
  • External Documents and the acceptable handling thereof

    1 - Do I need to keep an explicit record, or may I argue that I can request any registered document from our Service desk?
    I require advice on which external documents are required for the ISMS. Your colleague wrote:
    “Examples of external documents are laws and regulations you need to comply with, documentation sent by your customers or suppliers, etc.
    The identification of such documents can be made during identification of ISMS requirements and risk assessment.” 
    The only external documents that we identified as pertaining to our ISMS might be the auditors reports and certificates.

    Answer: Please note that if you can ensure the availability of registered documents stored in your Service Desk you do not need to keep a record on your own.

    2 - Which “identification of ISMS requirements and risk assessment” is your colleague referring to?

    I leave my questions at that. I am looking forward to some clarification and will continue from that.

    Answer: Please note that “identification of ISMS requirements and risk assessment” are mandatory steps in the implementation of your ISO 27001 ISMS, and during these steps, you can identify needs to keep specific records.

    For example, when identifying ISMS requirements, you may find that you need to comply with a law (e.g., EU GDPR), and for that, you need to keep some records (e.g., user consent for data processing). Additionally, during risk assessment, for the controls you find applicable, you will need to identify records to be kept for evidencing controls implementation (e.g., backup test report).

    For further information, see:
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

  • Requirements for ISO 27001 Certification

    Please note that the required time for the ISMS to be operating before the certification audit is different from one certification body to the other - some require you to have ISMS in full operation for at least 3 months, while others do not have such criteria. The best would be if you ask for proposals from a couple of certification bodies, and ask them this specific question.


  • How a repair under the ISO 13485 can be deemed acceptable?

    If the repair process is not certified at the OEM, it means that the original manufacturer has to have control over that process. Usually, the original manufacturer prepares the necessary documents for repair and the necessary forms that will be proof that some repair has been conducted, and gives those documents to the OEM. In a Quality agreement between the manufacturer and the OEM, this should be stated together with the description of the control that the manufacturer will perform over the OEM repair process. One way to control the repair process is to conduct an audit at the OEM, a so-called supplier audit.

    Information on performing a supplier audit according to ISO 13485 can be found at the following link:

    • How to perform a supplier audit according to ISO 13485 https://advisera.com/13485academy/blog/2021/03/29/how-to-perform-a-supplier-audit-according-to-iso-13485/

    • ISO 14001 Clause 4.2

      Each organization decides who are their interested parties. According to my experience, interested parties include more than just suppliers. For example, customers, neighbors, local authority, and government. For these groups, it makes more sense to think about their needs and expectations. For example, neighbors want peace and quiet, local authorities want jobs, and compliance with compliance obligations, customers want things like competitive price, delivery times met, a product with the agreed quality, guarantee of supply, (quality control system, respect for the environment, environmental certification).

      You can also include suppliers, in that case perhaps their needs and expectations are around things like orders, quantity minimums, timely payment, new products/services.

      Although about ISO 9001, perhaps the technique that I use and present in this free webinar on-demand - Context of the organization, interested parties, and scope - may be useful for you.


    • Secure System Engineering Principles

      For ISO 27001, secure engineering principles are the high-level rules defined to apply security in software development (e.g., Assure information protection in processing, transit, and storage). This standard defines the control A.14.2.5 Secure system engineering principles to be implemented if you have relevant risks or legal requirements to justify its implementation.

      Regarding the required documentation level, ISO 27001 does not prescribe any documentation level, so organizations are free to use the document level that best suits their needs. For example, you can define security principles as statements in a policy (e.g., security must be considered in business, data, application, and technological layers; security must balance protection and accessibility needs; etc.), or you can provide them as detailed engineering procedures on how they must be implemented.

      To see an example of a document that covers this control in a policy, I suggest you take a look at the free demo of this template: https://advisera.com/27001academy/documentation/secure-development-policy/


    • ISMS Risk Survey

      The most common way to perform ISO 27001 risk assessment is through the asset-threat-vulnerability approach, which can also be applicable to other business processes, because it is based on assets (elements with value to the organization), and this concept can be applied to other processes in the organization. For example, you can use an asset called management report to identify risks for your ISMS and other processes that use such an asset (e.g., financial management report).

      To see a list of threats and vulnerabilities you can use not only for ISMS risk assessment, but also for other business processes, see:
      - Catalogue of threats & vulnerabilities https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/

      To see how to perform a risk assessment compliant with ISO 27001, see:
      - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

      The template for Risk assessment has examples of assets, threats and vulnerabilities you can use.

      To see what documents for performing a risk assessment compliant with ISO 27001 look like, please see: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

      This material will also help you regarding ISO 27001 risk assessment:
      - https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process

    • Critical non-conformities

      Nonconformance is not necessarily a bad thing because each non-conformance is an opportunity for improvement. ISO 13485, in sections 8.3 Control of non-conforming products and 8.5.2 Corrective action, includes clear and in-depth guidance on how to respond to any nonconformity discovered through your processes, connected with customer complaints, or conducted audits (both external and internal).

      The potential impact of non-conformity on your organization depends on the size and type of the nonconformance. When critical issues are discovered in the production process, this may lead to the production of an unsafe medical device. Unsafe medical devices present risks not only for the patient/end-user, but also for your company, because your company’s rating can be compromised.

      If Top management needs to be involved in solving critical non-conformities by ensuring certain resources (financial, infrastructure, or human), they must be aware of the consequences that not solving non-conformities may have.

      So, prepare a full explanation of what the consequences are if you do not resolve the nonconformity and provide that evidence to Top management. If Top management has no ear for this, you can always contact the Board of Directors, the owner, or some other entity that is above your boss.

    • MDR classification

      Rule 9 considers active therapeutic devices intended to administer or exchange energy, while lung ventilators are monitoring devices. According to the MDR, active monitoring devices of vital physiological processes are covered in Rule 10.

    • Is a DPO required?

      It depends on the type of data you process. If your software processes the special categories of data (the so-called sensitive data, such as data on health, sexual orientation, political opinions, etc.), you may need a DPO; otherwise, you do not fall within the cases indicated in Art. 37 GDPR.

      If you want to learn more about applying the GDPR, you can enrol in our free online course EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course//

      To learn the requirements for the DPO, you can enrol in our free online course EU GDPR Data Protection Officer Course https://advisera.com/training/eu-gdpr-data-protection-officer-course/

    • Information security policy

      ISO 27001 mentions the following policies: 

      - Information Security Policy
      - Mobile device policy
      - Access control policy
      - Policy on the use of cryptographic controls
      - Clear desk and clear screen policy
      - Secure development policy
      - Information security policy for supplier relationships

      According to ISO 27001, only the Information Security Policy must be approved by the top management (clause 5.2) - all the other mentioned policies are operational policies that are almost never approved by the top management.

      You might try to change the names of operational policies to "procedures", however then you risk having problems at the certification audit. The name of the Information Security Policy should not be changed to procedure because the auditor would certainly raise a nonconformity for that.
