Search results

Change profile from incident management to security compliance domain

Considering the mentioned certifications and your background, you should consider ISO 27001 Lead Auditor or CISA. CISSP is more indicated to people who want to work in technical areas. For the choice between ISO 27001 Lead auditor and CISA, you need to consider the type and depth of the activities you desire to perform (both are world-wide recognized certifications for auditing).

If you want to focus on auditing information security management, you should consider ISO 27001 Lead Auditor. If you want to go beyond auditing the scope of information security, and also consider the audit of strategic relationships between information security and the information systems and business objectives you should consider CISA. Please note that these courses do not exclude each other, they only offer different perspectives about how to audit the way information interacts with the business. ISO 27001 Lea Auditor would also need to be considered if you which to work for certification bodies, as a certification auditor.

These articles will provide you further explanation about personal certifications:
- CISA vs. ISO 27001 Lead Auditor certification https://advisera.com/training/iso-27001-lead-auditor-course/
- What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/

To see more about the ISO 27001 Lead Auditor Course, please access: https://advisera.com/training/iso-27001-lead-auditor-course/

ISO 9001 Internal adit and a legal department

ISO 9001:2015 clause 7.5.3.2. Consider the paragraph starting with “Documented information of external origin”. You can find a set of guidelines for controlling external documents in this article - What does “external documents control” mean in ISO 9001? - https://advisera.com/9001academy/blog/2019/02/04/what-does-external-documents-control-mean-in-iso-9001/

You can find more information below:

• How to include statutory and regulatory requirements in your QMS - https://advisera.com/9001academy/blog/2017/02/14/how-to-include-statutory-and-regulatory-requirements-in-your-qms/
• Free on-line course - ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
• Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
   

Safety courses, CPR or first aid as part of accreditation

You do not have to have safety courses, CPR or first aid to meet accreditation requirements.  ISO 17025 accreditation does not specifically include Health and safety requirements. As a laboratory you should of course, comply with all Health, Safety and Environmental protection regulations of your country; and personnel need suitable training and knowledge. Typically these requirements are covered under a separate programme and documentation, usually via a policy and manual. This means that the accreditation body will not directly assess the laboratory on these issues, unless linked to an ISO 17025 requirement that could jeopardise the consistent, impartial operation to produce valid results – for example cross contamination.  What ISO 17025 does require, stipulated in clause 5.4, is that Laboratory activities must be carried out in such a way as to meet the requirements of regulatory authorities, organizations providing recognition and customers. These requirements could be integrated into one management system or could be separate. 

For more information on 17025 requirements, have a look at the Whitepaper Clause-by-clause explanation of ISO 17025:2017, which will assist you with ISO 17025 awareness, available at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/ and the ISO 17025 Toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

58 areas of compliance required by ISO 13485

This means that in the standard ISO 13485:2016 on 58 places is put that manufacturer needs to be in compliance with applicable regulatory requirements. Regulatory requirements are any other standard, law, rule, regulation that is applicable for certain medical devices or manufacturers of medical devices. These requirements can be international or national. The point is that manufacturers of medical devices understand that it is not only ISO 13485 that is applicable to them, that there are a number of other rules by which they must be complied with. 

For example, in point 4.1 General each manufacturer of medical devices must be in compliance with requirements from this standard, but also with any other applicable regulatory requirements. This means that any technical standard must be taken into account when designing and manufacturing a medical device, but also any national law, rule, or ordinance must be considered. 

If manufacturers have any outsourced process, this also must be organized by the requirements of ISO 13485 but also any other applicable regulatory requirements. If there are some national laws and rules how contracts between two companies must look like, then it also must be taken into account. 

Considering the retention period of obsolete documents, the standard stipulates that mandatory storage is a minimum of two years. However, if there is a national rule on how long a particular type of documentation must be kept, then the manufacturer must comply with that as well. 

I hope that these examples approached what it means to be in compliance with regulatory requirements. Throughout the standard, this term extends and is found at almost every point. A detailed list of this is essentially the whole standard.

For more details on this topic, please see the following articles:

• How to determine regulatory requirements according to ISO 13485:2016 https://advisera.com/13485academy/knowledgebase/how-to-determine-regulatory-requirements-according-to-iso-13485/
• What is ISO 13485? https://advisera.com/13485academy/what-is-iso-13485/
• ISO 13485 structure and requirements https://advisera.com/13485academy/what-is-iso-13485/

• Green field plant IATF certification

  Automotive customer satisfaction shall be tracked by metrics such as quality performance, shipping performance, premium freight, number of complaints, etc. and this is mandatory for IATF 16949: 2016. For this subject, you can refer to Article 9.1.2.1 of the IATF 16949:2016 standard.

• Availability of parts and components for a discontinued medical device

  It is covered in MDR 2017/745, Annex 9, section point 2.2 c): the procedures and techniques for monitoring, verifying, validating, and controlling the design of the devices and the corresponding documentation as well as the data and records arising from those procedures and techniques.

  Those procedures and techniques shall specifically cover:

  • solutions for fulfilling the applicable specific requirements regarding design and construction, including appropriate pre-clinical evaluation, in particular, the requirements of Chapter II of Annex I,
  • solutions for fulfilling the applicable specific requirements regarding the information to be supplied with the device, in particular, the requirements of Chapter III of Annex I.

  So yes, you need to inform the customers that you will not produce your medical device anymore, but that you will provde the spare parts or service for a lifetime. If you are unable to do so, then you must inform who I can contact for spare parts or for service.   

• Giving consent

  First of all, consent needs to be clearly expressed by the user. The Supervisory Authorities consider that consent with an opt-out mechanism is not given correctly.

  You should add an opt-in checkbox.

  Here you can find more information on consent and e-mail marketing.

  • Is consent needed? Six legal bases to process data according to GDPR https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
  • Data subject rights according to GDPR https://advisera.com/eugdpracademy/knowledgebase/8-data-subject-rights-according-to-gdpr//
  • Email marketing in the era of GDPR – How to ensure compliance? https://advisera.com/eugdpracademy/blog/2019/05/27/gdpr-and-email-marketing-rules-for-compliant-campaigns/

  If you need to understand how to process consent under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

• Implementation of applicable controls

  Please note that ISO 27002 is a support standard that provides guidelines and recommendations for implementation of ISO 27001 Annex A controls, so it is not mandatory, and you can adapt its contents to your context, provided you fulfill the security objectives and security controls statement provided in the ISO 27001 Annex A.

  Regarding the word “shall”, please note that ISO 27002, as a guideline, does not use the word “shall”, but “should”, and that for ISO world means that its content can be implemented or not, according to your needs.

  This article will provide you a further explanation about ISO 27002:

  • ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/

  These materials will also help you regarding controls from Annex A:

  • ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• Control A.14.3.1

  1) I understand that the CISO performs internal audits in a company, but who should audit the CISO?

  Answer: First is important to note that CISO is a very bad choice for the internal auditor because of the obvious conflict of interest (this role is in general responsible for all the ISMS, and auditors cannot audit their own work).

  Considering that, you must consider another person to be the internal auditor (e.g., train another employee as internal auditor, or hire an external auditor).

  For further information about CISO, see:
  - What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
  - Chief Information Security Officer (CISO) – where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
  - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/

  These materials will also help you regarding internal audit:
  - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
  - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

  
  2) Our company is dedicated to selling ERP in SaaS mode (software as a service), how should control A.14.3.1 (Protection of test data) be implemented? ... it is necessary to obfuscate the information of customers who are in the database?

  Answer: The way to implement control A.14.3.1 will depend on the results of risk assessment and identified legal requirements. For example, risk assessment may identify that only strict control to test database is enough, or that creation of randomized dummy customer data may be needed. Additionally, contractual clauses may require the use of specific techniques, or forbid others, and some regulations like GDPR may require anonymization of test data.

  This article will provide you a further explanation about the software development life cycle:
  - How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/

  This material will also help you regarding ISO 27001 controls:
  - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

• EU IVDR 2017/746

  Thank you very much!