Search results


  • Enterprise Data Centre

    Understanding the physical and logical requirements is always important, regardless of the asset size or complexity, because this will allow you to identify the solutions that will properly support your need, without leaving any gaps (if requirements are underestimated) or consuming unnecessary resources (if requirements are overestimated).

    Considering that, without knowing your context and risks it is not possible to define practical solutions. What can be done is to mention common practices (which should be evaluated considering your context and risks):

    • physical segregation from other environments
    • logical segregation of servers, networks and services
    • redundancy of single points of failure (e.g., power cable, communication links, etc.)

    For further information see:

  • SOC Reports

    1 - I would like to ask you if you have some resources for learning about SOC reports.

    I am sorry but our content is developed for ISO 27001. Anyway, this information (from the official site of the American Institute of CPAs) about SOC and ISO 27001 can be interesting for you (see the Excel “Trust Services Map to ISO 27001"): https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/soc2additionalsubjectmatter.html

    In Excel, there are some points in common between ISO 27001 and SOC, so for these points, you can use our toolkit “ISO 27001 Documentation Toolkit”: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    2 - Is it worthwhile for a company to work on ISO 27001 controls and SOC reports at the same time? Does ISO 27001 cover the SOCs?

    SOC 1 deals with controls at a service organization's internal controls over financial reporting systems, while SOC II has several common points with ISO 27001:2013: risk management, internal audit, business continuity, access control, etc.

    Considering that, ISO 27001, which is an international standard for information security, can be used to implement some of the controls defined by SOC, but they do not have a direct relation, nor is either one required to implement the other.

    These articles will provide you a further explanation about ISO 27001:

    These materials will also help you regarding ISO 27001:

  • Corrective and preventative actions

    All non-conformities require treatment, which means that all non-conformities require a correction.

    Please check ISO 9001 clause 8.7 – you can read something like - “The organization shall take appropriate action based on the nature of the nonconformity and its effect on the conformity of products and services”. There is no mention of corrective or preventative actions.

    Please check ISO 9001 clause 10.2.1 a) – when a non-conformity occurs organizations have to react to control, correct, and deal with the consequences.

    Please check ISO 9001 clause 10.2.1 b) – you can read something like – “evaluate the need for action to eliminate the cause(s) of the nonconformity”. Evaluate the need means that organizations may decide to develop a corrective or preventative action after correcting a non-conformity or may decide otherwise.

    So, preventative actions are not mandatory for a non-conformity under the ISO 9001 standard. Organizations should evaluate each case and even trends.

  • Determining the internal and external context

    You can simply organize a meeting with the relevant people in the organization, such as the managers of each department and top management, and brainstorm to determine the internal issues and external issues of the organization.

    Another way to identify the organization's context is through a SWOT analysis, which considers strengths, weaknesses, opportunities and threats. This analysis will not only provide information about the context of the organization but will also help us during the subsequent identification of risks and opportunities.

    On the other hand, the PEST analysis, which deals with the political, economic, social and technological context, can also help the organization identify the external issues of its context.

    For more information on how to determine the internal and external context of the organization, see the following materials:

    - How to identify the context of the organization in ISO 9001:2015: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-identificar-el-contexto-de-la-organizacion-en-iso-90012015/

    - ISO 9001:2015 case study: context of the organization as a success factor in a manufacturing company: https://advisera.com/9001academy/blog/2016/10/11/iso-90012015-case-study-context-of-the-organization-as-a-success-factor-in-manufacturing-company/

    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

    - Free online course - ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/

  • ISO 9001 Lead auditor - keeping up with latest developments in the field

    A responsible auditor should invest in keeping up to date with the latest developments:

    • Keeping an eye on relevant standards evolution
    • Making a continual effort to learn about the standards by reading books and articles or participating in relevant fora
    • Keeping an eye on relevant compliance obligations status

    The following material can provide more information:

  • Necessity of implementing ISO 14971 to obtain ISO 13485

    Yes, it is necessary to implement ISO 14971:2012 Medical devices — Application of risk management to medical devices. This standard is the only standard on the list of harmonized standards that talks about risk. Since all manufacturers of medical devices need to be in compliance with the list of harmonized standards published by the European Commission, it is obligatory to have implemented this standard.

    For more information, see:

    • EU MDR Article 8 – Use of harmonized standards - https://advisera.com/13485academy/mdr/use-of-harmonised-standards/
    • List of harmonized standards https://ec.europa.eu/growth/single-market/european-standards/harmonised-standards/medical-devices_en

  • MDR QMS requirements

    Thank you for pointing this out to us. You are right, we will correct it. Control of suppliers and subcontractors is definitely covered by 7.4 Purchasing, and the strategy for complying with regulation is in 4.1 General requirements and 5.1 Management commitment.

  • ISO 27001 certification

    What are the requirements for a company to have this certification?

    Broadly speaking, to be ready for ISO certification, an organization needs to:

    • get support for the project (through approval of the ISMS project plan) and approval of the Procedure for Document and Record Control;
    • define the ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding the organizational context and requirements of interested parties;
    • develop the risk assessment and treatment methodology;
    • perform a risk assessment and define the risk treatment plan;
    • implement controls (e.g., policies and procedures documentation, acquisitions, etc.);
    • perform people training and awareness;
    • operate controls;
    • perform monitoring and measurement;
    • perform an internal audit;
    • perform a critical management review; and
    • address nonconformities, corrective actions, and opportunities for improvement.

    This article will provide you with a further explanation about ISMS implementation:

  • DPIA

    1. I would appreciate your advice regarding the following: As a processor, should I perform a DPIA (is it required)?

    Article 35 GDPR defines the Data Protection Impact Assessment (DPIA) as an obligation of the controller. Among the obligations of the processor, however, Article 28 GDPR requires it to “inform the controller of that legal requirement before processing”. This means that if a DPIA is required of the controller and the processor becomes aware of it, the processor should represent to the controller that a DPIA is needed. Of course, it is an obligation to inform, so it is the controller who shall perform the DPIA and the consequences shall be on the controller.

    2. If the controller is not in compliance with the GDPR and didn't share any direction with the data processor (in other words, the controller didn't ask the processor to be in compliance with the GDPR), will the data processor be liable if any security breach occurs?

    From your question I understand that the controller transferred data to the processor without giving any instruction, on the basis of a commercial agreement without clauses on data processing.

    In this case, the processor will be liable if any security breach occurs for data processed by the processor on behalf of the controller. In fact, Article 28 GDPR requires the processor to adopt security measures in compliance with Article 32 GDPR, which requires that “the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk”. Therefore, if you are processing personal data on behalf of someone else, you are liable for security. As stated in the answer to the first question, you should inform the controller about the requirement, and you can propose your own data processing agreement (e.g., as Google does with its clients).

    Article 28 (3) GDPR imposes on the processor a duty of information and supervision over the controller's compliance with GDPR requirements. Therefore, increasing the controller's awareness of the applicability of the GDPR and helping controllers to comply with GDPR requirements can be considered both an additional market value for the processor and a legal requirement to avoid liability.

    In fact, accepting to process personal data without questioning the applicability of the GDPR can be interpreted as a violation of the processor’s vigilance duty laid out in Article 28 GDPR, in case the Regulation is applicable and a data breach occurs. Article 28 (f) states that the processor “assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;”

    Of course, if the controller stated that the GDPR is not applicable and no information is available to the processor despite its requests, the processor could not be considered liable in case of a data breach.

    3. Is it required for the traffic containing PII between a company and a service provider to be encrypted?

    The GDPR leaves it up to the controller and the processor to determine the appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Of course, encryption is nowadays considered a good security measure, so it is highly suggested.

    Here you can find more information:

    You can also consider enrolling in this free online training, EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

  • Training Validation for ISO 13485

    Yes, you are right that ISO 13485:2016 does not specify how to handle training validation. The only requirement in 6.2 Human resources is to evaluate the effectiveness of the actions taken for the training. So, it is up to you how you will do it. I would like to point out here that the note to requirement 6.2 also states that the methodology used to check effectiveness is proportionate to the risk associated with the work for which the training is provided. It means that you decide for which training there is a need to perform validation and for which there is not (based on the risk).

    Sometimes the method can be a quiz, sometimes it can be checking the person in everyday work, and sometimes, during an internal audit, you can check whether everything is done in the prescribed and appropriate manner.

    The following article can provide you with more information about effectiveness:
