Search results

ISO 9001 Engineering drawing

Unfortunately, there is no guide.  ISO 9001 has no universal guide for archiving records. It is up to each organization to decide how to do it.

Records are like the memory of an organization. Without memory, learning happens very slowly.

Two things about records: accessibility and protection.

How authorized persons can easily find the records they are searching for: where are they located, how are they compiled (topic), how are they organized (how to search – date, alphabetically, numerically, …), for how long they will be kept?

About protection think about how to guarantee that unauthorized persons have access to them, think about how to protect them from accidents (fire, flood, …)

You can find more information about documentation below:

• New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
• Some tips to make Document Control more useful for your QMS - https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
• Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
   

Política de uso de criptografia

Para mais informações sobre o uso de criptografia de acordo com a ISSO 27001, por favor veja:

• How to use the cryptography according to ISO 27001 control A.10 https://advisera.com/27001academy/how-to-use-the-cryptography-according-to-iso-27001/

Este material também pode ser útil:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

Caso você ainda tenha alguma dúvida específica, você pode fazer uma pergunta em nossa comunidade: https://community.advisera.com/

Encryption Use Policy

For more information on the use of encryption according to ISO 27001, please see:

• How to use the cryptography according to ISO 27001 control A.10 https://advisera.com/27001academy/how-to-use-the-cryptography-according-to-iso-27001/

This material will also help you regarding cryptography:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

If you still have a specific question, you can ask a question in our community: https://community.advisera.com/

Additional requirement to ISO13485 that has to be addressed for MDSAP

The Medical Device Single Audit Program (MDSAP) is a program that allows the conduct of a single regulatory audit of a medical device manufacturer’s quality management system that satisfies the requirements of multiple regulatory jurisdictions.

MDSAP is based on ISO 9001:2015 so the following aspects are not covered in the ISO 13485:2016:

• Context of the manufacturer
• Interested parties
• Business risk assessment

What are more differences between ISO 9001:2015 and ISO 13485:2016 you can see on the following link:

• Similarities and differences between ISO 9001:2015 and ISO 13485:2016 https://advisera.com/9001academy/blog/2015/01/21/iso-9001-vs-iso-13485/

• ISMS Controls

  1 - I would like to know more about the Controls, are there any categories for controls ??

  The 114 controls from ISO 27001 Annex A are organized into 14 sections (domains):

  • A.5 Information security policies – controls on how the policies are written and reviewed
  • A.6 Organization of information security – controls on how the responsibilities are assigned; also includes the controls for mobile devices and teleworking
  • A.7 Human resources security – controls prior to employment, during, and after the employment
  • A.8 Asset management – controls related to inventory of assets and acceptable use; also for information classification and media handling
  • A.9 Access control – controls for the management of access rights of users, systems, and applications, and for the management of user responsibilities
  • A.10 Cryptography – controls related to encryption and key management
  • A.11 Physical and environmental security – controls defining secure areas, entry controls, protection against threats, equipment security, secure disposal, Clear Desk, and Clear Screen Policy, etc.
  • A.12 Operational security – lots of controls related to the management of IT production: change management, capacity management, malware, backup, logging, monitoring, installation, vulnerabilities, etc.
  • A.13 Communications security – controls related to network security, segregation, network services, transfer of information, messaging, etc.
  • A.14 System acquisition, development, and maintenance – controls defining security requirements, and security in development and support processes
  • A.15 Supplier relationships – controls on what to include in agreements, and how to monitor the suppliers
  • A.16 Information security incident management – controls for reporting events and weaknesses, defining responsibilities, response procedures, and collection of evidence
  • A.17 Information security aspects of business continuity management – control requiring the planning of business continuity, procedures, verification and reviewing, and IT redundancy
  • A.18 Compliance – controls requiring the identification of applicable laws and regulations, intellectual property protection, personal data protection, and reviews of information security

  For further information, see:

  • A quick guide to ISO 27001 controls from Annex A https://advisera.com/27001academy/iso-27001-controls/

  This material also can help you:

  • ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

  2 - Important controls / not so important controls ??

  Please note that controls' importance will depend on the results of risk assessment and applicable legal requirements, so before getting this information you should avoid trying to give some importance degree to controls, because you risk super estimating or underestimating controls, and this can negatively impact your risk management process.

  This article will provide you a further explanation about selecting controls:

  • The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

  This material will also help you regarding risk management:

  • Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

• Business abiding by ISO 27001 when using BYOD policy

  First of all, you have to perform a risk assessment to identify which risks related to BYOD practice you have to treat, and which legal requirements (e.g., clauses of contracts, laws, or regulations) you have to fulfill. After that, you have to identify proper controls to be implemented. In general, to secure BYOD practices you have to consider the following controls:

  • A.6.2.1 Mobile device policy
  • A.6.2.2 Teleworking
  • A.13.2.1 Information transfer policies and procedures
  • A.13.2.3 Electronic messaging

  Normally, these are implemented through a BYOD policy, which you can see how it looks like at this link: https://advisera.com/27001academy/documentation/bring-your-own-device-byod-policy/

  This article will provide you a further explanation about BYOD policy:

  • How to write an easy-to-use BYOD policy compliant with ISO 27001 https://advisera.com/27001academy/blog/2015/09/07/how-to-write-an-easy-to-use-byod-policy-compliant-with-iso-27001/

  These materials will also help you regarding BYOD policy and for training and awareness:

  • ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.

• Fulfilling documentation requirements of ISO 13485 and MDR in Quality Management System and demonstrating it in matrix

  MDR requires manufacturers to have implemented a quality management system. Requirements regarding the quality management system are stated in Article 10, clause 9. All requirements from the ISO 13485 are in that clause. However, there are some additional requirements like the requirement to document strategy for regulatory compliance, to document the process of issuing UDI number, and fulfillment of the General safety and performance requirements.

  Therefore, if you have prepared the QMS according to the ISO 13485, all you have to do is:

  • to prepare those additional requirements and put them on the list of documents
  • to define who is responsible for performing those processes.

  For more information, see:

  • EU MDR Article 10 https://advisera.com/13485academy/mdr/general-obligations-of-manufacturers/
  On the following link you can see how our documentation toolkit looks like:
  • ISO 13485 & MDR Integrated Documentation Toolkit https://advisera.com/13485academy/iso-13485-eu-mdr-documentation-toolkit/

  Following link regarding the documentation requirements for both ISO 13485 and MDR can be helpful:

  • EU MDR Checklist of Mandatory Documents https://info.advisera.com/13485academy/free-download/eu-mdr-checklist-of-mandatory-documents

• Electronic File/Folder structure SOP

  ISO 27001, like other ISO management standards, has requirements for document and records management you can use to define how to create, approve, review, distribute, and communicate them, among other things.

  Considering electronic documents and records, if the quantity of them is not so big you can consider organizing them in folders identified by each section of the standard which requires them (e.g., in folder named "Information Security Policy" you can store the Information security policy, in folder "Risk assessment and Treatment" you can store documents and records related to the risk management process, etc.)

  If the quantity of documents is big, you should consider a document management solution (you can see an example of such solution in our platform Conformio at this link: https://advisera.com/conformio/)

  For physical records, you should consider a central cabinet to store them, adopting a folder structure similar to the electronic documents.

  To see how a procedure to control documents and records compliant with ISO 27001, please take a look at the free demo of this template: https://advisera.com/27001academy/documentation/procedure-for-document-and-record-control/

  These articles will provide you a further explanation about document and record management:
  - Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
  - Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

  These materials will also help you regarding document and record management:
  - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• ISO 9001 Warehouses

  ISO 9001:2015 is not about departments but about processes.

  What kind of processes happen at a warehouse?

  • Reception of materials and goods
  • Expedition of materials and goods 

  Reception starts with quality control, then identification, then storage, then supply to production.

  Expedition may start with quality control, then identification, then packaging, then storage, then expedition.

  Clauses related with that can be:

  • 6.1 risks about can happen in the warehouse
  • 7.1.3 maintenance of hardware, software, communications, facilities and transport
  • 7.1.4 relevant requirements about the work environment
  • 7.2 people working at the warehouse is competent
  • 8.4 purchasing information, quality control requirements
  • 8.5.2 identification and traceability
  • 8.5.3 property belonging to clients and external providers
  • 8.5.4 preservation
  • 8.6 quality control
  • 8.7 treating nonconformities 

  You can find more information below:

  • How ISO 9001 improves shipping procedures - https://advisera.com/9001academy/blog/2019/07/09/how-iso-9001-improves-shipping-procedures/
  • Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
     

• ISO 9001 Risk Assessment

  ISO 9001:2015 has no mandatory requirements concerning risks and opportunities – please check this article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/ . So, whatever the method used by your organization to document and evaluate your risk assessment is valid if it suits your needs. Without knowing your particular approach is very difficult to help you.

  You can find more information below:

  • How to address risks and opportunities in ISO 9001:  https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
  • How to identify risk significance in ISO 9001:2015 - https://advisera.com/9001academy/blog/2019/01/14/how-to-identify-risk-significance-in-iso-90012015/
  • For a free preview of an example of the Registry of Key Risks and Opportunities - https://advisera.com/9001academy/documentation/registry-of-key-risks-and-opportunities/
  • Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/