Search results

ISO for reputation management

ISO has not released any new information about a standard for reputation management, but by searching on its site we found three standards that may help you:

• ISO 10668:2010 Brand valuation — Requirements for monetary brand valuation (https://www.iso.org/standard/46032.html): this published standard can help you evaluate your brand and report the results of such valuation.
•  ISO 20671, Brand evaluation – Principles and fundamentals (https://www.iso.org/standard/68786.html): specifies the fundamentals and principles for brand evaluation, including an integrated framework for brand evaluation containing necessary brand input elements, output dimensions, and sample indicators.  
•  ISO/CD 22361 Security and resilience — Crisis Management — Guidelines for developing a strategic capability (https://www.iso.org/standard/50267.html): under evaluation, this standard will help you manage situations that can impact the brand value.

For more information, please read: 

• What’s in a Brand? Quite a bit, actually https://www.iso.org/news/ref2486.html

Necessity of MDD and MDR for contract manufacturing companies

Sorry for the misunderstanding.

If you are a contract manufacturer, you need to have implemented ISO 13485. The question here is who certified the medical device. If your marketer is responsible for the CE marking of the medical device, then there is supposed to be a Quality agreement between you and your marketer. In that agreement must be stated mutual responsibilities.

Template of that agreement you can find in our documentation toolkit on the following link:

• Quality Agreement for Subcontractor https://advisera.com/13485academy/documentation/quality-agreement-for-subcontractor/

There are no strict requirements that you need to be certified according to the ISO 13485, but your marketer as CE mark holder must be.

Comprehensive Information Security Implementation

Please note that ISO 27701, like ISO 27001, are management systems standards, i.e., they define management systems requirements and controls for privacy information management and information security management, respectively, and other standards from ISO 27xxx series, like ISO 27002, ISO 27035, etc., provide orientation and guidance for their implementation (either for main requirements and security controls).

Considering that, they can make your implementation of ISO 27701 easier, but they are not mandatory for the implementation of ISO 27701.

These articles will provide you further explanation about ISO 27001 and ISO 27701:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- Relationship between ISO 27701, ISO 27001, and ISO 27002 https://advisera.com/27001academy/blog/2019/12/10/relationship-between-iso-27701-iso-27001-and-iso-27002/

These materials will also help you regarding ISO 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
 - ISO 27001 vs. ISO 27701 matrix (PDF) https://info.advisera.com/27001academy/free-download/iso-27001-vs-iso-27701-matrix

External Documents and the acceptable handling thereof

1 - Do I need to keep an explicit record, or may I argue that I can request any registered document from our Service desk? 
I require advice which external documents are required for the ISMS. Your colleague wrote:
“Examples of external documents are laws and regulations you need to comply with, documentation sent by your customers or suppliers, etc.
The identification of such documents can be made during identification of ISMS requirements and risk assessment.” 
The only external documents that we identified as pertaining to our ISMS might be the auditors reports and certificates.

Answer: Please note that if you can ensure the availability of registered documents stored in your Service Desk you do not need to keep a record on your own.

2 - Which “identification of ISMS requirements and risk assessment.” Is your colleague referring to?

I leave my questions at that. I am looking forward to some clarification and will continue from that.

Answer: Please note that “identification of ISMS requirements and risk assessment” are mandatory steps in the implementation of your ISO 27001 ISMS, and during these steps, you can identify needs to keep specific records.

For example, when identifying ISMS requirements, you may find that you need to comply with a law (e.g., EU GDPR), and for that, you need to keep some records (e.g., user consent for data processing). Additionally, during risk assessment, for the controls you find applicable, you will need to identify records to be kept for evidencing controls implementation (e.g., backup test report).

For further information, see:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

Requirements for ISO 27001 Certification

Please note that the required time for the ISMS to be operating before the certification audit is different from one certification body to the other - some require you to have ISMS in full operation for at least 3 months, while others do not have such criteria. The best would be if you ask for proposals from a couple of certification bodies, and ask them this specific question.

These articles may also help you:

• How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
• Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/

These materials can also help you:

• Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

How a repair under the ISO 13485 can be deemed acceptable?

If the repair process is not certified at the OEM, it means that the original manufacturer has to have control over that process. It is usually carried out that the original manufacturer prepares the necessary documents for repair and necessary forms that will be proof that some repair has been conducted and give those documents to the OEM. In a Quality agreement between manufacturer and OEM, this should be stated together with the description of the control that the manufacturer will perform over the OEM repair process. One way to control the repair process is to conduct an audit at the OEM, so-called supplier audit.

Information on performing a supplier audit according to ISO 13485, you can find in the following link:

• How to perform a supplier audit according to ISO 13485 https://advisera.com/13485academy/blog/2021/03/29/how-to-perform-a-supplier-audit-according-to-iso-13485/

• ISO 14001 Clause 4.2

  Each organization decides who are their interested parties. According to my experience, interested parties include more than just suppliers. For example, customers, neighbors, local authority, and government. For these groups, it makes more sense to think about their needs and expectations. For example, neighbors want peace and quiet, local authorities want jobs, and compliance with compliance obligations, customers want things like competitive price, delivery times met, a product with the agreed quality, guarantee of supply, (quality control system, respect for the environment, environmental certification).

  You can also include suppliers, in that case perhaps their needs and expectations are around things like orders, quantity minimums, timely payment, new products/services.

  Although about ISO 9001, perhaps the technique that I use and present in this free webinar on-demand - Context of the organization, interested parties, and scope - - may be useful for you.

  The following material will provide you more information:

  • How to determine interested parties according to ISO 14001:2015 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/how-to-determine-interested-parties-according-to-iso-140012015/
  • Enroll for free in the course - ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
  • Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
     

• Secure System Engineering Principles

  For ISO 27001, secure engineering principles are the high-level rules defined to apply security in software development (e.g., Assure information protection in processing, transit, and storage). This standard defines the control A.14.2.5 Secure system engineering principles to be implemented if you have relevant risks or legal requirements to justify its implementation.

  Regarding the required documentation level, ISO 27001 does not prescribe any documentation level, so organizations are free to use the document level that best suits their needs. For example, you can define security principles as statements in a policy (e.g., security must be considered in business, data, application, and technological layers, security must balance protection and accessibility needs, etc. ), or you can provide them as detailed engineering procedures on how they must be implemented.

  To see an example of a document that covers this control in a policy, I suggest you take a look at the free demo of this template: https://advisera.com/27001academy/documentation/secure-development-policy/

  These articles will provide you a further explanation about secure engineering principles:

  • How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
  • What are secure engineering principles in ISO 27001:2013 control A.14.2.5? https://advisera.com/27001academy/blog/2015/08/31/what-are-secure-engineering-principles-in-iso-270012013-control-a-14-2-5/

• ISMS Risk Survey

  The most common way to perform ISO 27001 risk assessment is through the asset-threat-vulnerability approach, which can also be applicable to other business processes, because it is based on assets (elements with value to the organizations), and this concept can be applied to other processes in the organization. For example, you can use an asset called management report to identity risks for your ISMS and other processes that uses such asset (e.g., financial management report).

  To see a list of threats and vulnerabilities you can use not only for ISMS risk assessment, but also for other business processes, see:
  - Catalogue of threats & vulnerabilities https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/

  To see how to perform a risk assessment compliant with ISO 27001, see:
  - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

  The template for Risk assessment has examples of assets, threats and vulnerabilities you can use.

  To see how documents to perform a risk assessment compliant with ISO 27001 looks like, please see: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

  This material will also help you regarding ISO 27001 risk assessment:
  - https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process.