data subject is entitled to contact the controller to find out who the processors are.

    • Transferring Risk using Insurance

      Yes, in some cases you can transfer the risk to insurance (e.g. for the risk of fire, you can insure your physical assets); however, such insurance can only cover a limited number of your risks. Therefore, you cannot expect to treat all risks through risk transfer using insurance.

      For the risks for which you use the insurance, you will not need to perform monitoring and review of supplier services.

    • Confidentiality level in Incident Management Procedure

      This kind of procedure is normally classified as 'internal use' because it defines the rules not only for the management of incidents, but also for how employees can identify and report incidents. Due to this nature, it is not necessary for personnel outside the organization to access this procedure.

    • How to get ISO 27001 certification if I have SOC 2 certification already?

      An organization that is SOC 2 certified is compliant with the Trust Services Criteria (TSC), which have a high level of alignment with ISO 27001.
      Considering that, most of the work to achieve ISO 27001 certification will be related to identifying and documenting the evidence required by the standard.

      For example, for ISO 27001 the risk assessment and risk treatment approach must be documented, and this is not mandatory under the TSC.
      These articles will provide further explanation about SOC 2 and ISO 27001:

      These materials will also help you regarding ISO 27001:

    • Contradictions between Toolkits and video tutorials

      Please note that ISO 27001:2013 defines the top-level policy as the "Information Security Policy"; however, the old 2005 revision of ISO 27001 called this document the "ISMS Policy".

      So, the ISMS Policy and the Information Security Policy are the same document.

      Regarding the elements of GDPR included in this Information Security policy, they do not require customization, so a video tutorial with specific GDPR content for filling in the Integrated ISO 27001 & GDPR Information Security Policy is not required. In case you find any differences between the templates and video tutorials, please consider the template as the most updated version.

      For more information, see:

    • What role should person doing Internal Audit have?

      An internal auditor does not need to have an IT security job title or role.

      ISO 27001 does not prescribe job titles or roles for persons performing internal audits. It only requires that internal auditors have the proper knowledge, skills, and experience, and that when selecting internal auditors you ensure the objectivity and impartiality of the audit process, which means that internal auditors are not directly involved in the process being audited (an auditor should not audit their own work).

      These articles will provide further explanation about the selection of internal auditors:

      These materials will also help you regarding the selection of internal auditors:

    • Are Microsoft Office 365 and Dynamics 365 GDPR compliant?

      As far as it is possible to know, Microsoft Office 365 and Dynamics 365 claim to be GDPR compliant and take steps to assure their compliance. There is no GDPR certification, so it is not possible to know whether Microsoft is fully compliant.

      Here you can find their commitment: https://www.microsoft.com/en-ww/trust-center/privacy/gdpr-overview

      If you want to know more about the EU GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course// 

    • GDPR with 2 company names (legal entities)

      In part: in addition to stating in the privacy notice that the data collected will be processed by two controllers (or by a controller and a processor), it is also necessary that the joint-controllership relationship be defined by a contractual agreement between the two companies describing roles and responsibilities (in the case of a controller/processor relationship, the appointment of the processor under Art. 28 GDPR will be required). Naturally, this agreement does not need to be published, but it must exist in order to demonstrate accountability.

      For more information, see:

      If you want to know more about the GDPR, you can consider enrolling in our free online training course:

