You can download an explanation of ISO 22301 standard here: Clause-by-clause explanation of ISO 22301 https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-223012008
In the ISO 27001 & ISO 22301 toolkit you purchased, you will find the document called "List of documents" - it defines which documents are needed for ISO 22301 implementation.
To simplify this, if you want to implement only ISO 22301 without ISO 27001, you would need to implement documents from these folders, in this very sequence:
00 Document management
01 Preparations for the project
02 Identification of requirements
05 Risk assessment and treatment
08 Annex A controls - A.17 Business continuity
09 Training and awareness
10 Internal audit
11 Management review
12 Corrective actions
In SOP for infrastructure you need to consider the following:
More information on this topic you can find in the following article:
You can also see what the procedures for infrastructure and records of the infrastructure maintenance in our ISO 13485:2016 documentation toolkit look like:
Concerning the EU GDPR membership and countries outside of the membership: the EU GDPR will be mirrored by the UK GDPR version - would this be subject to regular reviews?
The UK chose to mirror the EU GDPR in order to have an adequacy decision by the EU Commission and not lose the free flow of data between the EU and the UK. It is difficult to forecast regular reviews, either on the EU GDPR or the UK GDPR side. We can imagine a coherent evolution for both regulations in order to provide a standard to controllers and processors, but most will depend on how the relationship between the UK and the EU will continue.
Hypothetically, if the EU were to break up - would the GDPR be able to continue under a unified, but individual country membership? I live in the UK (Scotland) and hope this does not become a reality.
The EU GDPR is a regulation of the EU and it produces effects in the Member States on the basis of the EU Treaties. In the unlikely event of an EU break-up, the Treaties would not produce their effects anymore and the GDPR would have no effect in the former EU States unless the country mirrors it with internal legislation. The negotiation on dissolving the EU may also end with an international agreement adopting the GDPR as a separate treaty in order to give each State the benefit of the same regulation.
Here you can find more information on the territorial scope of the GDPR
To have a deeper idea of the list of requirements of GDPR you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
There is no certification process of compliance with GDPR. However, some ISO standards like ISO 27001 and 27701 may end up in conformity to GDPR requirements.
Here you can find more information about ISO 27001 and GDPR:
There is also our Free webinar:
If the organization's OEM automotive customer is Ford, the customer-specific requirements (CSR) are already available on the IATF web page and the Ford portal. Therefore, Ford does not give its specific requirements separately.
Your customer portal access is opened by the customer and you enter it with your password. Portal access is available for all automotive IATF OEM customers, and CSRs are also uploaded on the IATF website.
If your customer is not Ford, you should use your main customer's customer-specific requirements (CSR). You should request the CSR from your main customer.
The major finding is that CSRs are not reviewed, not included in the quality management system, and not implemented.
For more information, please see the following article:
Yes, it is the same. The ISO 13485:2016 requirement 4.2.3 Medical device file states that an organization must establish the medical device file with content not limited to what is described there. Also, requirement 4.1 states that the organization must be in compliance with all necessary regulatory requirements.
On the EU market, it is not possible to place a medical device without having a technical file under the MDD 93/42/EEC or, from May 2021, according to the MDR 2017/745.
For more information please see the following articles:
I assume you are asking how ISO 17025 accreditation would assist you in improving the quality of testing? Your laboratory would benefit from implementing ISO 17025, as its purpose is to guide laboratories to achieve competency and consistently valid results. What you mentioned would be the laboratory’s scope of testing. Method development, validation and measurement uncertainty will be an important focus to achieve your scope.
For further information see the following:
That would not be appropriate to calibrate an auto titrator. Note firstly that "A grade glassware" is not a Certified Reference Material. The glassware does not come with individual calibration certificates.
Your equipment supplier or equipment manual should provide you with suitable information. Simply stated, you would need to use a suitable balance and determine the volume dispensed gravimetrically; or use a primary standard for titration to determine the linearity and correlation coefficient of the auto titrator. Depending on the methods you use, you would select a suitable primary standard and titrate a range of five quantities as per your method to provide data for the calculations.
The following toolkit document, with associated records, may be of interest: Equipment and Calibration Procedure at https://advisera.com/17025academy/documentation/equipment-and-calibration-procedure//
It's our policy not to make recommendations about technologies or products, but from our experience with small and midsized businesses, the Excel-based tool is still the best solution balancing cost and effectiveness.
To make a usability benchmark, I suggest you see the free demo of our Risk Assessment table (it has been widely used by small and midsized businesses all around the world in their certified ISO 27001 ISMSs). This template uses the asset-threat-vulnerability approach.
You can see a demo of this template at this link: https://advisera.com/27001academy/documentation/risk-assessment-table/
These articles will provide you a further explanation about risk assessment according to ISO 27001:
Please note that ISO 27001 specifies that the CIA is directly related to risks (6.1.2 c 1), and to consequences (i.e., impacts) (6.1.2 d 1), and asset value (in your case privacy severity) is defined in terms of legal requirements (e.g., laws, regulations, and contracts), and their criticality and sensitivity to compromise due to realized risks.
There is no direct relation between the CIA triad or asset value and probability.
For further information, see:
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
This material can also help you:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
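As an added illustration of the asset-threat-vulnerability approach and of the point above that asset value (C/I/A) feeds the consequence of a risk, not its likelihood (example code, not the toolkit's Risk Assessment table; the 0-2 scales, the additive scoring and the acceptable level are assumptions):

```python
"""Minimal asset-threat-vulnerability risk table (added example).
Assumed scales: likelihood 0-2, consequence 0-2, risk = likelihood + consequence."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    # C/I/A values 0-2, derived from legal/contractual requirements,
    # criticality and sensitivity to compromise (not from any probability)
    confidentiality: int
    integrity: int
    availability: int

@dataclass(frozen=True)
class Scenario:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int          # 0-2, depends on the threat/vulnerability pair only
    affects: tuple           # which of "C", "I", "A" the threat would compromise

def consequence(s: Scenario) -> int:
    """Consequence = value of the most valuable property the threat hits."""
    values = {"C": s.asset.confidentiality, "I": s.asset.integrity, "A": s.asset.availability}
    return max(values[p] for p in s.affects)

def risk(s: Scenario) -> int:
    return s.likelihood + consequence(s)     # assumed additive scoring, range 0-4

def assess(scenarios, acceptable_level: int = 2):
    """Return (asset, threat, vulnerability, risk, needs_treatment) per scenario."""
    return [(s.asset.name, s.threat, s.vulnerability, risk(s), risk(s) > acceptable_level)
            for s in scenarios]

# Constructed sample data for illustration only
HR_DB = Asset("HR database", confidentiality=2, integrity=2, availability=1)
WEBSITE = Asset("Public website", confidentiality=0, integrity=1, availability=2)
SCENARIOS = [
    Scenario(HR_DB, "unauthorized access", "shared admin password", 2, ("C", "I")),
    Scenario(WEBSITE, "denial of service", "no rate limiting", 1, ("A",)),
    # same likelihood as the first row, but a low-value property -> low risk
    Scenario(WEBSITE, "eavesdropping", "no TLS on admin page", 2, ("C",)),
]

if __name__ == "__main__":
    for row in assess(SCENARIOS):
        print(row)
```

The third row has the same likelihood as the first, yet a lower risk, because only the asset's confidentiality value changed.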