Search results

Validation of equipment

According to requirement 7.5.6 manufacturers must validate any processes for production and service provision where the resulting output cannot be or is not verified by subsequent monitoring or measurement. Furthermore, according to requirement 6.3 Infrastructuremanufacturer must document the requirements for the infrastructure needed to achieve conformity to product requirements. This definitively is considering using validated equipment during manufacturing.  

09.04 BYOD Policy and 09.01 IT Security Policy

The BYOD Policy and the IT Security Policy were developed as separate documents to avoid making the IT Security Policy a bigger and more complex document to read and manage, but you can merge the two documents if you want to (ISO 27001 does not require policies to be written as separate documents).

For further information, see:

• One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/

Distributors role in UK MDR changes

To my knowledge, this MHRA extending the deadline does not impact the distributors since they are not responsible for placing the device on the market. So they will behave accordingly to the manufacturer's obligations.  

Questions on Training Procedure and Procedure for Infrastructure and Work Environment

1. The reason of my mail is to ask you on which document of the toolkit can I find the one that describes the trainings product?

2. On the Procedure for Infrastructure and Work Enviroment document, on section 3.5 (Monitoring and measuring environmental conditios) I wonder if this section is necessary environmental conditions nor a cleanroom to do the device, the device is not invasive and it's mostly a software with sensors to check basic vital signs using IoT.

Aligning ISO 17025 with ISO 14001, ISO 45001 and ISO 9001

The alignment of ISO QMS standards is based on the ISO harmonization using what ISO refers to as a High-Level Structure (HLS). This ensured better integration as all ISO management systems reviewed after 2012 were revised to have the same look and feel by including a set of ten common clauses. Understandably, depending on the purpose and scope of the standards, the other main clauses will differ. ISO Standards are reviewed every 5 years and either confirmed as current or revised.  ISO 17025:2017 is currently under review, however, that does not mean it will be revised, as already in 2017 the HLS was adopted. ISO 17025 was revised after ISO 9001:2015 and was aligned to ISO 9001:2015 at the time (both having the HLS). Refer to clause 8 – you will see the harmonization. For interest,  see from the ISO website that ISO 9001:2015 was last reviewed and confirmed as current in 2021; ISO 14001:2018 was last reviewed and confirmed in 2022. ISO 45001:2018 is the most recent revised standard you have mentioned.  

When integrating QMS in your organizations, you can combine activities together by referencing different clauses for different Standards and ensuring that the appropriate process is followed say for the ISO 17015 and ISO 14001 components of the integrated QMS.

For some further information have a look at my post at https://community.advisera.com/topic/laboratory-certifications-for-iso9001-and-17025/ 

ISO 27001 doubt on applicability of controls

Please note that the mentioned controls:

• 8.25 Secure development life cycle
• 8.26 Application security requirements
• 8.27 Secure system architecture and engineering principles
• 8.28 Secure coding
• 8.29 Security testing in development and acceptance 

They are intended to protect the development of any software, not just in-house software, so if your company intends to make changes to an open-source software/platform and there are relevant risks or applicable legal requirements (e.g., laws, regulations, or contracts) that justify implementing such controls, then you need to implement them.

Only in case you do not have relevant risks or applicable legal requirements or have open-source software where you do not make any changes, then you do not need to implement these controls.

For further information, see:

• How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/blog/2017/01/24/how-to-integrate-iso-27001-a-14-controls-into-the-system-software-development-life-cycle-sdlc/

Completing RTP before certification audit

You can leave some of the activities of the Risk Treatment Plan to be completed after the certification audit under the following conditions:

1. That you have implemented before the certification the controls that mitigate the biggest risks - in other words, you can leave for conclusion after the certification audit only activities related to less important controls.
2. That you have specified the deadlines for the activities related to the controls that you will be implementing after the certification in your Risk Treatment Plan - of course, those deadlines must be after the certification date.
3. That your risk owners or top management accept all the risks for which controls have not been implemented before the certification.

This means that activities related to the most important controls must have "implemented" status at the certification, while the less important controls can have the status "planned" or "partially implemented" at the moment of the certification.

This article will provide you with further explanation:

• Risk treatment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment

Can a single legal entity have multiple ISO 27001 certifications?

It is possible for a single legal entity to have 2 ISO 27001 certifications, provided you can establish a clear separation between them (i.e., they shouldn’t have overlapping elements).

Team in charge of implementation and maintenance of the ISMS

From your question it is not clear whether you are asking about responsibilities for approving policies and procedures, or for responsibilities that are specified in information security documents.

1) Responsibilities for approving policies and procedures:

In smaller companies, one person usually approves documents, while there are usually 2 or 3 persons that are reviewing the documents before they are sent for approval.

2) Responsibilities specified in information security documents:

In the top-level Information Security Policy you should define:

• one person in charge of coordinating the ISMS
• one sponsor from the top management team

For detailed policies like Backup Policy or Access Control Policy, different people will have different responsibilities - e.g., the person in charge of doing the backup might be a different person from the one in charge of approving access.

The standard allows collective decision-making, however having a 3-person committee that decides about everything is impractical.

For further information, see:

• Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
• How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/

• Certification

  First is important to note that the software is not certifiable against ISO 27001. What can be certified are departments or whole companies.

  You can certify either company A, or B, or both of them. Since this certification is driven by customer demand, it would be best to ask the customer which company would they prefer to be certified. If the customer does not have a preference, it would be more logical to go for company B.

  Regarding Conformio, it can be used to implement and maintain your Information Security Management System, no matter if you choose to go with company A or B. It is designed to be used by smaller companies.

  For further information, see:

  • Conformio (online tool for ISO 27001) https://advisera.com/conformio/