Do you have any thoughts on the ISO/IEC 38500?
ISO/IEC 38500 provides guiding principles for governance specifically directed at Information Technology. It can be used to help integrate business strategy, information technology, and information security initiatives.
For additional information, see:
Would we want to add this after our ISO/IEC 27001 that we are working on?
ISO 27001 does not require the implementation of any other standard, so the decision about the application of ISO/IEC 38500 would depend on the evaluation of potential benefits that can be achieved and the costs of implementing an additional standard.
Also, in regards to the ISO 22301, does this compliment the GDPR that we are working on?
ISO 22301 is about business continuity and resilience of systems. It can help you to demonstrate compliance with security measures under Article 32 GDPR (which requires technical and organizational security measures) but it does not cover all GDPR requirements (i.e. the information to be provided to data subjects, or the respect of data subject rights are outside the purposes of ISO 22301 and they are the core of GDPR). GDPR refers to all data processing regardless of the form and it is not only about data security (yet it is crucial), it is also about information, transparency, and lawful processing.
For more information, see:
The Toolkit requires you to insert your national privacy law if any. Most countries, even EU Member States adopted internal laws and regulations to implement GDPR requirements in certain fields. Video surveillance, controls of workers, social security, criminal conviction, or health data are some examples of topics nationally implemented.
You should consult the website of your local Data Protection Authority (or Surveillance Authority) to discover the applicable laws and regulations adopted in your country. Therefore, you should check whether your organization is subject to other extraterritorial privacy laws like the California Consumer Protection Act (CCPA) or the Brazilian Data Protection Act (LGPD). In such a case, you should also insert those references in your data protection policy.
Here you can find the list of relevant Data Protection Authorities and the list of laws and regulations on information security:
Please note that ISO 27001 does not prescribe how to document the review, so organizations can develop the form as best fit their needs.
Considering that, to record reviewed access rights you can use the Internal Audit Report template included in your toolkit, using the field Audit Trail to record this information.
In case you need a more generic approach, you can use a Word or Excel file.
In both cases, it is important to cover at least this information:
The aerospace community has taken the ISO 9001:2015 standard and added some aerospace-specific requirements to it, releasing this document as the AS9100 Rev D standard (https://advisera.com/9100academy/what-is-as9100/), which forms the requirements for a quality management system for aircraft, space and defense organizations. This standard is audited using a process audit approach, just as other ISO standards for management systems are. It should also be noted that there is a replacement QMS standard for 2 specific types of aerospace companies: aircraft repair and overhaul organizations (AS9110) and stockist distributors (AS9120). Both of these standards are also based on ISO 9001:2015 but have different additions than AS9100, which is more generic. Training for AS 9100 auditing can be obtained from many of the same organizations that train for ISO 9001 auditing.
NADCAP auditing, on the other hand, is not like process auditing of a management system. This is compliance auditing against the specific requirements for a NADCAP process, to certify that each and every detailed requirement is met in the process, step by step. For this type of auditing, you would need to contact a NADCAP-certified training organization where they can train and certify you to do NADCAP auditing. This may only be necessary for a company that has NADCAP-specific processes.
You can read more on the companion standards to AS9100 in the article:
Check ISO 9001:2015 clause 8.3.
When your organization needs to design new equipment, you have to consider:
You can find more information below:
ISO 27001 does not prescribe a level of detail for assets, so organizations can define the level of detail that best suits them. This is generally a balance between the administrative effort and the need for information to ensure proper security. For example, you do not need to record the organization's laptops as individual assets (you can add an asset called "laptop"), but if they have specific purposes with different risk levels you can use specific assets like "laptop", "development laptop", and "finance laptop". The same concept applies to the software of your organization and other assets.
For further information, see this article:
How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
These materials will also help you regarding:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Each medical device software must be developed under IEC 62304:2006 Medical device software — Software life cycle processes. This standard describes how the software life cycle procedure must be.
Our ISO 13485:2016 documentation toolkit covers only documented procedures and requirements directly asked in the ISO 13485:2015 standard. This documentation covers the Quality management system that is applicable for all manufacturers of medical devices.
Please understand that the range of medical products extends from spoons for giving antibiotics to the artificial heart. It is not possible for one documentation toolkit to have all documentation from technical standards.
Unfortunately, we cannot give you a specific answer because we are not aware of categories OGi. What we can say is that the scope defines and communicates the borders of the management system. The scope should clearly describe the type of products and services covered by the system and provide sufficient information, preventing the transmission of erroneous or misleading information about what the organization covers in the management system and what it is able to provide to its customers. Describing a list of activities, instead of giving a general description, is used either to reinforce the message of something that the organization wants to highlight as included in the management system, or precisely the opposite, to communicate what is not included.
You can find more information below:
This is the list of mandatory documents required by the EU GDPR for the controller, who is the subject liable for GDPR compliance in the first instance: https://advisera.com/articles/list-of-mandatory-documents-required-by-eu-gdpr/
The processor's documents which are mandatory under the GDPR are fewer and are indicated by the controller, who needs to give instructions to the processor. Usually the mandatory documents for a processor in their relationship with the controller are:
- The Data Processing Agreement, which should also contain instructions from the controller on how to process personal data.
- The registry of processing activities as a processor.
- A Data Protection policy; confidentiality clauses in agreements with people accessing data should also be implemented.
Other documents may be required by controllers in order to demonstrate compliance (i.e. a Data Processing Impact Assessment on the processing carried out by the processor, or a data breach notification procedure).
The processor should be available to receive inspections and audits from the controller.
If you want to understand data processor requirements under the EU GDPR better, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
Yes, if the sales order is distributed by the ERP as is, it is OK and sufficient from the standard's point of view.