
  • ISO 27001 certificate

    1 - how can I conduct the iso27001 gap analysis

    Answer: First, it is important to note that an ISO 27001 gap analysis is not mandatory, and it is actually not recommended for smaller companies because it only takes away resources without providing many benefits.

    Considering that, the best approach is to develop a checklist of which items you need to verify and which results you have to find in order to define whether there is a gap or not. When looking for results, some approaches you may use are interviews, documentation evaluation, and field observation. Based on that approach, it is easier to develop action plans to eliminate the gaps.

    Regarding ISO 27001, I suggest you take a look at our free ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/

    It was developed as a simple question-and-answer questionnaire so you can visualize which specific elements of an information security management system are already implemented, and what still needs to be done.

    For more information, see:
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
    - Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/


    2 - what are the minimum requirements to achieve the iso27001 certificate?

    Answer: Broadly speaking, the minimum requirements to fulfill if you want to go for ISO 27001 certification are related to clauses 4 to 10 of the standard, involving:
    - documentation and implementation of information security-related requirements (e.g., ISMS scope, Information Security Policy, Risk Assessment and Risk treatment, etc.)
    - performing internal audit and management review
    - treatment of nonconformities and corrective actions.

    These articles will provide you with further explanation about ISO 27001 certification:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    To see what documents compliant with ISO 27001 look like, please take a look at the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    These materials will also help you regarding ISO 27001 certification:
    - ISO 27001: An overview of the ISMS implementation process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-overview-isms-implementation-process-free-webinar-demand/
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  • Change profile from incident management to security compliance domain

    Considering the mentioned certifications and your background, you should consider ISO 27001 Lead Auditor or CISA. CISSP is more suited to people who want to work in technical areas. For the choice between ISO 27001 Lead Auditor and CISA, you need to consider the type and depth of the activities you wish to perform (both are world-wide recognized certifications for auditing).

    If you want to focus on auditing information security management, you should consider ISO 27001 Lead Auditor. If you want to go beyond auditing the scope of information security, and also consider the audit of strategic relationships between information security and the information systems and business objectives, you should consider CISA. Please note that these courses do not exclude each other; they only offer different perspectives on how to audit the way information interacts with the business. ISO 27001 Lead Auditor would also need to be considered if you wish to work for certification bodies as a certification auditor.

    These articles will provide you with further explanation about personal certifications:
    - CISA vs. ISO 27001 Lead Auditor certification https://advisera.com/training/iso-27001-lead-auditor-course/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/

    To see more about the ISO 27001 Lead Auditor Course, please access: https://advisera.com/training/iso-27001-lead-auditor-course/

  • ISO 9001 Internal audit and a legal department

    ISO 9001:2015 clause 7.5.3.2. Consider the paragraph starting with “Documented information of external origin”. You can find a set of guidelines for controlling external documents in this article - What does “external documents control” mean in ISO 9001? - https://advisera.com/9001academy/blog/2019/02/04/what-does-external-documents-control-mean-in-iso-9001/

    You can find more information below:

  • Safety courses, CPR or first aid as part of accreditation

    You do not have to have safety courses, CPR or first aid to meet accreditation requirements. ISO 17025 accreditation does not specifically include health and safety requirements. As a laboratory you should, of course, comply with all health, safety and environmental protection regulations of your country, and personnel need suitable training and knowledge. Typically these requirements are covered under a separate programme and documentation, usually via a policy and manual. This means that the accreditation body will not directly assess the laboratory on these issues, unless they are linked to an ISO 17025 requirement that could jeopardise the consistent, impartial operation needed to produce valid results, for example cross-contamination. What ISO 17025 does require, stipulated in clause 5.4, is that laboratory activities must be carried out in such a way as to meet the requirements of regulatory authorities, organizations providing recognition, and customers. These requirements could be integrated into one management system or could be kept separate.

    For more information on 17025 requirements, have a look at the Whitepaper Clause-by-clause explanation of ISO 17025:2017, which will assist you with ISO 17025 awareness, available at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/ and the ISO 17025 Toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

  • 58 areas of compliance required by ISO 13485

    This means that in 58 places the standard ISO 13485:2016 states that the manufacturer needs to be in compliance with applicable regulatory requirements. Regulatory requirements are any other standard, law, rule or regulation that is applicable to certain medical devices or to manufacturers of medical devices. These requirements can be international or national. The point is that manufacturers of medical devices understand that it is not only ISO 13485 that is applicable to them, and that there are a number of other rules with which they must comply.

    For example, in point 4.1 General, each manufacturer of medical devices must be in compliance with the requirements of this standard, but also with any other applicable regulatory requirements. This means that any technical standard must be taken into account when designing and manufacturing a medical device, but also any national law, rule or ordinance must be considered.

    If manufacturers have any outsourced process, this also must be organized according to the requirements of ISO 13485, but also according to any other applicable regulatory requirements. If there are national laws and rules on how contracts between two companies must look, then these also must be taken into account.

    Considering the retention period of obsolete documents, the standard stipulates that the mandatory storage period is a minimum of two years. However, if there is a national rule on how long a particular type of documentation must be kept, then the manufacturer must comply with that as well.

    I hope that these examples have clarified what it means to be in compliance with regulatory requirements. Throughout the standard, this term extends to and is found at almost every point. A detailed list of this is essentially the whole standard.

    For more details on this topic, please see the following articles:
