Always confirm with the relevant regulatory bodies. However, if the results of the tests are being used for medical diagnostic purposes, then ISO 15189:2022 Medical Laboratories - Requirements for quality and competence is the standard to be accredited to. If the testing is for non-medical purposes (for example forensics or, in some cases, for trial purposes only), then ISO/IEC 17025:2017 General requirements for the competence of testing and calibration laboratories is the appropriate standard to be accredited to.
For more information on ISO 17025, have a look at https://advisera.com/17025academy/what-is-iso-17025/
In fact, all people who need to access information that is sensitive should sign a confidentiality statement. E.g.:
To identify which information may need a confidentiality statement so it can be accessed, you should check the results of risk assessment, and applicable legal requirements.
First of all, thanks for this feedback.
Please note that this tool follows the ISO 27002 guideline about merging and splitting controls from ISO 27001 Annex A.
Considering that, the converted output for control A.12.6.1 (i.e., control A.8.8) does not mention the split of control A.18.2.3, because this information is not relevant for presenting the fact that controls A.12.6.1 and A.18.2.3 are now included in the new control A.8.8 (i.e., it is not necessary to explain that only part of one control is included in the new control; this would only complicate things).
1: Categories of recipients – maybe a dumb question, but would this be the people that receive the data? For example, for a quantitative 13-minute survey where a third party is collecting the data, the recipients would be Ypulse employees? Because categories of data subjects would be Survey Panelists, and the processor is the third party.

No. In this case, categories of recipients means the other data controllers, joint data controllers, or data processors that receive personal data. Related to the example you provided, recipients would be the hosting company where the data would be stored, third-party partners that collect the data, and other third parties that need to process the personal data.

2: Also, another silly question, but I believe the lawful basis for processing is Legitimate Interests. Although, we do provide marketing research services to companies via Presentations and PPTs that we deliver, and we provide consulting services based on the research we conduct. And we do have a contract/SOW designed with our clients. Can you confirm this would still be legitimate interest, or if this would more likely be considered ‘contract’ rather than legitimate interest?

The lawful basis for processing in the example you provided should be either consent, if the participants are not remunerated for answering the survey, or the necessity to perform contractual clauses, if participants are remunerated for answering the survey (because there would be a contract in place between your company and the participants). In the case of legitimate interest, people should expect the processing to occur, and my opinion is that in this case, because you are doing quantitative research, it would be quite difficult to argue this legal ground for processing personal data.

3: I am also not clear on what to add under this column: Data Protection Act 2018 Schedule 1 Condition for processing. I am not really sure what to add for this column. Can you advise on this one?

Data Protection Act 2018 Schedule 1 is related to processing special categories of personal data – like health, criminal convictions, etc. This column should be filled only if you process such categories of personal data, and in this case, you should identify what would be the condition of processing, namely Employment, Social Security, Social Protection, Health, Social Care, etc.

For example, for Quan surveys? Or for when we are communicating with clients – this would be legitimate interest again? Or when we conduct qualitative surveys as well.
Please also consult these links:
Nice
The identification of such times will depend on the results of risk assessment and applicable legal requirements (i.e., laws, regulations, and contracts), considering each country you want to cover.
As a tip, you could define an initial retention period (e.g., 1 year), see if this fits your business and legal needs, and adjust it on a case-by-case basis.
For further information, see:
Unfortunately, such a template is not available. ISO 27001 does not require a specific document for data loss prevention, and it is not a commonly used document.
For the development of such a document, we suggest you consider the following topics:
Considering this suggestion, you can use the highlighted sections mentioned in the documents in the first answer to start your document.
It means that you can hire an external auditor. But it also means that, even though you are a small company, you can audit each other. So, you do not need to have one internal auditor; all of you can audit each other's work.
For the classification rules and help with the classification please see the following guidance:
Each manufacturer of medical devices must be in compliance with ISO 13485, no matter the type and class of medical device. But, since MDR 2017/745 has additional requirements for the quality management system, please look into ISO 13485:2016/A11:2021.