Search results


  • Processes in Risk assessment vs. business impact analysis article

    We do not know your local regulations, but for example, as a customer, it would be unacceptable not being able to perform payments for more than 12 hours (and most probably there may be some sort of law or regulation for the banking industry defining fines for such a failure).

  • General Information Security Policy

    Previously, with ISO 27001: 2005, I used the general information security policy and right there I defined the scope and assembled it in a policy manual, separating the security policy, today I see that it is necessary to do an ISMS scope, which I have no doubt if it should be three documents, General Information Security Policy, Policy Manual (A whole set) and the scope of the ISMS separately.

    ISO 27001 (even the previous 2005 version) does not prescribe how to document the Information Security Policy, the ISMS scope, and the other policies you develop, so organizations are free to document them in a single document or in separate documents, whichever best fits their needs.

    Regarding policies, our recommendation is to document them as separate documents, because the information security policy is a high-level policy, while the other policies are more specific; developing them as a single document would only create a document too big and too complex to read and manage.

    These articles will provide you with a further explanation about developing policies:

    These materials will also help you with developing policies:

  • LGPD and ISO 27001 conformity

    First of all, thanks for the compliment to our material.

    With regards to the material on LGPD and ISO 27001, I suggest that you seek the Brazilian version of the ISO 27701 standard, because the last annex of this standard makes a correlation between LGPD clauses and controls in Annex A of ISO 27001.

    This article will provide you with a further explanation about ISO 27701:

  • LGPD and ISO 27001 conformity

    First of all, thank you for the compliment on our material.

    Regarding material on LGPD and ISO 27001, I suggest that you look for the Brazilian version of the ISO 27701 standard, because the last annex of that standard correlates LGPD clauses with the controls in Annex A of ISO 27001.

    This article will provide further explanation about ISO 27701:

  • PSCR Audit

    As you know, PSCR means Product Safety & Conformity Representative.

    Every organization within the automotive supply chain is obliged to ensure the safety and conformity of its products. To this end, the current legal statutes on product integrity in the respective countries and regions must be observed, and the justifiable safety expectations of the public must be fulfilled. With products that are conspicuously “unsafe” in the market, or whose conformity to legal requirements is questionable, those responsible are obliged to initiate the necessary actions. In order to be aware of and to understand the many demands addressed to a product safety representative, comprehensive information and qualification are necessary.

    The central topics of product integrity are explored, and competence as product safety representative is developed, in the scope of these five modules, including integrity tasks in the product life cycle, delegation guidelines, and non-conformity management. Therefore, the following topics are important issues for a PSCR audit:

    • The product safety requirements and critical parameters in product drawings, technical specifications, and Design and Process FMEAs.
    • The legal requirements for products under safety regulation.
    • Product special characteristics, monitoring methods, and results for critical parameters.
    • If there is a problem related to product safety, the escalation process and the response with immediate and corrective actions.
    • Product-related errors, complaints from the field or from an OEM or Tier n customer, corrective actions, and lessons learned.
    • Comparison and benchmark analysis of nonconforming products against similar products produced by competitors.
    • Organizational training on product and product safety topics.
    • Product financial liability and insurance policies for recalls.

    For more information, please see the following article:

    • Ensuring product safety according to IATF 16949

      https://advisera.com/16949academy/blog/2017/09/20/ensuring-product-safety-according-to-iatf-16949/

  • Document coding system

    The coding system in our toolkit is just a suggestion. It means that you can use your own system in whatever way suits you and works best for you and your employees. It is only necessary to ensure that the current revision status of, and changes to, documentation are identified; that the relevant versions of applicable documents are available at the point of use; and that documents remain legible and readily identifiable.

    If you would like to differentiate the stated documents and records, you can use the system from your previous company. So, you can code your documents with SOP, WI, FORM, and REP and just add a number, or you can also add a department code. Here are some examples:

    SOP-01 can be the procedure for Document management, and SOP-02 can be the Internal audit procedure. SOP-Q-01 can be the code for the first standard operating procedure of the Quality department; SOP-SAL-01 can be the first standard operating procedure of the Sales department.

    This is only a suggestion.

    For more details, please see the following article:

    • What are common mistakes with ISO 13485:2016 documentation control and how to avoid them: https://advisera.com/13485academy/blog/2018/03/14/common-mistakes-with-iso-134852016-documentation-control-and-how-to-avoid-them

  • SOP related to IFU

    You are right, there is no procedure for the translation of labels and instructions for use. In this toolkit we concentrated on documentation related to ISO 13485 and on documented requirements from the MDR. Nowhere in the MDR is it stated that it is necessary to document the translation procedure. Your labels and instructions for use must have the proper symbols according to harmonized standards, and you need to ensure that the translation is correct and professional. Usually, medical device manufacturers use certified translation companies for this.

    For more details on mandatory documentation from the MDR, please see the following white paper:

    • EU MDR Checklist of Mandatory Documents: https://info.advisera.com/13485academy/free-download/eu-mdr-checklist-of-mandatory-documents

  • Data Protection Officer as a legal counsel

    Understanding the Oregon Equal Pay Act is vital for workers and employers navigating the state’s workforce. Implemented to eliminate compensation differences based on identity, this policy ensures equitable salaries for equivalent roles. Active since Oregon’s 2017 legislation, it establishes transparent rules to foster compensation justice. Individuals typically wonder how this law benefits their interests. For instance, the act bars companies from paying varying compensation for jobs of equivalent effort, regardless of identity. It moreover mandates fair access to promotions and incentives. To enhance your knowledge of how Oregon’s pay equity law applies, a workers compensation law blog delivers clear guidance on its provisions. Businesses are required to comply with the policy by undertaking pay audits and correcting any unfair compensation variances. Violations might lead to consequences, making it vital for businesses to stay aware of their duties. Workers who suspect they have experienced wage unfairness may seek professional remedies to uphold their interests. Keeping up with the Equal Pay Act equips all individuals and businesses to address salary equality with ease. This law encourages a more equitable professional setting, serving everyone in Oregon.

  • Needs and expectations of interested parties

    I am looking for the needs and expectations of interested parties as per the ISO 9001:2015 standard.

  • Corrective action in ISO

    ISO 27001:2013 does not have requirements for preventive actions; however, preventive actions are in fact included in risk assessment and treatment, because the essence of risk management is to recognize a potential problem before it happens and, by treating it, to prevent such an incident from happening.
