Search results

Asset register

1 - Should all these assets be included in the same column, having for example the categorization in another column or should I have 2 different tables, with a relation between supporting assets and primary ones?

 ISO 27001 does not prescribe how to build the risk register, so you can define it as better fits your organization. The most common approach is to use a single table for all assets, all listed in a single column (you do not need to define them as primary and supporting assets).

2 - Are the threats and vulnerabilities related to supporting assets and thus impacting the related primary assets? How should this be mapped in an Excel file?

ISO 27001 does not prescribe a risk assessment approach, only that you have to define one, so from our experience you do not need to think assets in terms of primary assets and support assets (this would only make your assessment unnecessary more complex). You can just link threats and vulnerabilities to a single level of assets

To see how risk assessment looks like, I suggest you take a look at the free demo of our Risk Assessment Table at this link: https://advisera.com/27001academy/documentation/risk-assessment-table/

These articles will provide you a further explanation about assets and risk assessment:

• How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
• ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
• ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

  Feel free to enroll in our free course:

• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• Change management policy

  ISO does not have a definition for change, but from ITIL, a world-recognized framework for managing IT services, you can have this one: "The addition, modification or removal of anything that could have an effect on IT Services.”

  Considering ISO 27001, examples of change can be:

  • Replacement of a server
  • Adding a new technology (e.g., VPN for remote access)
  • Updating a document (e.g., policy or procedure)

  To see how a change management policy look like, see this free demo: Change Management Policy https://advisera.com/27001academy/documentation/change-management-policy/

  This article will provide you a further explanation about the change management:

  • How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/

• ISO 13485:2016/21 CFR 820 requirement question

  In the ISO 13485:2016, requirement 6.2 Human resources, it is stated that the organization must ensure that all employees are aware of the relevance and importance of their activities. The auditor will ask for the proof that employees are familiar with this. Usually, the best way to prove that manufacturer has fulfilled this requirement is to show the signed job description. However, if there is another way that manufacture can prove that employee knows exactly their activities and responsibilities covered in the job description, it can also be acceptable.

  For more details regarding roles and responsibilities, please see in the following article: 

  How to define roles and responsibilities within an ISO 13485-based QMS - https://advisera.com/13485academy/blog/2017/11/16/how-to-define-roles-and-responsibilities-within-an-iso-13485-based-qms/

• Cross-border Transfer of Personal Data

  Cross-border transfer of personal data under GDPR happens when personal data based in the EU are transferred towards third countries (i.e. US, Canada). Those transfers can be based on:

  • An adequacy decision by the European Commission. It means that the European Commission analyzed the data protection rules of the third country and estimated it gives an adequate level of protection for the freedom and rights of individuals. The Commission adopted adequacy decisions for the following countries:  Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and the United States (Privacy Shield).
  • Standard data protection clauses adopted by the Commission. Are contractual clauses that grant some protection rights to parties.
  • Standard data protection clauses adopted by a supervisory authority.
  • An approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights or an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

  In the above-mentioned cases, you do not need to notify to DPA cross-border transfer of data because it is considered compliant to the GDPR.  

  Consider that, you will need to consider the impact of Brexit from January 2021 when UK will no longer be part of European Union.

  Here you can find some useful material about data transfer:

  • 3 steps for data transfers according to GDPR: https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/Standard Contractual Clauses for the Transfer to Processors and Standard Contractual Clauses for the Transfer to Controllers.: https://info.advisera.com/eugdpracademy/free-download/standard-contractual-clauses-annexes
  • EU GDPR Article 44 – General principle for transfers: https://advisera.com/eugdpracademy/gdpr/general-principle-for-transfers/
  • EU GDPR Article 45 – Transfers on the basis of an adequacy decision: https://advisera.com/gdpr/transfers-on-the-basis-of-an-adequacy-decision/
  • EU GDPR Article 46 – Transfers subject to appropriate safeguards: https://advisera.com/gdpr/transfers-subject-to-appropriate-safeguards/
  • Free webinar – How to make personal data transfers to other countries compliant with GDPR: https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/

  You can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

• The project management audit

  By auditing a project manager, you want to determine the true status of work performed on a project and its compliance with the project statement of work, including schedule and budget constraints. What work is required to meet project objectives and the adequacy of the schedule and budget to do so.

  You can ask for the project plan and check topics like:

  • Is it approved and updated?
  • Are monitoring and control procedures implemented?
  • Were risks determined and countermeasures developed?
  • Are staffing needs considered?
  • Are reports being made?
  • What about customer feedback?
  • What about subcontractor relations?
  • What about cost versus budget?

