Please note that hidden risks can be related to:
Additionally, note that controls also can be related to legal requirements (laws, regulations, and contracts), and may need to be implemented even if there are no relevant risks.
If after considering these items you still find not enough controls related to risks or requirements, please note that typically smaller companies find 90 to 110 controls as applicable, whereas larger companies 105 or more, and some of these controls are marked as applicable only because organizations felt this was a logical decision (e.g., backup or passwords), and your organization can do the same.
These materials will also help you regarding risk assessment:
Please note that the ISMS responsible is a role an organization can create, or incorporate into an existing role, to cover at least these activities:
As for CISM (Certified Information Security Manager), it is a certification issued by ISACA which evidences that the certification holder has a certain set of knowledge and experience on information security management, which goes beyond the requirements related to ISO 27001.
This article will provide you with a further explanation about roles for ISO 27001:
These materials will also help you regarding roles for ISO 27001:
You asked
What about higher income for 17025-accredited cals compared to non-accredited? Do you happen to have a rough % of additional price that a lab can charge for an accredited calibration, compared to just a straight commercial cal with NIST traceability?
Pricing all depends on your sector, market (competition) and regulations. I cannot provide an idea of a price increase. What I can offer is some advice on how to proceed towards a decision to implement ISO 17025 and seek accreditation. Typically, to secure more business and a higher price, it will involve "selling" the added benefit to customers - the assurance of consistent, reliable results. If accredited, it is not just the word of the laboratory, but that of the accreditation body that provides the client with additional confidence. Providing a calibration with NIST traceability alone does not provide assurance that only competent personnel perform the calibration, and that all the other technical requirements are met.
Accreditation is often mandatory for calibration laboratories; however, if it is not, to help make the decision, I suggest that the laboratory obtain a quote from their accreditation body and estimate the total cost of obtaining and maintaining accreditation each year. Then do a risk/opportunities analysis. Look at the financial risks and benefits. Consider first the current income and number of calibrations, and what you would need to increase the price by just to recover your additional costs. Then consider the reputational opportunity (benefit) - whether you may gain (or retain) customers. Another benefit to consider is reduced costs due to improved efficiency and fewer repeats. This may lead, for example, to an opportunity to increase the number of calibrations performed monthly. Then look at the rates charged by competitors.
Financial management for the organisation should be able to assist with a model to decide whether the additional cost of accreditation could be recovered, from a financial perspective. Then, by effectively implementing and maintaining the system, cost savings and further income should be realized.
No, when performing PMS/PSUR, you need to cover only medical devices.
Requirements for ISO 9001:2015 certification of a law firm are similar to those for any other organization: having a quality management system designed and implemented according to the standard.
First, I would decide the scope of the quality management system. Is it applicable to all areas and services or just for some?
If you are starting a project to implement ISO 9001:2015:
Set up a project sponsor, a project manager, and a project team. Ensure top management support, and get training about the standard. Designing and implementing a quality management system implies being knowledgeable about ISO 9001:2015.
As a first step, perform a gap analysis to determine the amount of work to be done - comparing what your organization already has in place versus ISO 9001:2015 requirements. From that gap analysis, you can develop your Project Plan, listing what needs to be done, by whom, and until when.
From there it is implementation in order to close the gaps found. Then, perform an internal audit and the management review. There you can decide if your organization is ready for a certification audit.
To speed up the process you can use our Documentation Toolkit for the implementation of ISO 9001:2015 here - https://advisera.com/9001academy/iso-9001-documentation-toolkit/ and check the free previews. You can also watch this free webinar on-demand - How to use a Documentation Toolkit for the implementation of ISO 9001 - https://advisera.com/9001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-9001-free-webinar-on-demand/
Time to implement from scratch and be certified, with our Documentation Toolkit, can take:
Companies of up to 10 employees - up to 3 months
Up to 50 employees - 3 to 6 months
Up to 200 employees - 6 to 10 months
More than 200 employees - 10 to 20 months
This is a very short description of the journey but below you can find more detailed information:
You can find more information below:
Cleaning is covered in ISO 13485 in the following requirements: 6.4.1 Work environment and 6.4.2 Contamination control. There is no instruction on how cleaning should be performed, nor are there criteria for the required level of cleanliness for a particular product. It is the manufacturer's responsibility to define the requirements for health, cleanliness, clothing of personnel, and contamination control.
For more information on this topic, please see the following article:
You can see in our ISO 13485:2016 Documentation Toolkit what this procedure looks like:
I am a software engineer and I am building a software product for hotels. The main goal is to allow hotel customers to check in from their mobile device prior to their physical presence at the hotel.
From a business point of view this is a three-step process:
1. The user takes a photograph of their personal ID or their passport.
2. The user fills out a form with all the details of the hotel's terms of service.
3. The user digitally signs for all the above.
There is no technical issue in performing these operations. However, questions arise concerning GDPR restrictions on how to forward the files to the hotel staff.
Should I store these files on the server, then send them by email to the hotel staff and then delete them?
Is there any other recommended way of doing this process?
I hope I understood your question. ISO 9001:2015 speaks about “documented information”, and documented information should be maintained or retained.
ISO 9001 versions, before 2015, used the words “documents” and “records”. When ISO 9001:2015 mentions “maintain documented information” it is mentioning document control according to previous versions.
When ISO 9001:2015 mentions “retain documented information” it is mentioning record control according to previous versions.
You can find more information about documentation below:
ISO 27001 was designed to be applicable to organizations of any size and industry, so it is possible to be compliant with this standard with only one employee, as well as when working with freelancers/consultants.
GDPR refers to the processing of personal data by organizations/professionals, so it is not tied to organization size, since it is applicable also to professionals, sole traders, and freelancers. The implementation depends on the kind of data processed.
These articles will provide you with a further explanation about ISO 27001 and GDPR:
These materials will also help you regarding ISO 27001 and GDPR:
1. Are we required to include the SOC2 controls in the ISO 27001 Statement of Applicability?
In case the SOC2 controls are applied to elements included in the ISMS scope, then you need to include them in the Statement of Applicability, but please note that some of ISO 27001 Annex A controls can be used to fulfill the Trusted Service Criteria used by SOC2, so in these cases, you can refer directly to the related Annex A controls.
It is also important to note that, to include the SOC2 controls in the Statement of Applicability, you first need to review your risk assessment and risk treatment, and the applicable legal requirements, to ensure that you have the proper basis to include these controls in the SoA.
This article will provide you with a further explanation about ISO 27001 and SOC 2:
2. If we were to add all of the SOC2 controls this year, would all these controls be tested during this year's external surveillance audit? I'm planning out the scope of the internal audit and which controls to test, but we have limited resources and time. It seems duplicative to me to include the SOC2 controls since those are tested independently as part of the SOC2 audit. I understand an internal audit is not required for the SOC2 certification, but I see the benefit of performing an internal review to identify issues that could be mitigated before the SOC2 cert audit.
Please note that added controls need to be audited in the next surveillance audit because their impact on the information security levels needs to be verified.
Considering your limited resources and time, an alternative could be to include first the controls that have the biggest impact on information security (i.e., they are the single or main controls applied to treat related risks) and leave other, less impacting controls to be included in the next year. Additionally, note that since some controls of Annex A can be used for SOC2, this can reduce your need for resources and time.