
  • CRM Document Management

    Your approach for embedding document management into your CRM will be acceptable to the auditor provided you comply with the standard’s requirements (clause 7.5):

    • How, and by whom, documents are approved
    • Who needs to access the documents and how they do that
    • How documents are protected
    • How documents are changed
    • For how long documents are kept and how they are disposed of when they are no longer needed

    Please note that if it is not possible to use the CRM to comply with all requirements you can still use a combination of CRM and Conformio to achieve compliance.

    For further information, see:

  • ISO/IEC 27001 Audit

    In fact, such a situation is unusual, but not a sufficient reason for a problem. The auditor will probably perform additional checks, considering:

    • which conditions you have defined that require opening a non-conformity. For example, in some situations, one or two minor events related to the system may happen, and the system performance is still at acceptable levels, so raising a nonconformity is not required.
    • reports on the performance of implemented controls, to check if they were working properly during the period audited.

    Based on the evidence found related to system performance conditions and reports about controls performance, the auditor may conclude that, in fact, the system is reliable enough and that the lack of incidents and non-conformities (or the low number of incidents and lack of non-conformities) is justifiable.

    For further information, see:

  • Approved Certification bodies

    Thanks for your response Rhand, this helps.

  • ISMS audit

    I will keep it as my guidance in after audit programs, thank you.

  • ISO 13485 for trading of medical devices

    If you only export and import medical devices, it is not a regulatory requirement to be ISO 13485 certified. What is expected from the importer and distributor of medical devices is stated in Article 13 and Article 14.

    For more information, see:

    • EU MDR Article 13 - General obligations of importers https://advisera.com/13485academy/mdr/general-obligations-of-importers/
    • EU MDR Article 14 - General obligation of distributors https://advisera.com/13485academy/mdr/general-obligations-of-distributors/
  • Planned implementation of changes to ISMS

    Please note that ISO 27001 clause 6.3 does not require a specific document to be developed to manage changes in the ISMS.

    Considering that, you can use one of these documents to manage changes:

    • Risk Treatment Plan, located in folder 08 Implementation Plan - through this document you plan for each new security control, process, or activity
    • Change Management Policy, located in folder 09 Annex A Security Controls
    • Security Procedures for IT Department, located in folder 09 Annex A Security Controls

    For further information, see:

    • How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/

  • Toolkit documentation

    Please note that ISO 27001 does not require documents to be developed to implement controls A.7.5 and A.7.8, so a brief description of their implementation can be included in the Statement of Applicability. This template can be found in folder 06 Applicability of Controls (the template includes suggested text on how to document this information).

  • DR distance

    Please note that there is no definitive answer about how far apart a disaster recovery site should be.

    The main ISO standards covering this topic (ISO 27001 for information security, and ISO 22301 for business continuity), as well as most regulations and industry practices, do not define any specific distance to recovery sites, because many factors can affect what would be considered a “safe” distance (e.g., type of disaster, access to public services, risk level, etc.). From our experience, we suggest you start a discussion by proposing a distance between 30 miles (50 kilometers) and 100 miles (160 kilometers) away from your primary location, and from there analyze your organization's context (geographic situation, available resources, required investment, etc.).

    This article will provide you with a further explanation of the distance of the recovery site:

  • Lead Auditor certification

    Please note that accreditation only applies to organizations that certify other organizations' management systems (e.g., ISO 27001, ISO 9001, etc.), or that certify people who are approved on their training (e.g., Lead Auditor, internal auditor, etc.).

    Considering that, once you have passed the Lead Auditor exam from an accredited training provider there is no need to submit your certification for accreditation. The fact that the provider is accredited already validates your certification.

    For further information, see:
