Search results


  • ISO 13485 and cleaning process

    Cleaning is covered in ISO 13485 in the following requirements: 6.4.1 Work environment and 6.4.2 Contamination control. There is no instruction on how cleaning should be performed, nor are there even criteria for the required level of cleanliness for a particular product. It is the manufacturer's responsibility to define the requirements for health, cleanliness and clothing of personnel, and for contamination control.

    For more information on this topic, please see the following article:

    You can see in our ISO 13485:2016 Documentation toolkit how this procedure looks:

    • Procedure for Infrastructure and Work Environment https://advisera.com/13485academy/documentation/procedure-for-infrastructure-and-work-environment-iso-13485-2016/

    • GDPR restrictions for Hotel e-check in

      I am a software engineer and I am building a software product for hotels. The main goal is to allow hotel customers to check in from their mobile device prior to their physical presence at the hotel.

      From a business point of view this is a three-step process:
      1. The user takes a photograph of their personal ID or their passport.
      2. The user fills out a form with all the details of the hotel's terms of service.
      3. The user digitally signs for all the above.

      There is no technical issue in performing these operations. However, questions arise concerning GDPR restrictions on how to forward the files to the hotel staff.

      Should I store these files on the server, then send them by email to the hotel staff and then delete them?

      Is there any other recommended way of doing this process?

    • Control of records ISO 9001

      I hope I understood your question. ISO 9001:2015 speaks about “documented information”, and documented information should be maintained or retained.

      ISO 9001 versions before 2015 used the words "documents" and "records". When ISO 9001:2015 mentions "maintain documented information", it is referring to document control according to previous versions.

      When ISO 9001:2015 mentions "retain documented information", it is referring to record control according to previous versions.

      You can find more information about documentation below:

    • Can we be GDPR and ISO 27001 compliant with 1 employee?

      ISO 27001 was designed to be applicable to organizations of any size and industry, so it is possible to be compliant with this standard with only one employee, as well as when working with freelancers/consultants.

      GDPR refers to the processing of personal data by organizations/professionals, so it is not tied to the size of the organization, since it is applicable also to professionals, sole traders, and freelancers. The implementation depends on the kind of data processed.

      These articles will provide you a further explanation about ISO 27001 and GDPR:

      These materials will also help you regarding ISO 27001 and GDPR:

    • Including SOC 2 controls in SoA

      1. Are we required to include the SOC2 controls in the ISO 27001 Statement of Applicability?

      In case the SOC 2 controls are applied to elements included in the ISMS scope, then you need to include them in the Statement of Applicability, but please note that some of the ISO 27001 Annex A controls can be used to fulfill the Trust Services Criteria used by SOC 2, so in these cases you can refer directly to the related Annex A controls.

      It is also important to note that, to include the SOC 2 controls in the Statement of Applicability, you first need to review your risk assessment and risk treatment, and the applicable legal requirements, to ensure that you have the proper basis to include these controls in the SoA.

      This article will provide you a further explanation about ISO 27001 and SOC 2:

      2. If we were to add all of the SOC 2 controls this year, would all these controls be tested during this year's external surveillance audit? I'm planning out the scope of the internal audit and which controls to test, but we have limited resources and time. It seems duplicative to me to include the SOC 2 controls since those are tested independently as part of the SOC 2 audit. I understand an internal audit is not required for the SOC 2 certification, but I see the benefit of performing an internal review to identify issues that could be mitigated before the SOC 2 cert audit.

      Please note that added controls need to be audited in the next surveillance audit because their impact on the information security levels needs to be verified.

      Considering your limited resources and time, an alternative could be to first include the controls that have the biggest impact on information security (i.e., they are the single or main controls applied to treat related risks) and leave other, less impacting controls to be included next year. Additionally, note that since some Annex A controls can be used for SOC 2, this can reduce your need for resources and time.

    • ISO 27001 confidentiality

      Confidentiality is mentioned in the following sections and clauses:

      • 0 Introduction – 0.1 General
      • Clause 6.1.2 c) 1) – Information security risk assessment
      • Clause 7.5.3 b) – Control of documented information
      • Control section A.10.1 – Cryptographic controls
      • Control A.13.2.4 – Confidentiality or nondisclosure agreements

      This article will provide you a further explanation about ISO 27001:

      These materials will also help you regarding ISO 27001:

    • Documenting Statement of Applicability

      1. How to start documenting Statement of Applicability.

      To start documenting the Statement of Applicability you need to perform a risk assessment and risk treatment, to identify the relevant risks and controls (from ISO 27001 Annex A or other sources) you will implement to treat them. Additionally, you need to identify legal requirements (e.g., laws, regulations, and contracts) which require the implementation of specific controls.

      For further information, see:

      2. What approach to follow?

      According to ISO 27001, the following information must be included in the SoA:

      • All applied controls
      • Justification for inclusions
      • Implementation status
      • Justification for exclusions of controls from Annex A

      You can also add information you consider relevant to help manage the ISMS (e.g., a brief description of how the control is implemented).

      Regarding the format, you can adapt the information to any format your organization considers proper (a document, a spreadsheet, etc.).

      To see how a Statement of Applicability compliant with ISO 27001 looks, please see the free demo on this link: https://advisera.com/27001academy/documentation/statement-of-applicability/

      3. Who all should one interact with?

      In the development of the Statement of Applicability you need to interact with those who participated in the risk assessment and treatment and in the identification of legal requirements, and they should be the managers and key personnel of the related areas or processes (e.g., for IT, you need to interact with the IT manager and systems administrator; for Finance, you need to interact with the Finance Manager and a finance specialist, etc.).

      This information may help you to start, but please note that this material depends on the contribution of our readers and some of it may be outdated. It is strongly recommended to hire legal expert advice to support this activity:

      For further information, see:

    • Critical areas to prioritize focus during implementation

      This answer will depend on the results of the risk assessment and the identification of legal requirements (e.g., laws, regulations, and contracts), because they will allow you to identify the areas which concentrate the most relevant risks, and which are subject to the greatest impacts in case of noncompliance with legal requirements.

      Besides the areas where ISO 27001 will be implemented, you should also place some emphasis on management support, project management, and training, to ensure availability of resources and employee engagement.

      For further information, see:
      - ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
      - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
      - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
      - ISO 27001 project – How to make it work https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/

    • Recommended system/application to control documents, incidents and other stuff from ISO standards

      It's our policy not to make recommendations about specific tools owned by other organizations, since the selection of a tool will depend on the specific requirements and needs of each organization, and we can't ensure they are fully compliant with ISO management standards.

      However, we'd like to invite you to get to know our system for implementation and management of an ISMS compliant with ISO 27001, with which you can control documents, incidents, and other features required for compliance with ISO 27001:

    • The best KPIs for monitoring metrics

      ISO 27001 does not prescribe which performance indicators should be adopted by organizations, so there is no such thing as the best KPIs, and organizations must define them according to their own needs and objectives. Some common issues organizations should take into account when defining KPIs are:

      • Business relevant: the indicator is aligned to clear business objectives or legal requirements.
      • Process integrated: a KPI should add the least amount of work possible to business processes.
      • Assertive: the indicator should be capable of pinpointing relevant issues that need attention.

      As general examples we have:

      • Percent of business initiatives supported by the ISMS
      • Number of security-related service downtimes
      • Percent of controls assessment performed
      • Number of improvement initiatives

      These articles will provide you a further explanation about performance indicators and security objectives:
