I cannot provide that kind of answer in this space. However, I invite you to look for book titles about auditing that include the word “process”.
For any process you choose, look into the turtle diagram:
You can audit a process and consider one or more ISO 9001:2015 clause(s) relevant from section 8. But for any process, you can use the turtle diagram and list several other clauses that you can audit:
You can find more information about auditing below:
The ISO 17025 Academy provides well-defined instructions, as well as tips via email. Document templates contain an average of twenty comments each and offer clear guidance for filling them out. For example, square brackets [ ] are used for all fields that must be filled in, as shown in the free Project Plan for ISO/IEC 17025 implementation, available at https://info.advisera.com/17025academy/free-download/project-plan-for-iso-17025-implementation.
For each document, the Purpose, Scope and Users are defined and references are provided. Using the Addressing Risks and Opportunities Procedure as an example, all the requirements of ISO 17025 8.5 and 4.1 (Impartiality) are covered within the template, where the procedure covers what must be done. You complete the procedure by stating who is responsible for the tasks, e.g. “Laboratory Manager”. As there are often many ways of achieving the objectives of a specific requirement, in this example you can list the preferred tools and methods your laboratory chooses for assessing and evaluating risks and opportunities. These records can be added in the table provided, alongside the supplied template Registry of Key Risks and Opportunities.
You can download a free ISO 17025 toolkit demo at https://advisera.com/17025academy/iso-17025-documentation-toolkit/ that could provide further understanding.
The Addressing Risks and Opportunities Procedure is available at https://advisera.com/17025academy/documentation/addressing-risks-and-opportunities-procedure/
Thank you! Very helpful information. So that I am clear on what you are saying, do you mean that even if we ask the data subjects for a perpetual license, they can still revoke it at any time? So would we be allowed to ask for a perpetual, irrevocable license under GDPR, which to me means that they can't rescind their consent?
1 - What are the types of data that need to be classified?
Answer: For ISO 27001 certification purposes, the type of information to be classified will depend on the information the organization wants to protect, which is defined in the scope of the Information Security Management System (ISMS).
For example, if the ISMS scope is a software development process, developed code is one example of an information type that must be classified. If the scope includes the Sales department, customer information must also be classified. Please note that information must be classified regardless of whether it is in electronic, physical, or any other format.
For further information, see:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
2 - Does each and every physical asset, document, data need to be classified?
Answer: In your Classification Policy you can decide which assets need to be classified, but in general only information assets are classified.
By information asset, you can understand where information is stored (e.g., as a paper report in a cabinet, as electronic data in a database, as a file on a server or pen drive, etc.), where it is processed (e.g., a payment system), or where it flows (e.g., network equipment).
For further information, see:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
I attended your webinar on the integration between GDPR and ISO 27001 yesterday, thank you very much.
Is there anywhere you can see what ISO standards it is possible to be certified against? I have been looking but not been able to find it. You said yesterday that it is not possible to be certified against ISO 27701, which is why I am asking.
I am currently doing a thesis as my final paper in Danish Law School and I am writing on GDPR and ISO and how ISO can help demonstrate compliance to GDPR.
As a way of raising awareness about ISO 27001, I suggest you take a look at this free presentation:
You can adapt the information in this presentation to the material you are planning to present.
This article will provide you further help about increasing awareness:
R&D of medical devices must be conducted under the requirements described in clause 7.3 Design and development of the standard ISO 13485:2016. Therefore, it makes sense for your company to implement ISO 13485. However, the scope of ISO 13485:2016 can be limited to providing the service only. In that case, you won't have a description of production and the related documented procedures, but rather a description of the Design and development process and how you provide that service.
For more information on performing design and development validation and verification according to ISO 13485, please read the article at the following link:
For more information on managing the design and development of medical devices, please read the article at the following link:
No, it is not sufficient because the Data Protection Policy and DPIA (Data Protection Impact Assessment) are different documents for different purposes.
A Data Protection Policy is an internal document that establishes rules on how personal data is processed by your organization, while a DPIA is a document prepared to evaluate the risks to the rights and freedoms of data subjects and the measures taken to minimize such risks, with its required content established in article 35 GDPR.
Data Protection Policy is a measure taken to increase security in data processing. It is mandatory under article 24 para 2 GDPR only “where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.”
However, the GDPR allocates the burden of proof of being compliant on the data controller. Therefore, a Data Protection Policy (which is considered an appropriate organizational security measure) is a way to help the data controller to demonstrate compliance.
Of course, much depends on the size and complexity of your organization, because any data controller needs to balance costs, complexity, and the risks arising from data processing.
You can find more information here:
- Contents of the Data Protection Policy according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/contents-of-the-data-protection-policy-according-to-gdpr/
- 5 phases of the EU GDPR Data Protection Impact Assessment: https://advisera.com/eugdpracademy/knowledgebase/5-phases-of-the-eu-gdpr-data-protection-impact-assessment/
You may also consider taking our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
Please note that ISO 27001 only requires documentation of risks related to information, not of risks and opportunities to the ISMS as a system. Therefore, you should not include them in the Risk Treatment Table, because the purpose of this table is to document the treatment of risks related to information, and mixing the two can create confusion among users.