
  • ISO 20000 vs ITIL

    ITIL and ISO 20000 complement each other. So, if you have ISO 20000, there is no problem if you start implementing ITIL. Quite the contrary: during ISO 20000 implementation you have already implemented a lot of processes and related activities that are recommended by ITIL.

     

    This free whitepaper can help you: “ITIL vs. ISO/IEC 20000: Similarities and Differences & Process Mapping” https://info.advisera.com/20000academy/free-download/itil-vs-iso-iec-20000-similarities-and-differences-process-mapping

  • Annex A

    1. ISO 27001 Annex A - I have a question regarding A.14 System acquisition, development, and maintenance. We are a software development company. Does this part apply to the software we develop (as a business) or only to internal software we could develop, I mean for internal use?

    The application of this control for customers or internal purposes will depend on the scope of your ISMS. If the ISMS scope covers software development for clients, then you need to include these activities with applicable controls.

    For further information, see:

    2. ISO 27001 A.15 - May I apply this measure to critical IT suppliers only? Or should I apply it to all suppliers?

    You do not need to apply controls from section A.15 to all your suppliers. You can limit the application only to those for which you have identified unacceptable risks, or to those for which you have a legal requirement (e.g., law, regulation or contract) demanding the application of the control.

    For further information, see:

    3. In Annex A, can we justify that we do not choose a measure by saying "company capacity is too light" or things like that?

    Your suggested justification most probably won't be accepted by a certification auditor. A good justification for not choosing a control would be "We do not have unacceptable risks or legal requirements demanding the implementation of this control," because it covers the two most common reasons to implement a control.

  • Fast-track information risk assessments

    First, it is important to note that not all persons will give you direct answers about assets, threats, and vulnerabilities. This is because of their backgrounds (e.g., technical or non-technical) and their knowledge about information security.

    Broadly speaking, you should consider at least these questions to identify assets:

    • Which information do you have to deliver? To whom? (This last question will help direct you to the next person you should talk to.)
    • Which information do you need to do your work? From whom? (This last question will help you map whether all relevant persons were already covered.)
    • Which resources do you need to work on? (Depending on the role of the person, this can lead to general answers, like information system abc, or to a detailed list of assets.)

    For identification of threats and vulnerabilities, you should consider these questions:

    • In your opinion, what can negatively affect the information and resources you mentioned? And why?

    In short, the questions have to be focused on the context of the interviewee, and from their answers you have to mine the assets, threats, and vulnerabilities.

    As a support tool, if you have experience and knowledge about the process involved, it is useful to build a checklist with the most common answers and try to validate them with the interviewee.

  • ISO 22301 Communication Plan

    First, it is important to note that ISO 22301 does not prescribe how a communication plan must be documented, so it is up to the organization to decide whether it will be a separate document or not.

    For small and medium-sized organizations, we understand that a separate document would increase administrative effort unnecessarily, so information related to the communication plan is available in several templates, for example:

    • Disaster recovery plan, located in folder 07 Business Continuity Plan
    • Activity recovery plan, located in folder 07 Business Continuity Plan
    • Business Continuity Policy, located in folder 03 Business Continuity Policy
    • Incident response plan, located in folder 07 Business Continuity Plan

    In each document, information related to communication is defined according to the document's purpose.

    For further information, see:

  • Question about PII data

    Even if you have Personally Identifiable Information (PII) in your ISMS scope, ISO 27001 does not require a specific policy for PII to be developed, but you have to verify whether any of the laws you identified as legal requirements for your ISMS because of PII requires such a policy. If any of them requires a policy for PII, you will have to develop one.

  • ISO 17025 implementation

    ISO 17025 clause 6.4 covers requirements for equipment, where the requirement is that equipment should be suitable, maintained and monitored to ensure a laboratory produces consistently valid results. It is important to know what is required of specific equipment to ensure suitable performance. In all cases, mandatory specifications, regulations or guidelines should be followed, if applicable to your sector.

    The document you refer to is an annex of the document “Qualification of Equipment”, published for European Union (EU) Official Medicines Control Laboratories (OMCL). Such laboratories support quality control regulations for medicinal products.

    I cannot tell from your question which sector your laboratory supports and whether the document you refer to is prescribed as mandatory by a regulatory body or your accreditation body, or is just a guideline you are using to meet ISO 17025 requirements. Either way, if you have assessed your processes thoroughly against ISO 17025 requirements as well as the OMCL Annex, and there are no gaps, then surely you are meeting requirements?

    The following may be of interest:

    Article “What does ISO 17025:2017 require for laboratory measurement equipment and related procedures?” https://advisera.com/17025academy/blog/2019/07/25/iso-17025-measurement-requirements-of-the-standard/
    The ISO 17025 toolkit or ISO 17025 document template “Equipment and Calibration Procedure” and associated appendices: List of Laboratory Equipment, Calibrated Equipment Record, Calibration Record and Equipment Maintenance Record, available at https://advisera.com/17025academy/documentation/equipment-and-calibration-procedure//

  • ISO 9001:2015 vs ISO 17025

    The answer to your question is most likely no, but it depends on the extent of your ISO 9001:2015 management system and the planned ISO 17025 scope. As mentioned above, a laboratory will need to develop the management system to include the requirements of ISO 17025:2017 clauses 4 to 7. The clauses do not stand alone – they are intertwined, which means you need to make sure the requirements of clauses 4 to 7 are covered by, or added to, the existing management system processes and activities.

    Once you have established the scope of accreditation, i.e. which tests are going to be included for accreditation, a gap assessment should be done. Here you will perform an audit to see to what extent the existing activities, processes, procedures and records (created for ISO 9001:2015) meet the requirements of ISO 17025. For example, you may have an audit program (ISO 17025:2017 clause 8.8) that meets ISO 9001:2015 requirements; however, if technical audits have not been included, or your scope has changed, you may not have audited the method validations (clause 7.2) or monitored the environmental conditions (clause 6.3) of a test which is part of your ISO 17025 accreditation scope. Another example is risks and opportunities (clause 8.5), where assessments would be required and the register updated to cover ISO 17025 activities.

    I suggest the following article, which may provide some more insight: “What is ISO 17025?”, especially the section “Practically speaking, what are the steps to becoming ISO/IEC 17025 accredited?”, available at https://advisera.com/17025academy/what-is-iso-17025/

  • Privacy Policy for internal Employees and Privacy notice on Website

    These are two different documents with different purposes, data retention periods and data collected.

    A privacy notice on the website allows web users to know how you will process their data (navigation data, data coming from cookies, account data, etc.), for which purposes and for how long you will process it. You may want to ask for the consent of website users for marketing purposes and for transferring their data to third-party processors (i.e. social networks). Maybe you will process users' data for two years. The privacy notice aims to inform data subjects what data will be collected, for which purposes and for how long the data controller will process it. It must be specific and inspired by the data minimization principle (ask only for necessary data).

    You should also have a privacy notice attached to the job contract to inform employees about how you will process their data, because the purposes of processing, the legal ground and the data retention period will be different from those for data collected from website users.

    The privacy policy for employees is another document that aims to teach employees how to handle the personal data collected. You must set some internal rules on data processing. Some basic rules are: do not leave personal data accessible, do not share personal data with unauthorized persons, inform the security officer or DPO (if there is one) if a data breach is suspected, how to handle data subjects' requests, and so on.

    You may find some useful information in the following articles:

    Everything you need to know about the GDPR Privacy Notice: https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/

    Four main questions for obtaining and managing data subjects’ consent under GDPR: https://advisera.com/eugdpracademy/knowledgebase/four-main-questions-for-obtaining-and-managing-data-subjects-consent-under-gdpr/

    Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/

    How the GDPR could impact your HR department https://advisera.com/eugdpracademy/blog/2018/02/22/how-the-gdpr-could-impact-your-hr-department/

    Contents of the Data Protection Policy according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/contents-of-the-data-protection-policy-according-to-gdpr/

  • Question on ISO 13485 & MDR

    Dear Kristina,

    Many thanks for your reply, which confirms exactly what I already expected it to be. Unfortunately, my supplier "tries" to collect my list of clients in order to get in touch with them directly, simply because their sales are decreasing worldwide, which can be explained of course, as I have had my experience with them for over 10 years. Guidelines have changed in the medical world and in our case not to the benefit of the supplier/manufacturer. And therefore they think they can contact clients better directly...... Imagine. Now they used the argument that I "must" supply them the list of clients because ISO 13485 "demands" this....

    Once more, many thanks for your clear answers.

    Best regards,

    René van Liemt

    www.arteriograph.nl

  • Developing risk and opportunity matrix

    First of all, there is no mandatory requirement in ISO 9001:2015 for a risk management matrix. However, a methodology can definitely help the organization to identify risks and opportunities and plan the necessary actions to effectively address them. 

    The risk and opportunity matrix could be a spreadsheet, a document, a database, but the most common and clear format is usually a table that may include:

    - Description of the risk
    - Type of risk (business, project, stage)
    - Likelihood of occurrence
    - Severity of the risk, that is, the impact that the occurrence of this risk has
    - Countermeasures or actions carried out to prevent, reduce, or transfer the risk
    - Risk status, i.e. whether it is a current risk or a past risk

    This risk identification should be conducted with the relevant people in your organization and, if possible, the relevant parties such as contractors, stakeholders and suppliers. A SWOT analysis can help with this identification, but then you will need to evaluate the level of significance of those risks by applying certain criteria selected by the organization.

    The following material will provide you with information about the risk and opportunity matrix:

    - How to identify risk significance in ISO 9001:2015: https://advisera.com/9001academy/blog/2019/01/14/how-to-identify-risk-significance-in-iso-90012015/

    - How to identify risk controls in ISO 9001:2015: https://advisera.com/9001academy/blog/2019/01/21/how-to-identify-risk-controls-in-iso-90012015/

    - Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/

    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
     

     
