When auditing an integrated management system, one must consider the High-Level Structure of the management system standards. Auditing clauses 4, 5, 7, 9 and 10 is straightforward
When auditing an integrated management system, one must consider two realities of an organization:
With clause 6 of each standard an organization determines risks around processes, products and business, compliance requirements, environmental aspects, risk of employee injury, and defines action plans and objectives.
When auditing, you follow an itinerary along its facilities where you audit processes (clause 8), and for each location the relevant environmental aspects and risks of employee injury and related procedures.
You can find more information below:
The distributor of medical devices needs to have implemented a quality management system (QMS) (in MDR there is no requirement for certification of the quality management system, only that a QMS must be implemented). In ISO 13485:2016, Section 1 (Scope) states that this International Standard specifies requirements for a quality management system where an organization needs to demonstrate its ability to prove that medical devices and related services meet customer and applicable regulatory requirements. Such an organization can be involved in one or more stages of the medical device life-cycle, including design and development, production, storage and distribution, installation, or service.
Further on, MDR (Article 1, section 2) states that all medical devices need to be in compliance with harmonized standards or state-of-the-art standards. On the list of harmonized standards, the only standard that addresses the quality management system is ISO 13485:2016. Therefore, it is expected that distributors and importers will also have implemented a quality management system according to the applicable requirements from ISO 13485:2016.
Here is the link to harmonized standards: https://ec.europa.eu/growth/single-market/european-standards/harmonised-standards/medical-devices_en
For more information, please read the following:
Please note that ISO 27001 does not require an organizational chart to present how the organization supports information security. The most common way to document responsibilities related to information security is by writing them in the implemented policies and procedures.
To see what documented responsibilities look like, I suggest you take a look at the free demo of our ISO 27001 documentation toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
These articles will provide you with a further explanation about documenting responsibilities:
This material will also help you regarding documentation:
Software maintenance is basically covered by controls from section A.14 System acquisition, development, and maintenance (there is no single control specific to this purpose).
Control A.14.1.1 ensures that maintenance is done in order to meet requirements set to protect information.
The other controls you mentioned are more related to the security of information systems implementation and daily operations.
These articles will provide you with a further explanation about the software development life cycle:
I'm assuming that by VAPT you mean "Vulnerability Assessment & Penetration Test".
Considering that, first it is important to note that the purpose of risk analysis is to evaluate the risk, quantitatively or qualitatively; that a security audit is used to find out if security is being performed as planned, or if the results achieved are those expected; and that VAPT is used to find out if there are vulnerabilities in your environment that could be exploited.
All of this considered, a security audit and VAPT cannot be used for risk analysis, but they can be used for risk identification, because their results can point to situations where information can be compromised (i.e., risks).
These articles will provide you with a further explanation about the risk assessment process:
These materials will also help you regarding risk assessment:
You can use ISO 20000 as a management system (or a framework) towards excellence in service delivery. However, use ITIL as well, to manage daily activities and as an improvement model.
ITIL4 guidelines can help you evolve your organization in a way to converge technology and business.
Here is an introductory article on ITIL 4: "ITIL 3 vs. ITIL 4 – What has changed and what is new?" https://advisera.com/20000academy/blog/2019/07/04/itil-3-vs-itil-4-what-has-changed-and-what-is-new/
According to ISO 20000, an SLA is a "documented agreement between the organization and the customer that identifies services and their agreed performance."
Here are a few articles where you can find more details:
"What’s the content of an ITIL/ISO 20000 SLA?" https://advisera.com/20000academy/blog/2016/06/14/whats-the-content-of-an-itiliso-20000-sla/
"SLAs, OLAs and UCs in ITIL and ISO 20000" https://advisera.com/20000academy/knowledgebase/slas-olas-ucs-itil-iso-20000/