
  • ISMS Scope - remote working

    1 - A question on ISMS scope and 3.3 Locations in your toolkit template. Due to covid we no longer have a physical office, it may be that we never return to having one as we mainly all worked remotely in any case. We have 6 people in our business, but 4 remote working locations.

    For the purposes of ISO27001, are those 4 remote working locations to be in scope for our ISMS? I think the answer is no because we are a SAAS company and your webinar on ISMS scope said that SAAS cloud companies did not need to look at HW or SW, just their data.

    Your assumption is correct. Regarding remote workers, normally you do not control the environment where they are, so these are kept out of the scope.

    These articles will provide you a further explanation about defining scope:

    2 - However, what about operational controls to ensure information and data such as passwords are not left lying around? An imposter could in principle log on and get into our system. Would we need a tidy desk policy or something like that so that no paper passwords or client data/information is on note pads or left out. How would you actually enforce that with remote working? Perhaps a risk you chose to acknowledge but not do anything about as you can’t enforce a locked room in someone’s home. Not sure what other companies are doing on this point now that everyone is working from home.

    Should we be saying that employees log out when they go away from their computer? Should we be keeping a record of when an employee signs in and signs out of their device or applications on that device? We value our flexibility and don’t want to upset our culture by having a big brother approach to how we work and operate.

    In such cases with remote workers, you treat remote access as a risk in your assessment, and treat the unacceptable risks by means of controls from section A.15 - Supplier relationships (e.g., by using contracts and terms of service to enforce security practices).

    This article will provide you a further explanation about the scope definition and supplier management:

  • Disposal of assets

    Please note that while ISO 27001 provides a general objective for the disposal of media, it does not provide technical guidance on how to perform media disposal.


    To see what a Disposal and Destruction Policy compliant with ISO 27001 looks like, please see this free demo template at this link: https://advisera.com/27001academy/documentation/disposal-and-destruction-policy/

    For technical guidance, you should consider these references:

    These articles can also help:

  • Documents and records

    1 - A further point to the below on when a document can become a record.

    This is the principle in the document change history section of documents, that I’ve been basing our document version control journey on:

    V0.1, v0.2, v0.3, v0.4 = Drafts

    V1.0 = Approved version based upon v0.4

    V1.1, V1.2, V1.3 = Updates to the v1.0. Draft status.

    V2.0 = Approved version based upon v1.3

    V2.1, V2.2, V2.3, V2.4 = Drafts

    V2.4 is reviewed and approved

    V3.0 = New approved version.

    I had thought that as soon as a document has approved status then it becomes a record. At that point the document which is now in the record log, is subject to the controls re assigning an owner that must check the content on a given review date to ensure that the information and data contained with the document is accurate, current and relevant.

    From the advice you have given, I realise I have misunderstood what a record can be and also the control that applies to records. The above example of a document, from what you are saying, is not to be considered a record. However, the quality control still needs to take place to review all documents that have information and data in for their accuracy and relevance etc.?

    Please note that a document only becomes a record when you cannot change it anymore (at most you can add an amendment, but the original record is kept intact), and you need to implement controls to ensure unauthorized changes do not occur. While it is subject to updates, you need to review it when necessary to ensure it is still accurate and relevant, so quality control still needs to perform actions on documents.

    2 - Records cannot be edited or amended and they have retention periods, whereas documents are only required up until the point that they are useful to the business. Therefore, all previous versions of documents can be archived or deleted. Is this a correct statement?

    Filing and exclusion of a number of obsolete versions of documents (i.e., approved versions that were replaced by updated ones) will depend on the applicable requirements for records retention. For example, for some documents, you may need to keep all previous versions, while for others you may need to keep only the two previous versions.

    3 - A secondary point, is the above example of version control a good practice approach or am I leading our team down the wrong path?

    Your example of versioning is a common one used in the marketing and is fine to be used for ISO 27001.

  • Requirements for analytical laboratories under 16949 designation

    When you use an external laboratory, ISO 17025 accreditation is a must.

    If your supplier who produces the product performs the tests in his own laboratory, I think that if he provides you with evidence that he is in compliance with the 7.1.5.3.1 requirements of the standard, that is, that his internal laboratory is in compliance, it will be sufficient with PPAP.

    But again, to be safe, it would be better if you have the tests that are legally required on the product done by an accredited laboratory.

  • QMS Objectives

    Timeframe is one thing, monitoring frequency is another:

    https://www.screencast.com/users/ccruz5284/folders/Default/media/c304d123-6761-45d4-a3ec-7e361dc7b839

    If the monitoring frequency is made equal to the timeframe there will be no monitoring during the journey to the desired future. You will have only one verification at the end, and if you fail to meet the objective it is too late to act. For example, in the picture above, before the end of the time frame there are three interim moments of monitoring allowing action if needed.

    What is the best timeframe for an objective? It will depend on the dimension of the change needed and on the availability of resources.

    The following material will provide you more information:

  • ISO 13485 workflow explanation

    The following article explains how to create an ISO 9001 process flowchart, and provides an example of a process flowchart that can be used as a guideline for creating a flowchart for your own company. You will also learn:

    • What the process approach is
    • Why it is important
    • An overview of commonly used terminology

    For more information, please see:

    Also, this webinar may provide additional information:

