
  • How to use ISO 27001 in the hospital

    ISO 27001 was designed to be implemented in organizations of any size and industry, and broadly speaking, these are the general steps to implement it on any organization:

    1. get support for your project (through approval of the ISMS project plan);
    2. develop the Procedure for Document and Record Control;
    3. define the ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding the organizational context and requirements of interested parties;
    4. develop risk assessment and treatment methodology;
    5. perform a risk assessment and define the risk treatment plan;
    6. controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
    7. people training and awareness;
    8. controls operation;
    9. performance monitoring and measurement;
    10. perform an internal audit;
    11. perform management critical review; and
    12. address nonconformities, corrective actions, and opportunities for improvement.

    Regarding ISO 27001 implementation approaches, you have three options:

    • Implementing with your own employees (in general the cheapest and longest)
    • Hiring a consultant (in general the costliest and fastest)
    • Implementing by yourself with external support (a balanced solution)

    Each one of them has its advantages and disadvantages, related to time, resources, and knowledge. For more information, I suggest the following materials:

    Advisera is specialized in the third approach. We offer toolkits with templates and expert support, and also free material in the form of articles, papers, and webinars, to help you with your implementation project. Please see these materials for more information:

    This article will provide you a further explanation about ISMS implementation:

    These materials will also help you regarding ISO 27001 implementation:

  • Where do you see ISO 27001 in the future?

    I'm assuming that by the second reference you mean ISO 14001.

    Considering that, with the increase in attacks aiming at private and corporate information, the increase in the dependence on information to provide services, and the potential impacts due to realized risks, we see an increase in the adoption of ISO 27001 by organizations, but not as the most important standard (since ISO 9001 is focused on customer satisfaction, it will remain the most popular ISO management system standard).

  • IVD Medical Devices for Infectious Diseases

    For IVD Medical Devices for Infectious Diseases e.g. Covid-19 are these classified in IVDR as high-risk Class D?

    Which class an IVD for COVID-19 falls into depends on what type of test it is. There are three main types of detection assays relevant for COVID-19 diagnostic testing and screening:

    1. Nucleic acid tests that detect the presence of viral RNA.
    2. Antigen tests that detect the presence of a viral antigen, typically part of a surface protein.
    3. Antibody tests that detect the presence of antibodies generated against SARS-CoV-2, like immunosorbent assays (ELISA), chemiluminescence assays (CLIA) and lateral flow assays (LFA).

    According to IVD Directive 98/79/EC Article 9, on conformity assessment procedures, for COVID-19 diagnostic devices that are not intended for use as self-tests, the manufacturer shall, in order to affix the CE marking, draw up the EC declaration of conformity required before placing the devices on the market. This is a self-declaration procedure based on satisfying the essential safety and performance requirements listed in the Directive and the specifications of the device performance characteristics stated by the manufacturer. In the case of self-tests, the involvement of a third-party conformity assessment body is necessary.

    European Commission has published a document which proposes a tentative definition of COVID-19 diagnostic test performance criteria (analytical sensitivity, analytical specificity, clinical sensitivity, and clinical specificity) - Current performance of COVID-19 test methods and devices and proposed performance criteria - Working document of Commission services https://ec.europa.eu/docsroom/documents/40805

    European Commission also published a searchable database. The objective of the JRC COVID-19 In Vitro Diagnostic Devices and Test Methods Database is to collect in a single place all publicly available information on the performance of CE-marked in vitro diagnostic medical devices (IVDs) as well as in-house laboratory-developed devices and related test methods for COVID-19. - COVID-19 In Vitro Diagnostic Devices and Test Methods Database https://covid-19-diagnostics.jrc.ec.europa.eu/

    And must the CE Mark have the NB 4 digit Number next to the CE Mark?

    This depends again on what kind of diagnostic test it is. If it is a self-test, then it needs the NB 4-digit number; if it is not, then there is a self-declaration and there is no need for the NB 4-digit number next to the CE mark.

  • Interested Parties

    First, it is important to note that ISO 27001 does not prescribe how to document interested parties, so documenting them by name or by category are both acceptable approaches.

    But please note that, to fulfill clause 7.4 - Communication, you need to determine with whom to communicate, and depending on the information to be communicated, maybe it will be necessary to identify clients individually in certain circumstances.

