Search results

Stage 1 audit

Stage 1 is usually called „Documentation audit“ because auditors what will check are all documentation requirements from the standard fulfilled. SO, you need to prepare all documents from the requirements that are applicable for your company and within the scope. If some of the major documents are missing, it is not possible to access the next step, the initial audit or so-called Stage 2 audit.

For more information regarding the certification process, please see the following articles:

• First-, Second- & Third-Party Audits for medical device manufacturers & suppliers https://advisera.com/13485academy/knowledgebase/first-second-third-party-audits-for-medical-device-manufacturers-suppliers/
• Checklist of ISO 13485 implementation and certification steps https://advisera.com/13485academy/knowledgebase/checklist-of-iso-13485-implementation-and-certification-steps/
• How to get ISO 13485 certified? https://advisera.com/13485academy/iso-13485-certification/

• Certification qualification

  According to section 1. Scope of the ISO 13485:2016 is stated that this standard is applicable to all entities involved in the life-cycle of the medical device. It means that this standard is applicable for: manufacturer, design and development, storage, distribution, installation, service, or any other company that provides associated activities like technical support.

  For more information about ISO 13485, please see the following articles:

  • What is ISO 13485? https://advisera.com/13485academy/what-is-iso-13485/
  • Six key benefits of ISO 13485 implementation https://advisera.com/13485academy/knowledgebase/six-key-benefits-of-iso-13485-implementation/

  • Can I save my customers information and email them about the event they purchased a ticket for?

    Yes, you can. You don’t need consent to remind a service that your customer purchased (however, you should mention follow-up and reminders in your privacy notice and also the sharing of data with third parties like your CRM).Article 6 GDPR on the legal basis of data processing allows the controller to process personal data to fulfill contract obligation and reminding your customers that the online event they purchased is coming, it is part of the customer care relationship. So, definitely, you can.

    If you need to know more about data subjects rights, consent, and compliance to GDR here you can find more information:

    • Data subject rights according to GDPR https://advisera.com/eugdpracademy/knowledgebase/8-data-subject-rights-according-to-gdpr//
    • Is consent needed? Six legal bases to process data according to GDPR https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
    • Email marketing in the era of GDPR – How to ensure compliance? https://advisera.com/eugdpracademy/blog/2019/05/27/gdpr-and-email-marketing-rules-for-compliant-campaigns/

    If you need to understand how to data subject rights need to be managed under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

  • Risk Management Alignment Among ISO31000, ISO27001, ISO22301 & ISO9001

    First is important to note that ISO 9001, ISO 22301, and ISO 27001 do not prescribe any methodology for risk assessment and risk treatment, so you can adopt the methodology that better fits your context. As for ISO 31000, it defines a general framework for risk management that can be applied to organizations of any industry and size, based on this core process: risk identification, risk analysis, risk evaluation, and risk treatment.

    Considering that, you should adopt the “global definition, local implementation” approach, i.e., which aspects need to be used in all situations, and which ones are used in specific situations.

    For example, for risk identification, depending on how you need to look at the risk (e.g., in terms of information security, business continuity, quality, or organization) one approach can be better than another (the most common approaches are asset-based, process-based and scenario-based). This is a step you should consider in local terms for execution (i.e., which approach to use) but ensuring the participation of personnel with competence in all perspectives, ensure a holistic view, and avoid reassessment.

    On the other hand, for risk analysis and risk evaluation, you need to have a global definition, because without that you will be unable to compare risks from different perspectives. This can be achieved by using the same risk formula and scale in all approaches (e.g., risk equals to impact times likelihood, and scale very low to very high, or 1 to 5), and normalizing the meaning of the scales considering all your perspectives. For example, what an impact value of 1 means to information security, business continuity, quality, and to the organization?

    If you have the same formula and the same scale used for all identified risks, regardless of how you identified them, you will be able to compare them (and this will save you the time and effort in overlapping assessments).

    As for risk treatment, you should define general treatment options (e.g., risk acceptance, risk mitigation, risk avoidance, and risk transfer), so you can have a holistic view of applied treatments, and define specific sets of potential implementation solutions since what is applicable for information security may not be applicable to quality.

    By following this approach, you can ensure all risks can be related, improving risk management effectiveness, decrease the effort and need for reassessments, improving risk management efficiency, and keep the independent goals of each risk assessment/management.

    These articles will provide you a further explanation about risk management:
    - ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
    - ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification/
    - How to integrate COSO, COBIT, and ISO 27001 frameworks https://advisera.com/27001academy/blog/2016/10/10/how-to-integrate-coso-cobit-and-iso-27001-frameworks/

    This material will also help you regarding risk management:
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

  • HIPAA vs. ISO 27001 - What are the differences?

