Search results


  • Assets ISO 27001

    ISO 27001 does not prescribe a level of detail for assets, so organizations can define the level of detail that best suits them. This is generally a balance between the administrative effort and the need for information to ensure proper security. For example, you do not need to record your organization's laptops as individual assets (you can add an asset called "laptop"), but if they have specific purposes with different risk levels you can use specific assets like "laptop", "development laptop", and "finance laptop". The same concept applies to the software of your organization and to other assets.

    For further information, see this article:

    How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
    These materials will also help you regarding:

    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

    - ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  • Procedure for the Software Life Cycle

    Each medical device software must be developed under IEC 62304:2006 Medical device software — Software life cycle processes. This standard describes what the software life cycle procedure must look like.

    Our ISO 13485:2016 documentation toolkit covers only the documented procedures and requirements directly required by the ISO 13485:2015 standard. This documentation covers the quality management system that is applicable to all manufacturers of medical devices.

    Please understand that the range of medical products extends from spoons for giving antibiotics to the artificial heart. It is not possible for one documentation toolkit to have all the documentation from the technical standards.

  • Is ISO 9001 listing of activities mandatory

    Unfortunately, we cannot give you a specific answer because we are not aware of categories OGi. What we can say is that the scope defines and communicates the borders of the management system. The scope should clearly describe the type of Products and Services covered by the system and provide sufficient information, preventing the transmission of erroneous or misleading information about what the organization covers in the management system and what it is able to provide to its customers. Describing a list of activities, instead of a general description, is used either to reinforce the message of something that the organization wants to highlight that it is included in the management system, or precisely the opposite, to communicate what is not included.

    You can find more information below:

  • List of documentation required by the data processor

    This is the list of mandatory documents required by the EU GDPR from the controller, who is the subject liable for GDPR compliance in the first instance: https://advisera.com/articles/list-of-mandatory-documents-required-by-eu-gdpr/

    The processor's documents which are mandatory under the GDPR are fewer, and they are indicated by the controller, who needs to give instructions to the processor. Usually, the mandatory documents for the processor in its relationship with the controller are:

    - The Data Processing Agreement, which should also contain instructions from the controller on how to process personal data.
    - The registry of processing activities as a processor.
    - A Data Protection policy; confidentiality clauses in agreements with people accessing data should also be implemented.

    Other documents may be required by controllers in order to demonstrate compliance (e.g. a Data Processing Impact Assessment on the processing carried out by the processor, or a data breach notification procedure).

    The processor should be available to receive inspections and audits from the controller.

    If you want to understand better data processor requirements under the EU GDPR you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//


  • Contract Review per ISO 13485 sec. 7.2.1, 7.2.2

    Yes, if the sales order is distributed by the ERP as is, it is OK and enough from the standard point of view.

  • Difference between 3.10 Release in production/ market and 3.12 Transfer to production

    This is related to the general demands exemplified by health records.

  • Audit

    I will be grateful if you can solve my next query.

    Some months ago I bought the Premium Package from you, and I have been preparing a company to be certified in ISO 27001.

    My question is: how far should I go before the certifying company does its audit? You must consider that I have completed all the steps required and mandatory by ISO 27001, having reached the "Awareness and training plan". I am only missing the points "Internal Audit", "Management review" and "Corrective actions" .... My question is whether these last 3 steps must be carried out before passing the Certification Audit.

    I must emphasize that, in my capacity as Consultant for the implementation of ISO 27001, I could not do an Internal Audit, because I should not be "judge and party".

    What should I do or what do you recommend?

    To go for certification, an organization must have evidence of the fulfillment of all requirements of the standard, as well as of the operation of all implemented controls.

    Considering that, the certifying company must perform an internal audit, management review, and handle corrective actions before going for the certification audit.

    As for performing the internal audit, you still have some options: you can train the organization's employees to perform the internal audit (taking care that they do not audit their own work), or the organization can hire an external auditor to perform this internal audit.

    These articles will provide you a further explanation about certification:

    These materials will also help you regarding certification:

  • Business continuity management

    ISO 22301, the ISO standard for Business Continuity Management, was designed to be implemented in organizations of any size and industry, so it can be applicable to a Pharmaceutical company.

    To see how documents compliant with ISO 22301 look, I suggest you take a look at the free demo of our ISO 22301 Documentation Toolkit at this link: https://advisera.com/27001academy/

    This article will provide you a further explanation of ISMS implementation:

    These materials will also help you regarding ISO 27001 implementation:

  • Tinder Account Banned - removing my data

    The legal basis for processing personal data is the fulfillment of a contractual obligation, that is, providing you access to the Tinder platform. Tinder can store your personal data (the Apple ID, in order to verify the user) as long as they provide you the service, and even after the termination of the contract if there is any reason (legal action, bookkeeping requirements, tax law provisions) that requires Tinder to store such information.

    Under Article 15 GDPR, you have the right to ask Tinder to tell you exactly what kind of data they process, what the legal basis of the data processing is, and how long the data will be stored, and, according to the minimization principle, to ask them to delete any personal data that no longer needs to be processed (e.g. if you did not make any purchase, there might be no reason to store the credit card details, and you can demand that they delete them), as stated in Article 17 par. 1 a) GDPR.

    Tinder might reject your request by claiming to have the right to store your personal data; if you believe that your rights are infringed, you can lodge a complaint with the Supervisory Authority of your home country.

    Here you can find more information on data subjects rights and the right to be forgotten:

    To understand which are the data subjects rights and how to protect them under GDPR you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

  • Post-market surveillance

    Concerning ISO 9001:2015:

    • Clause 8.2.1 c) – states that communication with customers should include obtaining customer feedback, including customer complaints
    • Clause 8.5.5 – states a set of activities that should be considered after delivering a product or service, like any guarantee, any repair, any complaint, any feedback
    • Clause 9.1.2 – states that customer satisfaction must be monitored

    You can find more information below:
