
  • Data leakage prevention

    Unfortunately, such a template is not available. ISO 27001 does not require a specific document for data loss prevention, and it is not a commonly used document.

    For the development of such a document, we suggest you consider the following topics:

    • definition of responsibilities for data leakage prevention
    • definition of steps for data leakage prevention
    • definition of which type of information requires the application of data leakage prevention measures
    • definition of technologies to be implemented for data leakage prevention
    • definition of acceptable behavior for users regarding Internet use

    Considering this suggestion, you can use the highlighted sections mentioned in the documents in the first answer to start your document.

  • Internal auditor selection

    It means that you can hire an external auditor. But it also means that, even though you are a small company, you can audit each other. So, you do not need to have one internal auditor; all of you can audit each other's work.

  • MDR classification

    For the classification rules and help with the classification, please see the following guidance:

    • MDCG 2021-24 - Guidance on classification of medical devices https://health.ec.europa.eu/latest-updates/mdcg-2021-24-guidance-classification-medical-devices-2021-10-04_en

  • Drug-device combination product development and manufacturing

    Each manufacturer of medical devices must be in compliance with ISO 13485, no matter the type and class of medical device. But, since MDR 2017/745 has additional requirements for the quality management system, please look into ISO 13485:2016/A11:2021.

  • Question about gap analysis

    Please note that the standard does not require a gap analysis between two versions of the standard to be performed.

    For an analysis between these two versions, we suggest these documents:

    This tool can also help you:

  • Surveillance audit

    You can continue with the surveillance audit according to the ISO 27001:2013 standard by 10 August 2023.

    But please note that you need to make the transition to the 2022 revision of the standard by October 31, 2025.

    For further information, see:

    • ISO 27001 2013 vs. 2022 revision – What has changed? https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/
  • Handling accidents

    According to ISO 27001, the following controls are related to incident management:

    • A.5.7 Threat intelligence
    • A.5.24 Information security incident management planning and preparation
    • A.5.25 Assessment and decision on information security events
    • A.5.26 Response to information security incidents
    • A.5.27 Learning from information security incidents
    • A.5.28 Collection of evidence
    • A.6.8 Information security event reporting

    Please note that ISO 27001 does not prescribe details on how to manage incidents, only objectives that need to be achieved. For detailed guidance, you should look at ISO 27002, a non-mandatory supporting standard that provides explanations on the implementation of ISO 27001 Annex A controls.

    To see what a document describing incident handling compliant with ISO 27001 looks like, please take a look at this demo: https://advisera.com/27001academy/documentation/incident-management-procedure/

    For further information, see:

    Please note that, even though this article is about the old 2013 revision of ISO 27001, the principles in the article are still valid.

  • Risk Management Question

    You need to include all processes that are involved in the lifetime of medical devices, from the design and development of the medical device until use and disposal.

  • Questions about implementation

    1 - What documents should we be including under the ISMS? Should the scope mainly include policies and procedures, or should we be including all client/supplier contracts and day-to-day project documents, e.g., cost estimates, statements of work, etc.?

    The documents to be included in your ISMS will depend on your defined scope, i.e., the processes or locations where the information you want to protect flows.

    For example, if your ISMS scope covers only a software development and maintenance process, then the source code, customer specifications, and policies and procedures related to that process should be included in the ISMS.

    If your whole organization is included in the ISMS scope, then all the information you mentioned should be included.

    For further information, see:

    2 - Double check internal annual audit - does this need to happen every year? If so, when does this happen, e.g., every year from certification? (In our case, we're looking to be certified Sept 2023, so Sept 2024 would be the next internal audit.) Is there any leniency on it being 12 months versus 18 months, for example?

    An internal audit needs to be performed before each planned audit scheduled by your certification body (i.e., the certification and surveillance audits), so you need to consider the certification body's audit schedule to check when to perform the audits. In general, certification bodies define a one-year cycle for their surveillance audits, so in this situation, you need to perform at least one internal audit per year.

    Regarding when to perform the internal audits prior to the certification body's audits, there is no prescribed prior period for performing an internal audit, so organizations can perform them according to their needs, provided the internal audits are performed before a scheduled certification/surveillance audit.

    Since the internal audit is a mandatory requirement, not performing an internal audit before a scheduled certification body audit would be a major nonconformity, which can compromise your certification.

    For further information, see:

    This material can also help you:

    3 - Remote working policy - this is more general advice, but do we need to add how we manage people working abroad, as they need to be able to work from wherever they can on business, which can sometimes mean in a coffee shop or workspace, which we advise against when working in London for security reasons. What do others usually suggest here?

    Please note that common practices are already covered in the Mobile Device, Teleworking and Work from Home Policy, such as:

    • Access control
    • Backup
    • Storage of the device when not in use

    This template is located in folder 09 – Annex A Security Controls.

    For additional practices to be considered, you need to check the results of the risk assessment and applicable legal requirements (e.g., laws, regulations, and contracts).

    4 - Again, this is more seeking advice, but should client infrastructure be covered under our ISMS scope? We are currently excluding it, as we feel we would be covered under their own security policies, but just wanted to double check that's accurate / what the standard is?

    Answer: You should consider in your ISMS scope only the infrastructure you can control, so you should leave the client infrastructure out of your ISMS scope.

  • Writing objectives

    I would have to assume the finding was that there was no evidence of review of objectives during Management Review, with the criteria being ISO 17025:2017 clause 8.9.2b. My first comment is that your laboratory system should include a procedure and guidelines on how to address such non-conformances.

    When doing root cause analysis, start by stating what should have been in place (requirement) and what the real problem is (issue), clearly based on the context of having an ISO 17025 management system in place. Evaluate the impact and why this needs addressing to fix and prevent it, or a similar incident, from happening again. The depth you go to, in each case, should be decided based on risk.

    Using tools like brainstorming and asking questions like why and what will help you develop your report and get to the root causes. In this case, the requirement is that information regarding the fulfillment of objectives should have been input for an effective management review activity, and the outcome of discussions recorded. Determine, for example, if the requirement is documented in your QMS. Determine whether the objectives were discussed and reviewed but not recorded. It may be caused by a lack of understanding of ISO 17025 requirements, no assigned responsibility, a rushed management review, or poorly documented processes. Have a look to see which causes are most likely and then address them through corrective actions.

    For more information, have a look at these articles:

    How to perform management review in ISO 17025 at https://advisera.com/17025academy/blog/2021/05/03/how-to-perform-management-review-in-iso-17025/

    Corrective actions principles and root cause analysis in ISO 17025 at https://advisera.com/17025academy/blog/2020/11/04/corrective-actions-principles-and-root-cause-analysis-in-iso-17025/

    These ISO 17025 templates could also be of interest:

    Complaint, Nonconformity and Corrective Action Procedure at https://advisera.com/17025academy/documentation/complaint-nonconformity-and-corrective-action-procedure/

    Corrective Action Report (CAR) at https://advisera.com/17025academy/documentation/corrective-action-report-car/
