Search results

ISO 9001 and ISO 13485 PMS

No, when performing PMS/PSUR, you need to cover only medical devices.

ISO 9001 for Law firms

Requirements for ISO 9001:2015 certification of a law firm is similar to any other organization. Having a quality management system designed and implemented according to the standard.

First, I would decide the scope of the quality management system. Is it applicable to all areas and services or just for some?

If you are starting a project to implement ISO 9001:2015:

Setup a project sponsor, a project manager, and a project team. Ensure top management support, get training about the standard. Designing and implementing a quality management system implies being knowledgeable about ISO 9001:2015.
As a first step perform a Gap analysis, to determine the amount of work to be done - comparing what your organization already has in place versus ISO 9001:2015 requirements. From that GAP Analysis, you can develop your Project Plan, listing what needs to be done, by whom, until when.

From there it is implementation in order to close the gaps found. Then, perform an internal audit and the management review. There you can decide if your organization is ready for a certification audit.

To speed up the process you can use our Documentation Toolkit for the implementation of ISO 9001:2015 here - https://advisera.com/9001academy/iso-9001-documentation-toolkit/ and check the free previews. You can also watch this free webinar on-demand - How to use a Documentation Toolkit for the implementation of ISO 9001 - https://advisera.com/9001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-9001-free-webinar-on-demand/

Time to implement from scratch and be certified, with our Toolkit Documentation, can take:

Companies of up to 10 employees - up to 3 months
Up to 50 employees – up to 3 to 6 months
Up to 200 employees – up to 6 to 10 months
More than 200 employees – up to 10 to 20 months
 

This is a very short description of the journey but below you can find more detailed information:

You can find more information below:

• How ISO 9001 improves shipping procedures - https://advisera.com/9001academy/blog/2019/07/09/how-iso-9001-improves-shipping-procedures/
• Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
• How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
• Free Gap Analysis Tool - https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
  Should you use a gap analysis in your ISO 9001 implementation? -https://advisera.com/9001academy/17/use-gap-analysis-iso-9001-implementation/
• Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
• ISO 9001 Implementation diagram - https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram
• How to budget an ISO 9001 implementation project - https://info.advisera.com/9001academy/free-download/how-to-budget-an-iso-9001-implementation-project?utm_source=script-for-iso-9001-lead-implementer-course&utm_medium=downloaded-content&utm_content=lang-en&utm_campaign=free-downloads-9001
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

ISO 13485 and cleaning process

Cleaning is covered in the ISO 13485 in the following requirements: 6.4.1 Work environment and 6.4.2 Contamination control. There is no instruction how cleaning should be performed, there is even criteria which would be the required level of cleanliness for a particular product.  It is manufacturer responsibility  to define the requirements for health, cleanliness, clothing of personnel, contamination control.

For more information on this topic, please see following article:

• Managing cleanliness of a product and contamination control according to ISO 13485:2016 https://advisera.com/13485academy/blog/2017/07/04/managing-cleanliness-of-a-product-and-contamination-control-according-to-iso-134852016/

You can see in our ISO 13485:2016 Documentation toolkit how this procedure looks like:

• Procedure for Infrastructure and Work Environment https://advisera.com/13485academy/documentation/procedure-for-infrastructure-and-work-environment-iso-13485-2016/

• GDPR restrictions for Hotel e-check in

  I am a software engineer and I am building a software product referring to hotels. The main goal is to allow hotel customers to checkin prior to their physical presence on the hotel from their mobile device.

  From a bussiness point of view this is a three-step process:
  1. The user takes a photograph of their personal ID or their passport.
  2. The user fills out a form with all the details of the hotel's terms of service.
  3. This user digitally signs for all the above.

  There is no technical issue on performing these operations. However questions arise concerning GDPR restrictions on how to forward the files to the hotel stuff.

  Should I store these files on the server then send them with an email to the hotel stuff and then delete them?

  Is there any other recommended way of doing this proceess?

• Control of records ISO 9001

  I hope I understood your question. ISO 9001:2015 speaks about “documented information”, and documented information should be maintained or retained.

  ISO 9001 versions, before 2015, used the words “documents” and “records”. When ISO 9001:2015 mentions “maintain documented information” it is mentioning document control according to previous versions.

  When ISO 9001:2015 mentions “retain documented information” it is mentioning record control according to previous versions.

  You can find more information about documentation below:

  • New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
  • Some tips to make Document Control more useful for your QMS - https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
  • Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

• Can we be GDPR and ISO 27001 compliant with 1 employee?

  ISO 27001 was designed to be applicable to organizations of any size and industry, so it is possible to be compliant with this standard with only one employee, as well as when working with freelancers/consultants.
   
  GDPR refers to the process of personal data by organizations/professionals so it is not referred to dimensions, since it is applicable also to professionals, sole traders, and freelancers. The implementation depends on the kind of data processed.

