Search results


  • Implementation duration

    We estimate that for companies up to 10 employees it is necessary up to 3 months to implement the quality management system according to the ISO 13485:2016.

  • How should I proceed with a report?

    From your question and the article forwarded to me (https://advisera.com/27001academy/pt-br/blog/2015/05/20/certificacao-iso-27001-o-que-fazer-apos-receber-o-relatorio-de-auditoria/), I assume you are referring to a certification audit report.

    Considering that, in summary, the actions arising from the audit report are:

    • sending an action plan to the certification auditor for the treatment of minor nonconformities (when identified), and implementing the plan within the defined dates
    • treatment by the organization of major nonconformities (when identified), and sending evidence of that treatment to the certification auditor
    • critical analysis of the opportunities for improvement by top management, and definition of the actions to be taken and their deadlines when considered pertinent.

    The certification audit report will be used as the reference to consult for any questions regarding the actions to be taken.

  • Data transfers to third countries under BCR umbrella

    Article 94 GDPR states that “References to the repealed Directive shall be construed as references to this Regulation. References to the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC shall be construed as references to the European Data Protection Board established by this Regulation.” There is continuity between Directive 95/46/EC and the GDPR. The adoption of BCR is a long process involving different stages of examination and approval from Data Protection Authorities and the Working Party (under Directive 95/46/EC), which became the European Data Protection Board (under the GDPR). So, BCRs already adopted are still valid. However, you need to check in the BCR which is the Leading Authority, because in July 2020 the European Data Protection Board stated that BCRs having the UK Data Protection Authority (ICO, or Information Commissioner’s Office) as the Leading Authority need to be amended because of Brexit.

    Here you can find the statement: https://edpb.europa.eu/news/news/2020/european-data-protection-board-thirty-fifth-plenary-session-information-note-binding_en

    If you need to know more about how to transfer data to third countries under the EU GDPR, here you can find more information:

    You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

  • ISO 17025 accrediting

    As long as you are able to meet, sustain and maintain the requirements of ISO 17025, accreditation can be achieved. But as you have mentioned having no equipment of your own and using rented equipment, it would be very challenging to ensure that the related requirements of ISO 17025 are met, as rightly mentioned by Tracy Evans. It will help greatly if the other party that is renting out the equipment has accreditation, so that most of the requirements get covered at their end and the other related ones at your end.

    I am afraid that only a broad answer can be given to your question.

  • Internal auditor qualification

    ISO 27001 requires that people are competent to perform activities related to the Information Security Management System (ISMS), and for internal audit, this would mean knowledge or experience on ISO 27001 and the audit process.

    Considering that, for an internal audit, being an ISO 27001 internal auditor would be sufficient.

    These materials will provide you with a further explanation about internal auditor qualification:

  • Conformio documentation access

    First, it is important to note that unless you have specific requirements demanding the use of ISO 27017 and ISO 27018 (e.g., laws, regulations, or contracts), the controls available in ISO 27001 are sufficient to cover cloud security.

    Considering that, please note that the application of ISO 27017 and ISO 27018 controls follows the same principles as for ISO 27001: controls are selected according to the results of the risk assessment, applicable legal requirements, or as a top management decision.

    As a result, to be compliant with ISO 27001 when using ISO 27017 and ISO 27018:

    • you need to implement the controls identified as needed to treat relevant risks and those defined by legal requirements
    • you can skip controls for which you do not have legal requirements or do not have relevant risks demanding their implementation
    • you can implement the ones top management considers good practice.

    This article will provide you with a further explanation about controls selection:

    These materials will also help you regarding controls selection:

  • Implementation of GDPR & ISO 27001

    First of all, sorry for this situation.

    By your question, I’m assuming you are also implementing ISO 20000.

    Considering that, in case your ISO 20000 scope includes information that is in the scope of the ISO 27001 and GDPR implementation, the best approach would be to use the Information Security Policy from the ISO 27001 & GDPR Integrated toolkit, including the specific information from the ISO 20000 Information Security Policy in it.

    If the ISO 20000 scope is not related to the information that is in the scope of the ISO 27001 and GDPR implementation, then you can use separate policies, because this way you would not define too strict limitations in your ISO 20000 implementation.

    This article will provide you with a further explanation about the integration of ISO 27001 and ISO 20000:

    These materials will also help you regarding ISO 27001 and ISO 20000:

  • Question about SaaMD

    Our ISO 13485:2016 & MDR documentation toolkit covers the requirements of the standard itself and the general requirements of the MDR. It does not cover the requirements of other standards required for a particular type of medical device. Thus, the toolkit does not cover the documentation requirements of IEC 62304:2006 Medical device software - Software life cycle processes.

    There are many types of medical products, and it is impossible to cover absolutely all the requirements for all types of medical products with one toolkit.

  • ISMS & BCMS risk assessment

    ISO 27001 does not prescribe how to evaluate risks, so you can choose the approach that better fits your needs.

    Considering that, you can use different scales for your ERM & BCMS and ISMS. This difference is not a reason to raise a nonconformity, but the auditor may inquire about the reason for using a different scale, since using a single scale can make your risk management process easier (you wouldn’t need to convert values to compare risks from different frameworks).

    These articles will provide you with a further explanation about risk assessment:
    - ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

    This material will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

  • How to write a proposal for ISO 27001& 9001 and Partnership

    Generally, the proposal is based on time, so you need to calculate the estimated time for the implementation. For the estimation of the time, see:
    - How long does it take to implement ISO 27001 / BS 25999? https://advisera.com/27001academy/blog/2011/11/08/how-long-does-it-take-to-implement-iso-27001-bs-25999/ - you should also note that this is the timing needed for companies that use our toolkits

    I suggest you use as a basis our free template "Project proposal for ISO 27001 / ISO 22301 implementation". You can download a copy at this link: https://info.advisera.com/27001academy/free-download/project-proposal-for-iso-27001-iso-22301-implementation-msword, and include some information related to ISO 9001:
    - ISO 27001 vs. ISO 9001 matrix https://info.advisera.com/9001academy/free-download/iso-9001-2015-vs-iso-27001-2013-matrix

    Additionally, you can prepare a presentation based on the template "Project proposal for ISO 27001 implementation" (you can download a copy at this link: https://info.advisera.com/27001academy/free-download/project-proposal-for-iso-27001-implementation-powerpoint).

    This set of documents, aimed at helping consultants, may help you: https://advisera.com/27001academy/consultants/
