Search results

Reviewing and approving suitability and adequacy documents as an office administrator

You can answer that during review and before approval you ask opinion of participants in the documented activities about its suitability and adequacy. You can answer that you make sure that while documents are being developed participants are invited to give their contribution. You can also answer that after approval in the first month you monitor suitability and adequacy by following its implementation.

You can find more information about ISO 9001:2015 below:

• How to set up document approval/withdrawal within your QMS based on ISO 9001:2015 - https://advisera.com/9001academy/blog/2016/04/12/how-to-set-up-document-approvalwithdrawal-within-your-qms-based-on-iso-90012015/
• Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

Isolation of Sensitive Systems

This question can be answered from two points of view: auditor and pen tester.

From the auditor's point of view, you need to check the evidence that shows isolation is implemented (e.g., network topology, pentest report, etc.)

From a pen tester's point of view, to check isolation you need to try to access the systems from outside their defined perimeter of work (i.e., environment).

For example, if a system stated environment is the companies premises, you should try to access it from outside the companies premises, like:

• from a side street, trying to find out a hide wireless connection
• from the company's website, trying to explore a site vulnerability

In case the system stated environment is a single room int the companies premises, or it is disconnected from the main company's network, you should try to access by:

• trying to find out a hide wireless connection
• trying to explore an intranet vulnerability
• trying to physically access a network device connected to the system
• trying to get physical access to the room

This article will provide you a further explanation about exploring vulnerabilities:

• How to manage technical vulnerabilities according to ISO 27001 control A.12.6.1 https://advisera.com/27001academy/blog/2015/10/12/how-to-manage-technical-vulnerabilities-according-to-iso-27001-control-a-12-6-1/

ISO 9001 Documentation requirements

There may be more than one interpretation to your question. Let us assume that documentation requirements is another way of saying which are mandatory according to ISO 9001:2015 requirements?

Please check this article about mandatory documentation - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/ Based on that approach I say that the only one is 2-Audit reports (see in the article Results of internal audits (clause 9.2)). 

It is not mandatory to have a Quality Manual or quality procedures for example.

You can find more information about ISO 9001:2015 below:

• Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

ISO 27001 certification for subsidiary companies

1 - Is it possible to certify the two together or is it necessary to seek certification for each one individually?

It is possible to have a single certification for your organization and its subsidiary, but please note that implementing a certification in multiple geographic locations is a complex, and more expensive, task and you should go for it only if it is really necessary for business strategies and objectives. Instead, you should consider the prioritization of locations and implementing the certification one location at a time.  

2 - Similarly would we need a separate ISMS for each?

ISO 27001 does not prescribe how to manage information security in multiple organizations, so you can manage them using a single platform. But is important to note that you need to ensure that the specifics in the implementation of each organization are clearly identified and separated.

For example, you may have the same control (e.g., access control) implemented in different ways in several organizations, and your platform needs to help you track this condition, so activities like internal audit and management review can work on the real situation of each organization.

MDR labelling

Yes, the company will be compliant under MDR if the label attached to the medical device is only provided in English

In MDR Annex II – Technical documents, in subparagraph 2. Information supplied by the manufacturer is stated that the manufacturer needs to set the label and Instruction of use in the languages accepted in the Member States where the device is envisaged to be sold. Of course, you can provide information on English as a universal language. However, as part of your Quality management system, you need to provide a procedure for translation where you will describe how you will manage to provide labels and instruction of use if somebody will ask for it.

For more information, see:

• Annex II – Technical documentation - https://advisera.com/13485academy/mdr/technical-documentation/

• Re-calibration time

  How often you perform external or internal calibrations and whether you need to perform intermediate checks (verifications), and how often; depends on the process steps and what equipment is used. 
  No auditor can dictate the period or specific day when calibrations and verification must take place, unless there is a requirement in your proceure, in the method or from a regulatory body. For example, for analytical balances it is straight forward – a laboratory would use a set of weights that they own, where each piece has metrological traceability to SI, where they were previously calibrated by an external calibration provider (at a suitable frequency, based on risk and need).  So here you have reported uncertainties on the calibration certificate that you confirm are acceptable for each piece. Then you perform intermediate checks (verifications) on your balances at suitable time intervals (also based on risk), across the range of use (g) of the balance. For balance, this is typically daily.
  
  For further information have a look at the ILAC G24:2007 Guidelines for the determination of calibration intervals of measuring instruments (note currently under revision) available for download at https://ilac.org/?ddownload=818

  These may also be of interest 

  • Response to another Expert Advice Community Question, Are intermediate checks required for calibration laboratories? at https://community.advisera.com/topic/are-intermediate-checks-required-for-calibration-laboratories/
  • The article What does ISO 17025:2017 require for laboratory measurement equipment and related procedures? at https://advisera.com/17025academy/blog/2019/07/25/iso-17025-measurement-requirements-of-the-standard/
  • The ISO 17025 document template: Equipment and Calibration Procedure at https://advisera.com/17025academy/documentation/equipment-and-calibration-procedure//

• Sub-Processors

  Yes, you need to share your third-party list with the processor. The chain of data processors must be clear and transparent to the controller. The controller can authorize the processor to engage a sub-processor with a specific authorization or with a general authorization. In case of general written authorization, the Article 28 GDPR requires the processor informing the controller “of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.”

  Here you can find more information:

  • Article 28 GDPR https://advisera.com/eugdpracademy/gdpr/processor/
  • EU GDPR controller vs. processor – What are the differences? https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
  • EU GDPR document template: Processor GDPR Compliance Questionnaire https://advisera.com/eugdpracademy/documentation/processor-gdpr-compliance-questionnaire/
  • EU GDPR document template: Supplier Data Processing Agreement https://advisera.com/eugdpracademy/documentation/supplier-data-processing-agreement/
  You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

• GDPR - holding data

  It depends on the privacy policy and the data you shared with the app. In privacy notice, the data controller will tell you what kind of data the app will have access to and ask for your consent.The data subject can withdraw the consent at any time and for any reason. 

  According to Article 15 GDPR you can demand access to data stored by the data controller (right of access ) and of course you can demand that data based on consent shall be erased under Article 17 GDPR unless there is another legitimate ground of processing. I.e., if the app required your consent to access your image gallery and some photos of you had been processed (i.e., stored in the cloud), you can demand the cancellation of images stored but you may not be able to demand the cancellation of some information related to your account if they are processed under another legitimate grounds. I.e. billing information can be stored for longer periods because of tax laws provisions.

  The data controller shall erase your data without undue delay. In your request, you can refer to the data minimization principle demanding to cancel all the information that is no longer necessary to be processed. Of course, this is a general answer, based on your statement that the data processing is based on consent. You should check in the privacy notice which is the legitimate ground and what information is stored before demanding to proceed under Article 17 GDPR.

  Here you can find more information:

  • Article 15 GDPR: https://advisera.com/eugdpracademy/gdpr/right-of-access-by-the-data-subject/
  • Article 17 GDPR: https://advisera.com/eugdpracademy/gdpr/right-to-erasure-right-to-be-forgotten/
  • Right to be forgotten in the era when everyone seems willing to be remembered: https://advisera.com/eugdpracademy/blog/2019/08/26/gdpr-right-to-be-forgotten-an-easy-explanation/

  You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//