
  • 27001 questions

    1. Please confirm the following versions of the Mandatory Documents the latest/current versions: ISO 27001 – ver 3.9, 2020-02-10

    Yes, the version you stated is the latest/current version.

    2. Within the ISO 27001 Documentation Toolkit List See attachment 27001A

    No. 57, Doc Code 10, Internal Audit Procedure: This does not have a green check mark as a Mandatory Document, however No. 58 and 59 Appendix 1 and 2 has a green check mark for a mandatory document.  Should the Procedure for Internal Audit be checked as a mandatory document?  See attachment 27001A Screenshot 1.
    No. 21 – 25, although these are not checked as a Mandatory Document, do we still need to create policies for them and all other documents/appendixes that are not checked as well?  See screenshot 2. This question would apply to ISO 20000 Document Toolkit as well?

    Regarding Docs 57 to 59, please note that ISO 27001 does not require an Internal Audit procedure to be documented, only the documentation of the audit program(s) and the audit results.

    Regarding Docs 21 to 25, controls related to them only require practices to be implemented, not the development of documentation. For controls related to these documents, a brief description in the Statement of Applicability about how they are implemented would be enough. The templates are provided because most organizations consider them good practice, even if they are not mandatory by the standard.

    Regarding Doc 26, control A.12.1.1 (Documented operating procedures), covered by this template, requires operating procedures to be implemented, so if this control is applicable in your case you need to document the procedures.

  • Would ISO 13485 be compliant with 21 CFR part 820?

    Yes, our ISO 13485 Documentation toolkit is compliant with 21 CFR part 820, especially given the resolution from fall 2020 in which the FDA stated its intent to harmonize and modernize the Quality System regulation for medical devices. The revisions will update the existing requirements with the specifications of an international consensus standard for medical device manufacturers, ISO 13485:2016. The revisions are intended to promote the use of more modern risk management principles and reduce regulatory burdens on device manufacturers and importers by harmonizing domestic and international requirements.

    More information on this resolution can be found at the following link:

    The situation with ISO 13485 worldwide can be seen at the following link: At the following link, you can find the differences and similarities between FDA 21 CFR Part 820 and ISO 13485:

    You can see how our ISO 13485:2016 documentation toolkit is structured, and preview it, at the following link: https://advisera.com/13485academy/iso-13485-documentation-toolkit/

  • Software Requirements

    Firstly, how would the pack apply to Software as a Medical Device (SaMD)? Looking at the preview there is a lot that seems unnecessary as it is focused on the development of a physical product?

    Yes, you are right, there are some procedures that you do not need as a manufacturer of software, like the Procedure for sterilization or work environment. However, all other procedures are applicable to you as to any other manufacturer. I understand that your dilemma is whether to buy the whole toolkit or just some of its parts. Our sales team will advise you on which option is best for you in this case.

    Secondly, on the software front where would Software Requirements be specified (e.g SRS Doc) is this kept as an external doc and referenced? On a similar line, what about Software Testing (e.g. unit testing, user testing)? Would you again keep an external record and link to it in the “Record of Software Validation”?

    Software Requirements can be kept as an external document because they are rather specific to each software product.

    For any software testing that needs to be performed under IEC 62304:2006 Medical device software — Software life cycle processes, we do not have such a template. This Documentation toolkit concentrates on the requirements of ISO 13485 and the general aspects of the MDR. Since there is such a variety of medical devices, it was not possible to prepare templates for all kinds of tests.

  • NPS form - GDPR Rules

    If the purpose of processing is the same as the one for which the email was given, you can use the emails. You need to evaluate whether your clients can reasonably expect to receive those surveys. If the answer is no, you will need consent; otherwise, you can send the NPS survey.

  • How does German law GDPR apply to online surveys?

    EU GDPR is a general regulation that applies all across Europe. However, as an EU Member State, Germany has implemented the EU GDPR in its Data Protection law in some specific fields, like employment, health data, children's data, consumer protection, etc. You need to consider the purpose of processing and how you will process those data. Are you asking for information about a particular category of personal data? I.e., is the survey on political opinions or sexual orientation?

