Search results

ISO 27001 certification benefits

I’m assuming that you are referring to ISO 27001 certification, not accreditation because the main purpose of accreditation is to provide certification audit services, not managed services.

Considering that, a certified supplier saves customer costs on performing its own audits on supplier’s sites to ensure it is compliant with standard’s requirements. But most important of all, it increases customer’s confidence that the organization can properly protect customer’s information.

This article will provide you a further explanation about ISO 27001 benefits:

• Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

These materials will also help you regarding Iso 27001:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

7 Controls in the A.6

The seven controls from ISO 27001 Annex A section A.6 are:

• A.6.1.1 Information security roles and responsibilities
• A.6.1.2 Segregation of duties
• A.6.1.3 Contact with authorities
• A.6.1.4 Contact with special interest groups
• A.6.1.5 Information security in project management
• A.6.2.1 Mobile device policy
• A.6.2.2 Teleworking

These articles will provide you a further explanation about controls from section A.6:

• How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
• Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/
• How to manage security in project management according to ISO 27001 A.6.1.5 https://advisera.com/27001academy/what-is-iso-27001/
• What to include in an ISO 27001 remote access policy https://advisera.com/27001academy/blog/2019/04/23/iso-27001-remote-access-policy-how-to-develop-it/

These materials will also help you regarding controls from section A.6:

• Checklist of cyber threats & safeguards when working from home (PDF) https://info.advisera.com/27001academy/free-download/checklist-of-cyber-threats-and-safeguards-when-working-from-home
• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Measures Appendix A

1 - we are in possession of your toolkit for ISO 27001 and are in point 6 (declaration of applicability). The 114 specified measures are to be checked for applicability. For us, however, the question arises as to whether all measures really have to be applied, since theoretically quite a few of them could be used or whether only suitable measures have to be defined for the risks that we have assessed with risk levels 3 and 4 (unacceptable risks).

Please note that you only have to state as applicable in the Statement of Applicability the controls you defined as needed to treat the risks you identified as unacceptable (according to your Risk Treatment Table), and those required by legal requirements. For the other controls, you can state that they are not applicable because there are no risks or legal requirements demanding their implementation.

By the way, included in your toolkit you have access to a video tutorial that can help you fill in the Statement of Applicability.

For further information, see:

• The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

2 - In addition, we would like to know whether there are any legal regulations in Germany to which we must pay special attention in the course of the introduction of Iso 27001.

We are not legal experts, so our recommended approach is indeed for organizations to hire local expert advice to identify legal requirements that must be fulfilled to be compliant with the ISO 27001 in required countries. An online search can help at the beginning of your work (for an overview), but local expert advice is highly recommended.

This article can provide a start: https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/

But please note that the list in this article is not fully up-to-date because it depends on voluntary contributions from our readers – therefore, it is likely that not all regulations for each country are listed (some even may have been withdrawn).

This article will provide you a further explanation about the identification of requirements:

• How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

Complying with ISO 27001 and EU GDPR

Please note that ISO 27001 was designed to be implemented by organizations of any size and industry, so it can be applicable to your organization. Freelancers/consultants can be viewed as outsourced services and treated accordingly.

Regarding GDPR, it depends on the activity of your organization. If your organization processes a high volume of personal data, or monitors behavior, or processes special categories of personal data like health data, political opinion, sex orientation, criminal convictions, so you require a Data Protection Officer (DPO). If your organization does not deal with this data, you do not require a DPO.

The DPO does not need to be an employee of the organization, this role can be outsourced, but you need to ensure that required roles and responsibilities are included in the contract or service agreement.

These articles will provide you a further explanation about ISO 27001 and DPO:

• What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
• How to hire the right DPO? https://advisera.com/articles/how-to-hire-the-right-dpo/
• The role of the DPO in light of the General Data Protection Regulation https://advisera.com/articles/the-role-of-the-dpo-in-light-of-the-general-data-protection-regulation/

These materials will also help you regarding ISO 27001 and DPO:

• How to integrate GDPR with ISO 27001 https://advisera.com/webinars/how-to-integrate-gdpr-with-iso-27001-free-webinar-on-demand/
• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
• EU GDPR Data Protection Officer Course https://advisera.com/training/eu-gdpr-data-protection-officer-course/

Email won't respond unless I give certain info in order to be GDPR-compliant - is this GDPR-relevant?

In your first question, you stated that they can find that you are an employee from the content of your complaint so that they can discover it without asking you. The consequences arising from your complaint may differ from your contract and your home labor law but do not involve GDPR. Depending on how sensitive your allegation and complaint are, I would suggest you talk to a lawyer to get a better consultation over your concrete situation.From the perspective of GDPR compliance, it is a common procedure to confirm identity in order to handle correctly a data subject access request.

Designing the audit checklist

Let us develop a checklist for clause 7.2 of ISO 14001:2015 and hope you can apply the same technique to develop a checklist for any clause of ISO 14001:2015.

Translate clause 7.2 into a set of actions, look for the verbs:

a) determine the necessary competence of person(s)

b) ensure that these persons are competent

c) determine training needs

d) take actions to acquire the necessary competence,

d) evaluate the effectiveness of the actions taken.

Now, where do you want to start your audit? At the end? In the beginning? In the middle? Let us start at the middle.

Have you determined training needs? (about c)) Did you plan actions to address them? Can I see your overall plan to address them? (about the first d)) Was the plan approved? By whom? Was the plan fulfilled? Choose two or three actions and ask for evidence of their realization. Who participated in these actions? Why? To what extent have these actions met training needs? Has the effectiveness of these actions been assessed? What was the result? Can I see evidence of the evaluation? (about the second d)) To what extent have these actions met skills gaps? Can I see those gaps? Choose two or three people who attended the chosen training courses and see what are the competence requirements of the functions they perform (about a) and b)) and how did the training contribute to their evolution?

Translate the standard into verbs, then ask questions to check if the actions were done and evidence of that.

You can find more information below:

• Please check this free webinar on-demand - How to perform an ISO 14001:2015 internal audit - https://advisera.com/14001academy/webinar/how-to-perform-an-iso-14001-2015-internal-audit-free-webinar-on-demand/ where I present an example of the development of a checklist.
• You can also attend this free course – ISO 14001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

Calibration

Considering the requirement 7.6 Control of monitoring and measuring equipment, it is not prescribed what is the tolerance for calibration measuring. This mostly depends on some technical standards, but also how precise must be what you are measuring. It is not the same if you calibrate a thermometer for the warehouse where it is allowed to have a temperature range from 5 to 30 Celsius degree or a thermometer for a fridge where it is allowed a temperature range from +2 to +8 Celsius degrees. 

For more information, please see the following article:

• Calibration requirements in ISO 13485 https://advisera.com/13485academy/blog/2019/03/08/calibration-requirements-in-iso-13485/

You can see how our document for Maintenance and Calibration Record looks in our ISO 13485:2016 Documentation toolkit: https://advisera.com/13485academy/documentation/maintenance-and-calibration-record-iso-13485-2016/

Personnel training

As with all requirements, the objective is to ensure competency for the tasks personnel are responsible for, and the provision of resources and authority to contribute positively to the overall compliance and objectives of the laboratory. This means that that the training procedure and records must include actions, controls, monitoring and evidence that the training is fit (appropriate and effective) for the work being performed. All personnel must be sufficiently skilled, trained and deemed competent for the specific task they are responsible for. Personnel should have suitable ISO 17025 awareness training, as they need to know how their role and actions can positively or negatively impact the consistent valid results of the laboratory. The training would typically cover administrative, operational, technical and general management activities; including a good understanding of the risks, controls and monitoring activities that are associated with their work. Personnel training records must include identification of competence requirements, evidence of supervision, authorization (deemed competent for an activity) and monitoring of competence.

ISO 17025 has mandatory requirements for documenting the competency requirements and retaining records. As personnel training and competency is a critical activity, the Advisera ISO 17025 toolkit includes the mandatory procedure as ISO 17025 document template: Competence, Training and Awareness Procedure along with 4 appendices: Training Program, Training Record and Performance Monitoring, Record of Attendance and Competence Approval and Authorization Record. You can preview the template at https://advisera.com/17025academy/documentation/competence-training-and-awareness-procedure/

The Whitepaper Clause-by-clause explanation of ISO 17025:2017 will assist you with ISO 17025 awareness, available at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/

Also have a look at the Advisera Expert Advice Community question and answer in deeming someone competent for more information. Available at https://community.advisera.com/topic/how-training-should-someone-have-before-they-are-deemed-competent-for-a-specific-task/

udi for Legacy devices

No, you do not need to put the UDI number until you will go to the certification under MDR (end of 2023). If you go through Article 120 Transition provisions of the MDR, there you will see which elements from MDR must be prepared for periodic MDD audit after May 2021:post-market surveillance, market surveillance, vigilance, and registration of economic operators.

For more information, see:

• EU MDR Article 120 Transition provisions - https://advisera.com/13485academy/mdr/transitional-provisions/

• Appendix for Design and Development

  It was our opinion that transparency is better this way. Appendix corresponds to the sequence required by requirement 7.3 Design and development. If you put all Appendix together, start from Appendix 1 to Appendix 8, then you will have documented the whole process for the Desing and development.

  You can find more information about Desing and development on the following link:

  • How to manage design and development of medical devices according to ISO 13485:2016 https://advisera.com/13485academy/blog/2017/08/24/how-to-manage-design-and-development-of-medical-devices-according-to-iso-134852016/