Search results

ISO 27001 - Risk Assessment

ISO 27001 does not prescribe how to record assets, so you can group assets that share risks and still be compliant with the standard. The only point you have to pay attention to is when recording this set of assets in your risk assessment. You will have to make sure that from the "set of assets" registry you can identify all the assets that form that set, so in the event the set changes you can identify the need for a risk assessment review.  

This article will provide you a further explanation about managing assets:

• How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

These materials will also help you regarding managing assets:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Lead Auditor vs Lead Implementer

These courses are equal in their own way because they focus on different purposes.

However, since the implementation is something organizations often perform only one time, and after that, they have a continuous maintenance effort, the demand for auditors is greater than for implementers. Also, to work for certification bodies is necessary to be approved in a Lead Auditor course, while for implementation the certification is not mandatory.

This article will provide you a further explanation about these courses (although its focus is on ISO 27001, the same concepts apply to ISO 22301:

• Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/

MDD to MDR Transition

You can move to another notified body, but most important here is that findings that were raised against MDD are applicable for MDR as well. So you definitively need to solve those findings. Your CE mark will be under suspension until you comply with the MDR.

Using certified contract manufacturer impact

If you a legal manufacturer and want to put a medical device under your name, then you are also obliged to be certified according to ISO 13485. The contract manufacturer is your outsourced process and you need to have a proper quality agreement with them in accordance with the requirement 4.1.5 from the ISO 13485.2016. This quality agreement is supposed to cover mutual responsibilities, but also what kind of control you will have over them. Usually, the following are control measures:

Supplier's audit – you will perform supplier audit over them in a periodicity which will be risk-based the need for the outsourced company to notify you if it receives any complaint about similar products mutual communication in resolving complaints and inconsistencies - defined time required to respond to inquiries and clarifications

Considering the MDR /CE mark, again if you are a legal manufacturer and want to put a medical device under your name, then it is your responsibility to prepare the technical file in accordance with the Annex II and Annex III of MDR. Be prepared that when the notified body will come for your MDR audit they will also go to the audit of the outsourced certified company.  

For more information, see: 

• EU MDR Annex II – Technical documentation https://advisera.com/13485academy/mdr/technical-documentation/
• EU MDR Annex III – Technical documentation on post-market surveillance https://advisera.com/13485academy/mdr/technical-documentation-on-post-market-surveillance/

• Data protection: IT service provider

  You need consent to process a special category of personal data (the so-called sensitive data) and when your data processing goes beyond the fulfillment of a contractual obligation. In your case, when making a contract with a client for your software, the client agrees to data processing for the purposes of the contract: receiving the software, issuing invoices, store the IP, Wi-fi password, location, etc. This set of data you are collecting must be contained in the privacy notice and have as a legal basis the performing of contractual obligation.

  However, if you want to process your client’s data for marketing purposes you need to ask a specific consent on it because the client when downloading the software reasonably expected that personal data would be processed to fulfill the obligation.The consent must be specific and given freely so you need to ask your client something like “Do you agree to receive information, promotions, from us?” or “Do you want that your data are shared with our partners for promotional advertisement?” The Client must be aware of the reasons you are asking him consent.

  Here you can find more information on the legal basis to process personal data according to the GDPR and what to consider about the GDPR privacy notice:

  • Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
  • Everything you need to know about the GDPR Privacy Notice: https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/

  If you want to learn how personal data are processed under the EU GDPR you may consider enrolling in our free training EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course//

• ISO 9001 and 14001 certification and integration

  How to integrate ISO 9K with ISO 14K

  Answer:

  Organizations exist to serve clients. So, I recommend starting with modeling how the organizations serve clients based on the process approach and ISO 9001.

  

  Then, I consider other interested parties:

  

  Based on ISO 14001 and interested parties' requirements I recommend organizations to determine environmental aspects and impacts, compliance obligations, and risks.

  From here, it is possible to determine what needs to be done to improve the interaction with the environment while serving clients. And what needs to be done can be translated to things like:

  • Add work instructions specifically about environmental practices
  • Update work instructions from quality with tips and requirements to be followed because of improvement needs relevant to the environment
  • Make changes in layouts and visual management in order to help people comply with environmental requirements while doing their work
  • Develop action plans to meet quality and environmental objectives

  Of course, you will have several activities that can be immediately integrated like training, management review, internal audits, document control, monitoring, and measurement.

  You can find more information below:

  • How to integrate ISO 14001 and ISO 9001 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/how-to-integrate-iso-14001-and-iso-9001/
  • ISO 14001:2015 integration with ISO 9001:2015 – What has changed? - https://advisera.com/14001academy/blog/2016/02/15/iso-140012015-integration-with-iso-90012015-what-has-changed/
  • Free webinar - How to integrate ISO 9001:2015 and ISO 14001:2015 - https://advisera.com/14001academy/webinar/how-to-integrate-iso-90012015-and-iso-140012015-free-webinar-on-demand/
  • Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
  • Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
     

  what are the basic requirements for certification?

  Answer:

  I don’t know if I’m understanding correctly your question. To be certified an organization has to comply with management system standards (both at the design of the system level and at the conformity of practices level) and has to comply with compliance obligations.

  what are the best practices followed by organisations seeking for ISO 14k certification?

  Answer:

  Setup a project sponsor, a project manager, and a project team. Determine the scope of the EMS. Ensure top management support, get training. Designing and implementing an environmental management system (EMS) implies being knowledgeable about ISO 14001:2015.

  As a first step perform a Gap analysis, to determine the amount of work to be done - comparing what your organization already has in place versus ISO 14001:2015 requirements. From that GAP Analysis, you can develop your Project Plan, listing what needs to be done, by whom, until when.

  From there it is implementation in order to close the gaps found. Then, perform an internal audit and the management review. There you can decide if your organization is ready for a certification audit.

  Perhaps the following links can be useful:

  • Free webinar on-demand - How to use a Documentation Toolkit for the implementation of ISO 14001 - https://advisera.com/14001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-14001-free-webinar-on-demand/
  • List of ISO 14001 implementation steps -https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-iso-14001-implementation-steps/
  • ISO 14001:2015 Implementation diagram - https://info.advisera.com/14001academy/free-download/iso-14001-2015-implementation-diagram

• Can a Lead Auditor certify that organisation is ISO 27001 compliant?

  Only auditors working for certification bodies (certification auditors) can certify a business as ISO 27001 compliant.

  The choice of the certification body is an organization's decision, based on its strategies and business objectives and alignment with certification body practices.

  These articles can provide you further information:

  • How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
  • Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/

• Contractor's obligation to provide the client with BIA/BCRA

  Please note that the provision of Business Impact Analysis / Business Continuity Risk Assessment needs to be considered in the contract or service agreement you have with this supplier because this way in case they do not provide the documents you can have legal means to enforce compliance. Anything out of the contract or service agreement must be negotiated with the supplier.

  Considering that, to see a material with examples of applicable legal clauses to contracts that you can use as a basis to make your questionnaire for performance review, please access this template demo (although it is about ISO 27001, it also can be applied to business continuity): https://advisera.com/27001academy/documentation/security-clauses-for-suppliers-and-partners/

  These articles will provide you a further explanation about supplier management:

  • 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
    Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

  These materials will also help you regarding supplier management:

  • ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• Question on ISMS scope definition

  1 - The scope cannot be a server or a product, because it is a management standard right? Does this then mean that it can’t be an environment, like a cloud environment? Would you set the scope as the software engineering department for example instead?

  Your assumption is correct. The ISMS scope cannot be defined in terms of products, assets, or technologies. It needs to be defined in terms of information, location or processes to be protected, so the definition of the scope as a software engineering department is more appropriated.

  This article will provide you a further explanation about scope definition:

  • How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

  These materials will also help you regarding scope definition:

  • How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  2 - And you mentioned the scope cannot be drawn between people who share the same office? Does this mean they would also need to be segregated in terms of network or email environment?
  I’d really appreciate your opinion as I think the delivery time will be quite different if we chose the smaller scope rather than the whole company, although maybe more detailed in segregating them.

  Please note that, for small environments, it is better to define all its elements as the ISMS scope because the effort and costs to segregate them may not be worthy, compared to managing all elements as part of the ISMS scope.

  This article will provide you a further explanation about scope definition:

  • Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/