    You also need to consider whether the data collected are anonymized, whether they are transferred, and whether there is any personal profiling or automated decision-making.

    All these elements will have an impact on how the GDPR will apply to the online survey.

    Here you can find more information about German data protection law, the GDPR, and data processing:

    If you want to learn how to comply with EU GDPR requirements, you may consider enrolling in our free EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course/

  • Section about intended use

    Intended use is covered in the Technical file Integrated, and in both the Clinical evaluation plan and the Clinical evaluation report.

  • Relation between ISO 27001 and the IS strategy

    Please note that the standard itself states in its introduction that adopting an information security management system (ISMS) is a strategic decision for an organization.

    Considering that, using ISO 27001 to implement an ISMS can be seen as an unfolding of the Information Security (IS) strategy, i.e., as a tactical element (because an ISMS can be implemented using other frameworks, like the NIST Cyber Security Framework - CSF).

    These articles will provide you with further explanation about ISO 27001 application:

    These materials will also help you regarding ISO 27001:

  • Wordage to make the below (EU GDPR) into the UK GDPR equivalent

    The wording to be used is the UK General Data Protection Regulation (UK GDPR). It is enforced by the Data Protection Act 2018.

    The name is similar because it comes from the EU Withdrawal Act 2018, which allowed the UK Government to retain EU legislation while making some adjustments to adapt it to the domestic legal system, so they replaced any reference to the EU with a reference to the UK.

  • ISO 27001, ISO 20000, ISO 9001 question

    1. Is there a possibility to integrate ISO 9001 with 20000, or is this not recommendable? If this is not recommendable, how will the usage of the three management systems according to the three standards (9001, 20000, 27001) be facilitated?

    ISO 27001, ISO 20000, and ISO 9001 share some common requirements that can be fulfilled by the same documents with minor adjustments (this makes integration highly recommendable), like document control procedure, internal audit, and management review. For requirements specific to each standard, you will need to develop specific documents.

    There is no specific procedure for such integration, but broadly speaking you can follow the steps to implement ISO 27001 and use the following material to identify when common requirements can be integrated:

    For further information, see:

    2. What outcomes could be expected within the certification process, provided that we have developed the systems in compliance with the applicable standards, for:

           a. One integrated management system?

           b. Separate systems for each of the three standards?

           c. One system for 27001 and one system integrating 9001 and 20000, each of them with different scope?

    Please note that this answer will depend on your chosen certification body, because some of them are able to perform integrated systems certification audits.

    Considering that, you need to contact your chosen certification body so you can clarify this information with them.

    This article will provide you with further explanation about the certification audit:

    These materials will also help you regarding the certification audit:

  • Describing assessment of confidentiality

    1 - Doesn't ISO 27001 have to describe an assessment of confidentiality, integrity and availability? In the risk analysis, I only evaluate according to threat and weakness. These have an effect on confidentiality, integrity and availability.

    Please note that ISO 27001 does not prescribe any approach for risk assessment, so organizations can choose the method that best suits their needs.

    Considering that, if your chosen method complies with the requirements of clause 6.1.2 (Information security risk assessment), it is acceptable under the standard's requirements.

    In your case, if you assess threats and weaknesses in terms of loss of confidentiality, integrity, and availability of information, then your approach is compliant with this requirement of the standard.

    In case you are looking for a reference for information security risk assessment and treatment, you can consider ISO 27005, the ISO standard for information security risk management.

    To see what a risk assessment and treatment methodology compliant with ISO 27001 looks like, please access the free demo of this template: https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/

    This article will provide you with further explanation about risk assessment:

    These materials will also help you regarding information security risk management:

    2 - For example, I find the Business Impact Analysis at the BSI. Don't I have to do this in ISO 27001 as well?

    Please note that ISO 27001 does not require a Business Impact Analysis to be performed. The ISO 27001 core processes are risk assessment and risk treatment. Business Impact Analysis is a requirement of ISO 22301, the ISO standard for business continuity management.

    For further information, see:
