Search results


  • Retention for SIEM

    The identification of such times will depend on the results of risk assessment and applicable legal requirements (i.e., laws, regulations, and contracts), considering each country you want to cover.

    As a tip, you could define an initial retention period (e.g., 1 year) and see if this would fit your business and legal needs, and adjust it on a case-by-case basis.

    For further information, see:

    • Logging according to ISO 27001 A.8.15 https://advisera.com/27001academy/logging-according-to-iso-27001/
    • Risk treatment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment

  • Data leakage prevention

    Unfortunately, such a template is not available. ISO 27001 does not require a specific document for data loss prevention, and it is not a commonly used document.

    For the development of such a document, we suggest you consider the following topics:

    • definition of responsibilities for data leakage prevention
    • definition of steps for data leakage prevention
    • definition of which type of information requires the application of data leakage prevention measures
    • definition of technologies to be implemented for data leakage prevention
    • definition of acceptable behavior for users regarding Internet use

    Considering this suggestion, you can use the highlighted sections mentioned in the documents in the first answer to start your document.

  • Internal auditor selection

    It means that you can hire an external auditor. But it also means that, even though you are a small company, you can audit each other. So, you do not need to have one internal auditor; all of you can audit each other's work.

  • MDR classification

    For the classification rules and help with the classification, please see the following guidance:

    • MDCG 2021-24 - Guidance on classification of medical devices https://health.ec.europa.eu/latest-updates/mdcg-2021-24-guidance-classification-medical-devices-2021-10-04_en

  • Drug-device combination product development and manufacturing

    Each manufacturer of medical devices must be in compliance with ISO 13485, no matter the type and class of medical device. But, since MDR 2017/745 has additional requirements for the quality management system, please look into ISO 13485:2016/A11:2021.

  • Question about gap analysis

    Please note that the standard does not require a gap analysis between two versions of the standard to be performed.

    For an analysis between these two versions, we suggest these documents:

    This tool can also help you:

  • Surveillance audit

    You can continue with the surveillance audit according to the ISO 27001:2013 standard by 10 August 2023.

    But please note that you need to make the transition to the 2022 revision of the standard by October 31, 2025.

    For further information, see:

    • ISO 27001 2013 vs. 2022 revision – What has changed? https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/

  • Handling accidents

    According to ISO 27001, the following controls are related to incident management:

    • A.5.7 Threat intelligence
    • A.5.24 Information security incident management planning and preparation
    • A.5.25 Assessment and decision on information security events
    • A.5.26 Response to information security incidents
    • A.5.27 Learning from information security incidents
    • A.5.28 Collection of evidence
    • A.6.8 Information security event reporting

    Please note that ISO 27001 does not prescribe details on how to manage incidents, only objectives that need to be achieved. For detailed guidance, you should look for ISO 27002, a non-mandatory supporting standard that provides explanations on the implementation of ISO 27001 Annex A controls.

    To see what a document describing incident handling compliant with ISO 27001 looks like, please take a look at this demo: https://advisera.com/27001academy/documentation/incident-management-procedure/

    For further information, see:

    Please note that, even though this article is about the old 2013 revision of ISO 27001, the principles in the article are still valid.

  • Risk Management Question

    You need to include all processes that are involved in the lifetime of medical devices, from the design and development of the medical device until use and disposal.

  • Questions about implementation

    1 - What documents should we be including under the ISMS? Should the scope mainly include policies and procedures, or should we be including all client/supplier contracts, day-to-day project documents, e.g., cost estimates / statements of work, etc.?

    The documents to be included in your ISMS will depend on your defined scope, i.e., the processes or locations where the information you want to protect flows.

    For example, if your ISMS scope covers only a software development and maintenance process, then the source code, customer specifications, and policies and procedures related to that process should be included in the ISMS.

    In case all of your organization is included in the ISMS scope, then all the information you mentioned should be included.

    For further information, see:

    2 - Double check internal annual audit - does this need to happen every year? If so, when does this happen, e.g., every year from certification? (In our case, we're looking to be certified Sept 2023, so Sept 2024 would be the next internal audit.) Is there any leniency on it being 12 months versus 18 months, for example?

    An internal audit needs to be performed before each planned audit scheduled by your certification body (i.e., the certification and surveillance audits), so you need to consider the certification body's audit schedule to check when to perform the audits. In general, certification bodies define a one-year cycle for their surveillance audits, so in this situation, you need to perform at least one internal audit per year.

    Regarding when to perform the internal audits prior to the certification body's audits, there is no prescribed prior period to perform an internal audit, so organizations can perform them according to their needs, provided the internal audits are performed before a scheduled certification/surveillance audit.

    Since the internal audit is a mandatory requirement, not performing an internal audit before a scheduled certification body's audit would be a major non-conformity, which can compromise your certification.

    For further information, see:

    This material can also help you:

    3 - Remote working policy - this is more general advice, but do we need to add how we manage people working abroad? They need to be able to work from wherever they can on business, which can sometimes mean in a coffee shop or workspace, which we advise against when working in London for security reasons. What do others usually suggest here?

    Please note that common practices are already covered in the Mobile Device, Teleworking and Work from Home Policy, such as:

    • Access control
    • Backup
    • Storage of device when not in use

    This template is located in folder 09 – Annex A Security Controls.

    For additional practices to be considered, you need to check the results of risk assessment and applicable legal requirements (e.g., laws, regulations, and contracts).

    4 - Again, this is more seeking advice, but should client infrastructure be covered under our ISMS scope? We currently are excluding them, as we feel we would be covered under their own security policies, but just wanted to double check that's accurate / what the standard is.

    Answer: You should consider in your ISMS scope only the infrastructure you can control, so you should leave the client infrastructure out of your ISMS scope.