  These materials will also help you regarding internal audit:

  • What is the ISO 9001 audit program, and how does it work? - https://advisera.com/9001academy/blog/2017/01/24/what-is-the-iso-9001-audit-program-and-how-does-it-work/
  • Free online training ISO 9001 Internal Auditor - https://advisera.com/training/iso-9001-internal-auditor-course/
  • Book ISO Internal Audit: A Plain English Guide - https: //advisera.com/books/iso-internal-audit-plain-english-guide/

• Corrective action process

  I would use a lot of diplomacy and tact, and politely would tell them that my audit has nothing to do with an internal audit. As an external auditor, I would like to do my own audit, collect my own evidence and arrive at my own findings. So, I could not delete that department from the audit plan.

  The following material will provide you information about audits:

  • What is the ISO 9001 audit program, and how does it work? - https://advisera.com/9001academy/blog/2017/01/24/what-is-the-iso-9001-audit-program-and-how-does-it-work/
  • Free online training ISO 9001:2015 Internal Auditor Course – https://advisera.com/training/iso-9001-internal-auditor-course/
  • Book -  ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
     

• Internal Audit Frequency

  Let us start with a flow diagram:

  

  ISO 9001 allows you to set your own frequency and audit scope, however you need to perform at least one internal audit per year to the whole quality management system (QMS) because of the certification body surveillance visits.

  These materials will also help you regarding internal audit:

  • What is the ISO 9001 audit program, and how does it work? - https://advisera.com/9001academy/blog/2017/01/24/what-is-the-iso-9001-audit-program-and-how-does-it-work/
  • Free online training ISO 9001 Internal Auditor - https://advisera.com/training/iso-9001-internal-auditor-course/
  • Book ISO Internal Audit: A Plain English Guide https: //advisera.com/books/iso-internal-audit-plain-english-guide/

• ISO 13485 or ISO 9001

  It is not a question of preference, but what the legal regulations are and what requirements must be met in order for a medical device to comply with its regulations. ISO 13485:2016 is a standard that is specific for Manufacturers of medical devices (Medical devices — Quality management systems — Requirements for regulatory purposes). Besides that, on the web pages of the European Commission (https://ec.europa.eu/growth/single-market/european-standards/harmonised-standards/medical-devices_en) are stated which standards are applicable for all types of medical devices. On that list, which has around 300 standards, only ISO 13485:2015 is the standard for the quality management system.

  For more information, see following articles:

  • How can ISO 13485 help with MDR compliance? - https://advisera.com/13485academy/blog/2020/03/09/how-can-iso-13485-help-with-mdr-compliance/

  • EU MDR – Easy-to-understand basics - https://advisera.com/13485academy/what-is-eu-mdr/

  • ISO 9001 certification for tobacco factories

    I’m not working with the tobacco sector. Normally, there are no legal obligation to be certified. Certification is supposed to be a voluntary decision.

    Why do organizations decide to get certification? Normally, for two reasons:

    A customer demands it (in the Business to Business world);
    Improving credibility and image 

    An organization with a strong brand may decide that certification is not relevant once the brand power is what gives credibility and image.

    Just implementing a quality management system (QMS) can be very useful for an organization, like a tobacco factory, that processes millions of units, in terms of improving efficiency and reducing costs. After implementing, getting the certification is just a small step.

    Please check more information about ISO 9001 below:

    • Article – Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
    • Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
    • Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    • ISO 9001:2015 Documentation Toolkit - https://advisera.com/9001academy/iso-9001-documentation-toolkit/
    • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
       

  • ISO 13485 planning related query

    Yes, your understanding is correct. If you implement ISO 13485:2016 you can still label reagents as research use only. ISO 13485:2016 is applicable to the manufacturing of both medical devices and in-vitro devices.

    • For Similarities and differences between ISO 9001:2015 and ISO 13485:2016, please see following article: https://advisera.com/9001academy/blog/2015/01/21/iso-9001-vs-iso-13485/

    • Here is a Checklist of ISO 13485 implementation and certification steps: https://advisera.com/13485academy/knowledgebase/checklist-of-iso-13485-implementation-and-certification-steps/

    ISO 13485:2016 is a process-oriented standard. Product-specific regulation for your type of the product is In vitro diagnostic directive (current valid IVDD 98/79/Eec, and new version IVDR 2017/746).

    For more details about ISO 13485 please read the following articles:

    • ISO 13485 structure and requirements https://advisera.com/13485academy/what-is-iso-13485/ What are the consequences of noncompliance with ISO 13485 for manufacturers of medical devices? https://advisera.com/13485academy/blog/2017/11/02/what-are-the-consequences-of-noncompliance-with-iso-13485-for-manufacturers-of-medical-devices/

    • How to use ISO 13485 to comply with In Vitro Diagnostic medical devices (IVD) requirements in UK https://advisera.com/13485academy/blog/2017/10/26/how-to-use-iso-13485-to-comply-with-in-vitro-diagnostic-medical-devices-ivd-requirements-in-uk/