    This article will provide you a further explanation about interested parties:

    These materials will also help you regarding interested parties:

  • Annex A.17.1/2/3

    I'm assuming you are referring only to controls from section A.17.1.

    Considering that, controls from ISO 27001 Annex A section A.17 (Information security aspects of business continuity management) aim to minimize risks so that, in case of an event that disrupts business operations, information will be kept protected, and operations that rely on it will be resumed as quickly as possible.

    To show compliance with controls of this section an organization needs to:

    • identify and include information security requirements in its preparations for business continuity
    • ensure processes, procedures and controls required for information security are documented, implemented, and maintained
    • regularly review its information security continuity elements to ensure their effectiveness and relevance to the business

    This article will provide you a further explanation about business continuity for ISO 27001:

    These materials will also help you regarding business continuity for ISO 27001:

  • Data integrity

    1. How can ISO 27001 ensure data integrity in a company that needs to create all its security policies from scratch?

    ISO 27001 Annex A has controls that can be applied to minimize risks that information is changed or destroyed without authorization (e.g., A.9.1.1 Access control policy, and A.12.1.2 Change management), and that changes performed can be tracked and undone if needed (e.g., A.12.4.1 Event logging, and A.12.3.1 Information backup), thus helping protect information integrity.

    For further information, see:

    This material will also help you regarding ISO 27001 controls:

    2. Is the return on investment of an ISO 27001 project feasible?

    ISO 27001 was designed to help organizations apply controls based on relevant requirements and in levels related to their risk tolerance.

    Considering that, provided that the ISO 27001 project is aligned to the business' and interested parties' (e.g., customers, regulation bodies, suppliers, etc.) needs and objectives, its return on investment is feasible.

    This article will provide you a further explanation about ISO 27001 implementation:

  • IS responsive culture

    To develop a security culture you must consider these points:

    • definition of clear objectives and targets
    • definition of roles and responsibilities
    • providing awareness about the importance of information security and the consequences of incidents and non-compliances
    • providing training about how to perform required activities
    • measuring and analyzing performance and providing feedback

    For further information, see:

    This material will also help you regarding awareness and training:

  • ISO 9001 - Management Representative Audit

    You are going to audit the Management Representative. An audit is about collecting evidence from the contrast between reality and audit criteria. You should start by collecting the audit criteria. Which documents in your QMS mention the Management Representative and its authorities and responsibilities? Then, read that documentation and look for situations that you think you want to check, that you want to confirm. For example, you may read that the Management Representative is responsible for conducting quarterly performance reviews about processes and action plans. You can ask to see evidence that the performance review took place, what its decisions were, and if it had a positive impact on the organization's performance. For example, you may read that the Management Representative is responsible for ensuring that corrective actions are implemented, effective, and closed. You can ask to see evidence that shows if corrective actions are defined, implemented, evaluated as effective, and closed.

    You can find more information below:


  • Are we allowed to change ISMS policies on our own

    You can change ISMS policies anytime you identify the need to, but you need to evaluate who will be impacted by the changes, and what the impacts will be, to decide who needs to be informed, and what is the information to be communicated. For example:

    • a change in the Information Security Policy needs to be communicated to all personnel
    • a change in a Backup Policy, regarding the change in technology, may need to be communicated only to IT personnel
    • a change in a Supplier Management Policy may need to be communicated to the organization's suppliers

  • Personal vs. Generic emails regarding B2B email marketing

    A “generic” email address is an email address that does not incorporate personal information (e.g., info@company.com or marketing@company.com), while a “personal” email address refers to a specific individual (e.g., name.surname@company.com, n.surname@company.com, or surname@company.com, etc.).

    Germany and the UK are both ruled by the European Union General Data Protection Regulation 2016/679, which has direct application across all of the EU.

    In the UK the GDPR will be enforceable until 31st December 2020, when the Brexit transition period will end, and of course it will continue to apply even after that for companies subject to its application (companies processing personal data of individuals living in the EU). However, UK privacy law has many principles in common with the GDPR, which has been taken as a model for data protection law across the world.

    You can find more information about GDPR and email marketing here:

    You can also consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course// 