    Please note that either SOC2 and HIPAA focus on controls to be implemented, while ISO 27001 provides a framework for information security management, meaning that it also covers the controls improvement and adjustment according to changes in a business context, based on a risk management approach.

    Considering that including in an audit of SOC2 and HIPPA references to clauses 4-10 of ISO 27001 only makes sense if the organization, besides the required controls, also has a management system.

    My point of view is that “HIPAA plus ISO” trend will increase, and since legal requirements for information security will also increase, the adoption of a full information security management system will require future audits to include clauses 4-10 of ISO 27001, if not because HIPAA requirements, but because organizations will realize that a full management system will help them better manage multiple legal requirements for information security

    This article will provide you a further explanation about benefits of ISO 27001:
    - Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
    - HIPAA compliance vs ISO 27001 https://advisera.com/27001academy/blog/21/01/27/hipaa-compliance-vs-iso-27001/

    These materials will also help you regarding ISO 27001:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  • How to fill out BYOD policy?

    Please note that in these templates you will find some text between brackets (e.g., [job title], [name of document], etc.). To customize the templates according to your organization's needs you only need to change these texts by your information. For example, in the phrase “[job title] defines the list of devices approved for BYOD” you can write “Head of IT defines the list of devices approved for BYOD”, or any other role that will be in charge of this definition.

    Also, note that in the templates you will find many commentaries with tips on how to fill in the documents and material you can read for more information.

    These articles will provide you a further explanation about BYOD policy and for training and awareness:

    • How to write an easy-to-use BYOD policy compliant with ISO 27001 https://advisera.com/27001academy/blog/2015/09/07/how-to-write-an-easy-to-use-byod-policy-compliant-with-iso-27001/
    • How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/

    These materials will also help you regarding BYOD policy and for training and awareness:

    • ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    • ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    • Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.

  • Policies presentation

    Please note that there is no single answer to this question because you have different publics with different interests:

    • top management needs to make decisions over issues that many times are not so clear for them, and they do not need deep knowledge about technicalities of security issues (they will be more concerned about how it impacts the business). In these cases, your presentation should be focused on decisions they need to make on each policy
    • technical personnel with operational responsibilities for security needs deep knowledge over technologies, methodologies, and process, so your presentation should be focused on the procedures and rules they need to follow
    • overall personnel needs a basic understanding of security, to properly identify, report, and react to risky situations. In these cases, your presentation should be focused on examples and how to proceed according to the policies

    
    These articles will provide you a further explanation about awareness in the organization:

    • What are the benefits of security awareness training for organizations? https://advisera.com/27001academy/blog/2019/03/27/what-are-the-benefits-of-security-awareness-training-for-organizations/
    • How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
    • Top management perspective of information security implementation https://advisera.com/27001academy/blog/2012/12/04/top-management-perspective-of-information-security-implementation/

    
    These materials will also help you regarding the awareness in the organization:

    • Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    • ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    • Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.

  • ISMS audit fidings

    First, it is important to note that, considering ISO 19011, the standard used for auditing ISO management systems, audit findings can be conformity, nonconformity, opportunities for improvement, and recommendations (i.e., there is no definition for observation in the standard as an audit finding).

    As for minor and major NC, these definitions are normally used by certification auditors, to differentiate NCs that impact mandatory documents, or systematically affects the management system, from punctual NCs that do not affect the general operation of the management system.

    The difference between an NC and observation is that for the second one you do not have enough evidence to support a non-conformity statement. In this situation, an auditor can make an observation to the organization so its staff can decide to work on an evaluation to identify if further work has to be done. It also can be used by another auditor in another audit to verify if the situation has evolved to a well-based non-conformity or not.

    For further information, see:

    • Major vs. minor nonconformities in the certification audit https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/

    This course can give you further information about internal audit:

    • ISO 27001:2013 Internal Auditor course https://advisera.com/training/iso-27001-internal-auditor-course/

  • Polices version 27001

    ISO 27001 does not prescribe how to make version numbers, only that documents are controlled, so organizations are free to adopt any versioning system they want, and this versioning system does not need to be equivalent to the numbering of ISO 27001, so the situation you described wouldn’t be a nonconformity.

    This article will provide you a further explanation about managing documents:

    • Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/

    These materials will also help you regarding document management:

    • Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
    • ISO 27001:2013 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  • ISO 27001 controls

    Please note that controls objectives and controls descriptions from ISO 27001 Annex A are aligned with controls guidance and recommendations from ISO 27002, and the description of these controls in ISO 27002 starts in section 5. Sections 1 to 4 of ISO 27002 does not refer to controls, so that’s why there are controls A1 to A4 in ISO 27001 Annex A.

    This article will provide you a further explanation about ISO 27002:

    • ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/

    These materials will also help you regarding ISO 27002:

    • ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    • ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/