Please note that ISO 27002 is not mandatory to implement ISO 27001, so you only need to use information from ISO 27002 when you find it useful for the controls you need to implement.
These articles will provide you with a further explanation about ISO 27001 controls and ISO 27002:
These materials will also help you regarding ISO 27001 controls:
Please note that ISO 27001 does not prescribe how to determine risk level, only that it needs to be determined, so your risk assessment matrix can be used to fulfill the standard’s requirements.
Only a minor suggestion to be considered (you can keep the current matrix if you like): instead of using “improbable-possible-probable”, adopt “improbable-probable-most probable”, because this way you use the same base word (probable) for the likelihood scale, making it simpler to understand, and at the same time avoiding the use of words “probable” and “possible” in the same scale, since these words can be mistaken as synonyms in some circumstances, creating confusion.
This article will provide you with a further explanation about risk analysis:
This material will also help you regarding risk assessment:
1. Please confirm that the following versions of the Mandatory Documents are the latest/current versions: ISO 27001 – ver 3.9, 2020-02-10
Yes, the version you stated is the latest/current version.
2. Within the ISO 27001 Documentation Toolkit List (see attachment 27001A):
No. 57, Doc Code 10, Internal Audit Procedure: this does not have a green check mark as a Mandatory Document; however, No. 58 and 59, Appendix 1 and 2, have a green check mark for a mandatory document. Should the Procedure for Internal Audit be checked as a mandatory document? See attachment 27001A, Screenshot 1.
No. 21 – 25: although these are not checked as Mandatory Documents, do we still need to create policies for them and for all other documents/appendixes that are not checked as well? See Screenshot 2. Would this question apply to the ISO 20000 Documentation Toolkit as well?
Regarding Docs 57 to 59, please note that ISO 27001 does not require an Internal Audit procedure to be documented, only the documentation of the audit program(s) and the audit results.
Regarding Docs 21 to 25, the controls related to them only require practices to be implemented, not the development of documentation. For controls related to these documents, a brief description in the Statement of Applicability about how they are implemented would be enough. The templates are provided because most organizations consider them good practice, even if they are not mandatory by the standard.
Regarding Doc 26, control A.12.1.1 (Documented operating procedures), covered by this template, requires operating procedures to be implemented, so if this control is applicable in your case you need to document the procedures.
Yes, our ISO 13485 Documentation Toolkit is compliant with 21 CFR part 80, especially in light of the resolution from fall 2020 in which the FDA intends to harmonize and modernize the Quality System regulation for medical devices. The revisions will update the existing requirements with the specifications of an international consensus standard for medical device manufacturers, ISO 13485:2016. The revisions are intended to promote the use of more modern risk management principles and reduce regulatory burdens on device manufacturers and importers by harmonizing domestic and international requirements.
More information on this resolution can be found at the following link:
You can see how our ISO 13485:2016 documentation toolkit is structured, and a preview of it, at the following link: https://advisera.com/13485academy/iso-13485-documentation-toolkit/
Firstly, how would the pack apply to Software as a Medical Device (SaMD)? Looking at the preview, there is a lot that seems unnecessary, as it is focused on the development of a physical product.
Yes, you are right, there are some procedures that you do not need as a manufacturer of software, like the Procedure for sterilization or the work environment procedure. However, all other procedures are applicable to you as to any other manufacturer. I understand that your dilemma is whether to buy the whole toolkit or just some of its parts. Our sales team will let you know which option is best for you in this case.
Secondly, on the software front, where would Software Requirements be specified (e.g. an SRS document)? Is this kept as an external document and referenced? On a similar line, what about Software Testing (e.g. unit testing, user testing)? Would you again keep an external record and link to it in the “Record of Software Validation”?
Software Requirements can be kept as an external document because they are rather specific to each piece of software.
For any software testing that is necessary to be performed due to IEC 62304:2006 Medical device software — Software life cycle processes, we do not have such a template. This Documentation toolkit is concentrated on the requirements from ISO 13485 and general aspects of MDR. Since there is such a variety of medical devices, it was not possible to prepare templates for all kinds of tests.
If the purpose of processing is the same as the one for which the email address was given, you can use the emails. You need to evaluate whether your clients can reasonably expect to receive those surveys. If the answer is no, you will need consent; otherwise, you can send the NPS survey.
EU GDPR is a general regulation that applies all across Europe. However, EU Member State laws, such as the German Data Protection law, have implemented the EU GDPR in some specific fields, like employment, health data, children's data, consumer protection, etc. You need to consider the purpose of processing and how you will process those data. Are you asking for information about a particular category of personal data, i.e., is the survey on political opinions or sexual orientation?
You also need to consider whether the data collected are anonymized, whether they are transferred, and whether there is any personal profiling or automated decision-making.
All these elements will have an impact on how the GDPR will apply to the online survey.
Here you can find more information about German data protection law, GDPR, and data processing:
If you want to learn how to comply with EU GDPR requirements you may consider enrolling in our free training EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course//
Intended use is covered in the Integrated Technical File and in both the Clinical Evaluation Plan and the Clinical Evaluation Report.
Please note that the standard itself states in its introduction that adopting an information security management system (ISMS) is a strategic decision for an organization.
Considering that, using ISO 27001 to implement an ISMS can be seen as an unfolding of the Information Security (IS) strategy, i.e., as a tactical element (because an ISMS can be implemented using other frameworks, like the NIST Cyber Security Framework - CSF).
These articles will provide you with a further explanation about ISO 27001 application:
These materials will also help you regarding ISO 27001:
The wording to be used is the UK General Data Protection Regulation (UK GDPR). It is enforced by the Data Protection Act 2018.
The name is similar because it comes from the EU Withdrawal Act 2018, which allowed the UK Government to retain EU legislation while making some adjustments to adapt it to the domestic legal system, so they replaced any reference to the EU with a reference to the UK.