  These articles will provide you a further explanation about ISO 27001 and GDPR:

  • What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
  • Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/
  • 9 steps for implementing GDPR https://advisera.com/articles/9-steps-for-implementing-gdpr/
  • Is the GDPR applicable to our company? https://advisera.com/eugdpracademy/knowledgebase/who-needs-to-be-gdpr-compliant-an-easy-explanation/

  These materials will also help you regarding ISO 27001 and GDPR:

  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • List of mandatory documents required by EU GDPR https://advisera.com/articles/list-of-mandatory-documents-required-by-eu-gdpr/
  • EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course//

• Including SOC 2 controls in SoA

  1. Are we required to include the SOC2 controls in the ISO 27001 Statement of Applicability?

  In case the SOC2 controls are applied to elements included in the ISMS scope, then you need to include them in the Statement of Applicability, but please note that some of ISO 27001 Annex A controls can be used to fulfill the Trusted Service Criteria used by SOC2, so in these cases, you can refer directly to the related Annex A controls.

  Also is important to note that, to include the SOC2 controls in the Statement of Applicability, you first need to review your risk assessment and risk treatment, and the applicable legal requirements, to ensure that you have the proper basis to include these controls in the SoA.

  This article will provide you a further explanation about ISO 27001 and SOC 2:

  • Comparison of SOC 2 and ISO 27001 certification https://advisera.com/27001academy/blog/21/02/02/iso-27001-vs-soc-2/

  2. If we were to add all of the SOC2 controls this year, would all these controls be tested during this year's external surveillance audit? I'm planning out the scope of the internal audit and which controls to test, but we have limited resources and time. It seems duplicative to me to include the SOC2 controls since those are tested independently as part of the SOC2 audit. I understand an internal audit is not required for the SOC2 certification, but I see the benefit of performing an internal review to identify issues that could be mitigated before the SOC2 cert audit.

  Please note that added controls need to be audited in the next surveillance audit because their impact on the information security levels needs to be verified.

  Considering your limited resources and time, an alternative could be to include first the controls that have the biggest impact on information security (i.e., they are the single or main controls applied to treat related risks) and leave other less impacting controls to be included in the next year. Additionally note that since some controls of Annex can be used for SOC2, this can reduce your need for resources and time.

• ISO 27001 confidentiality

  Confidentiality is mentioned in the following sections and clauses:

  • 0 Introduction – 0.1 General
  • Clause 6.1.2 c) 1) – Information security risk assessment
  • Clause 7.5.3 b) – Control of documented information
  • Control section A.10.1 – Cryptographic controls
  • Control A.13.2.4 – Confidentiality or nondisclosure agreements

  This article will provide you a further explanation about ISO 27001:

  • What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/

  These materials will also help you regarding ISO 27001:

  • ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• Documenting Statement of Applicability

  1. How to start documenting Statement of Applicability.

  To start documenting the Statement of Applicability you need to perform a risk assessment and risk treatment, to identify the relevant risks and controls (from ISO 27001 Annex A or other sources) you will implement to treat them. Additionally, you need to identify legal requirements (e.g., laws, regulations, and contracts) which require the implementation of specific controls.

  For further information, see:

  • ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
  • The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

  2. What approach to follow?

  According to ISO 27001, the following information must be included in the SOA:

  • All applied controls
  • Justification for inclusions
  • Implementation status
  • justification for exclusions of controls from Annex A

  You can also add information you consider relevant to help manage the ISMS (e.g., a brief description of how the control is implemented).

  Regarding the format, you can adapt the information to any format your organization considers proper (a document, a spreadsheet, etc.)

  To see how a Statement of Applicability of compliant with ISO 27001 looks like, please see the free demo on this link: https://advisera.com/27001academy/documentation/statement-of-applicability/

  3. Who all should one interact with?

  In the development of the Statement of Applicability you need to interact with those who participated in the risk assessment and treatment, and in the identification of legal requirements, and they should be the managers and key personnel of the related areas or processes (e.g., for IT, you need to interact with IT manager and systems’ administrator, for Finance, you need to interact with the Finance Manager and a finance specialist, etc.).

  This information may help you to start, but please note that this material depends on the contribution of our readers and some of them may be outdated. is strongly recommend hiring legal expert advice to support this activity:

  • Laws and regulations on information security and business continuity https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/

  For further information, see:

  • How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

• Critical areas to prioritize focus during implementation

  This answer will depend on the results of risk assessment and the identification of legal requirements (e.g., laws, regulations, and contracts), because they will allow you to identify the areas which concentrates the most relevant risks, and which are subjected to the greatest impacts in case of legal requirements noncompliance.

  Besides the areas where ISO 27001 will be implemented, you also should add some emphasis on management support, project management, and training, to ensure availability of resources and employee engagement.

  For further information, see:
  - ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
  - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
  - ISO 27001 project – How to make it work https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/