Please note that the section regarding external correspondence refers to electronic and physical documents you need for your ISMS that come from external parts like customers, suppliers, regulatory agencies, etc. If an external document is irrelevant to the ISMS, you do not need to control it as an external correspondence.
For example, specifications sent from a customer, contracts from a supplier, and a law from a government agency. The ISO 27001 standard is an example of an external document required by the ISMS.
For further information, see:
We are talking here about the people aspect of change. One of the ITIL 4 practices, "Organizational change management", covers that topic, so I suggest you look into that practice.
Yes, ISO 13485 will be the right option since it includes the Research and Development part. There are some specialties within ISO 13485 that are required for the design and development of in vitro medical devices that are not covered in other standards or norms. We have developed a Design and Development toolkit that is in compliance with both ISO 13485 and EU MDR 2017/745.
A preview of some of the documents can be found at the following links:
I’m assuming you are referring to a certification audit perspective.
Considering that, your assumptions are correct. The standard, internal policies and procedures, and applicable legal requirements (e.g., laws, procedures, and contracts) related to the ISMS are mandatory criteria for the internal audit.
The point about the audit criteria definition in the standard is that you can decide how to perform the audit to cover the ISMS scope (several small audits or a single one). You can use the audit criteria to set groups of elements to be audited. For example, you can decide to audit first IT processes then SW development processes, and then HR processes. Or you can decide to audit first processes related to the higher risks. Or you can perform more than one audit in areas with a history of a high quantity of incidents or non-conformities.
Additionally, you can decide to include references, like ISO 27002 or NIST Special Publications, if they were used by the organization to implement their controls.
Yes, Clause 6.4.9 does apply, as the expired reagents are "outside specified requirements". The laboratory must assess whether they can be used without invalidating test method results. This is the performance risk assessment that must be done. Consider the risk. It is the laboratory's decision whether to spend resources on testing whether the expired reagents can be used or not. It depends on the nature of the reagent and test method in terms of possible breakdown products and interferences, or perhaps the reagent will be ineffective for other reasons. Typically, use a new batch of reagent (which is not expired) and do a comparison, running the usual QC samples plus test samples in the two batches. You will need to decide on what basis you will continue using the expired reagent, as it may change with time. For example, if the reagent blank and control samples fall in the expected analytical range (pass QC), then continue using it and run the batch.
Unless you have specific legal requirements (e.g., laws, regulations, or contracts) demanding implementation of ISO 27019 controls, you do not need to include them in the ISMS implementation.
Please note that ISO 27001 controls are comprehensive enough to be applied to any industry, and ISO 27019 only provides specific implementation guidance and controls for the energy utility industry.
In case you need to include ISO 27019 in your implementation, based on the results of the risk assessment and applicable legal requirements, you either include the relevant additional recommendations in the existing controls they refer to (e.g., if there are specific recommendations for control A.9.1.1 – Access control policy, you include these specific recommendations in the way you implement it), or you include a new control specific to that standard (e.g., control 12.9.1 – Integrity and availability of safety functions).
I'm assuming that this question is about Conformio.
Considering that, first of all, we are sorry for this situation.
At this moment it is not possible to include other sources of controls besides ISO 27001 Annex A in the risk register, because the large majority of companies do not find it necessary to add controls not listed in Annex A.
ISO 27001 Annex A is a comprehensive set of controls, and if we know which control you are planning to use, we may be able to link to an equivalent control from ISO 27001 Annex A.
In case there is no possible relation to Annex A controls, a workaround would be for you to upload to Conformio a document stating which risk (i.e., asset, vulnerability, threat, risk value) will be treated by controls not related to ISO 27001 Annex A, and also stating the residual risk.