Search results

Distributor vs Supplier quality agreement

Quality agreement should be with the actual manufacturer because you need to be sure that the device is produced in accordance with ISO 13485 and MDR.  

ISM Policy

ISO 27001 does not prescribe which objectives to define, so you can use objectives related to your business strategy, to specific customers and regulators you must comply with. Additionally, you can also use more specific objectives related to security controls, security processes, etc.

Some specific examples are:

• win a new customer in 6 months
• increase market share by 3% in 12 months

For further information, see:

• ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

• Custom Control Creation

  Considering your stated situation (Having operating system software and databases that are at the end-of-support life cycle), suggested assets, vulnerabilities, and threats, with respective controls are:

  • Assets: “Operating systems” and “Database management systems”
  • Vulnerabilities: “Rules for software and its databases not clearly defined” and “Requirements for software development not clearly defined”
  • Threats: “Maintenance errors” and “Application error”
  • Controls: “A.8.25 - Secure development life cycle” and “A.8.8  Management of technical vulnerabilities”

  Please note that end-of-support is part of the retirement step of an asset life cycle management process (in this case, applied to assets operating system software and databases), and so it is an expected situation for IT operations.

  Considering that, the vulnerability, in this case, would be related to not knowing what to do by this time.

• ISO 27001 certification

  a) Is it necessary for me to artificially amend the risk evaluation to achieve the 10% Unacceptable risks?

  First of all, sorry for this confusion.

  This message is intended for companies that are implementing ISO 27001 for the first time. Since you already have implemented controls that reduce risks to an acceptable level, you do not need to include additional risks if you do not need to.

  However, security risks are evolving very quickly, so it is likely that you do have some unacceptable risks that you did not record previously. It is recommended that you try to identify these new risks.

  b) Will the certification auditor not pass the certification audit if there is no risk treatment actions?

  Please note that risk treatment actions are needed only in case you have relevant risks to treat or want to make changes in existing controls (e.g., to update technologies or include improvements).

  Since it is likely that your company is facing some new risks, the certification auditor will want to see if you managed to identify them. If you can convince the auditor that there are certainly no new risks, then you will pass the surveillance audit.

   c) What is your recommendation?

  In your situation, recommendations are:

  • Regarding risk assessment, take this opportunity to review your risk assessment, because after the last assessment new risks may have risen that may require treatment
  • Regarding risk treatment actions, in case you do not have relevant risks to treat, try to look for improvement opportunities in implemented controls and document them as risk treatment actions. This will show the auditor a greater level of maturity of your ISMS.

  For further information, see:

  • Risk treatment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment

  • ISO 17025 audit

    You said:
    
    I know "what" to look out for, but not "how" to or "who" to."

    For clarity, the “what to look at for” are the audit criteria and in this case any ISO 17025 mandatory as well as additional laboratory defined requirements for calibrations. These are clause 6.4 and 6.5 requirements of ISO 17025.

    To answer how to go about it and who the auditee is, you need to identify what documented information exists within the management system – all polices, plans, processes, and procedures which have been put in place. Using an ISO  17025 audit checklist firstly record whether mandatory documentation is in place. Secondly read through the documentation and determine how the laboratory documents their approach to support a requirement and or policy. Look for objective evidence to see that what is stated as done is in fact being done. In each case documentation should clearly define responsibilities. These are the personnel which should be interviewed during the audit (the auditee) and asked to provide evidence against the audit criteria. For example there is a mandatory need for calibration programme (ISO 17025 6.4.7) . Ask to see the programme, select a few items from the list and call for the calibration certificates as evidence of the programme working. Also look for evidence that the programme is reviewed and adjusted as necessary in order to maintain confidence in the status of calibration. For example, if there was a nonconformance raised or risk identified about lack of calibration or the external calibration interval, the programme should reflect that.  Find out if the laboratory specifies their review period and if so, assess whether that review period is complied with. If they do specify the review period, best practice is at least yearly or before / after management revied as required to keep the program active

    The following will provide more information for you on Auditing and ISO 17025:
    The White paper (free for download) How to perform an internal audit using ISO 19011 at https://info.advisera.com/free-download/how-to-perform-an-internal-audit-using-iso-19011
    The article ISO 17025 technical internal audit: The basics at https://advisera.com/17025academy/blog/2020/11/10/iso-17025-technical-internal-audit-the-basics/
    The ISO 17025 document template: Internal Audit Procedure at https://advisera.com/17025academy/documentation/internal-audit-procedure
    The Five Internal Audit Procedure appendices Internal Audit Program, Internal Audit Checklist, Audit Nonconformity Report, Internal Audit Process Checklist and Internal Audit Report are available separately from the procedure link above; or included in the toolkit for preview and purchase.

  • 27001 query

    From the provided requirement, a risk assessment covering specifically the payment services is enough to fulfill it. Depending upon where this process is performed, you may also consider risks related to supplier management (e.g., the payment process is performed using a cloud service provider).

    For further information, see:

    • ISO 27001 Risk Assessment, Treatment, & Management: The Complete Guide https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/

    • Audits and MDR - Internal Audit Requirements

      Yes, you can conduct in-house audits using our internal audit package.

      The only requirement is that your internal auditor(s) comply with competence requirements established by your organization. Normally, those requirements are:

      • Auditor(s) know the audit criteria (the management standard)
      • Auditor(s) know good auditing practices
      • Auditor(s) should not audit their own work to ensure independence (please check ISO 9000:2015 definition 3.13.1 where one can read that an audit is “ a systematic, independent, and documented process.) 

      Usually, organizations translate these requirements into something that can be evidenced like doing an internal audit course and passing an exam.

      Internal auditors don’t need to be professionals approved by a third party, they just have to comply with competence requirements. Of course, if your company requirements say that internal auditors must be approved by a third party, and must have at least 100 hours of audit experience, then that is the benchmark to abide by.

      The following material will provide you with information about audits:

      • ISO 9001 – ISO 9001 internal auditor training: Is it for me? - https://advisera.com/9001academy/blog/2015/06/02/iso-9001-internal-auditor-training-is-it-for-me/
      • Free online training ISO 9001:2015 Internal Auditor Course – https://advisera.com/training/iso-9001-internal-auditor-course/
      • Book -  ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/

    • GDPR in Sweden

      1. How is GDPR implementation in Sweden different from Germany? We do not all differences. Our focus is the field of customer journey.

      The legislation is overall the same, however, you must check the local laws and regulations related to personal data archiving (like financial data, HR data), mandatory reporting, etc. But GDPR is the same.

      2. Which client data are publicly available in Sweden but not in Germany?

      Public available personal data, although public, is still personal data and protected by GDPR. According to Article 14 GDPR - Information to be provided where personal data have not been obtained from the data subject if you collect personal data from public sources, each processing needs a clear purpose, a legal ground for processing, and the data subject must be informed about the processing, the controllers involved in the processing, the personal data categories that are being processed, the purpose of processing and associated legal grounds for the processing, other processors involved and their roles, retention policies for personal data and about their rights related to personal data. At Advisera, we have some great privacy notice templates, part of our EU GDPR Documentation Toolkit, link below.

      3. Which data can be tracked, e.g. client behavior, websurfing habits etc.?

      Tracking of personal data is the processing of personal data, so you need a purpose (why do you want to track personal data), a legal ground for processing (I recommend Consent for processing operations involving personal data tracking), you need to establish the categories of personal data that are being monitored (applying at the same time the principle of data minimization, as it is described in Article 5 GDPR - Principles relating to the processing of personal data, para 1.c), to establish a retention policy according to GDPR Article 5.1.e and to ensure the security of personal data.

      4. Are there differences in cookie policy?

      The cookie policy is a document that demonstrates that you respect the requirement of transparency as described in GDPR Article 5.1.a, and in this document, you need to outline who are the data controllers, the personal data processed by each cookie, the purpose of processing, to whom the data is transferred and why and how the data subject can withdraw consent. In this respect, there shouldn’t be any differences in how the cookie policy looks. We have a great Cookie Policy template, part of our EU GDPR Documentation Toolkit, link below.

      Please also consult these resources:

      • Article 5 – Principles relating to processing of personal data: https://advisera.com/gdpr/principles-relating-to-processing-of-personal-data/
      • Article 6 - Lawfulness of processing: https://advisera.com/gdpr/lawfulness-of-processing/
      • Article 7 - Conditions for consent: https://advisera.com/gdpr/conditions-for-consent/
      • Article 14 – Information to be provided where personal data have not been obtained from the data subject: https://advisera.com/gdpr/information-to-be-provided-where-personal-data-have-not-been-obtained-from-the-data-subject/
      • How does GDPR affect digital marketing? https://advisera.com/articles/how-does-gdpr-affect-digital-marketing/
      • How does GDPR impact marketing activities? https://advisera.com/articles/how-does-gdpr-impact-marketing-activities/
      • Everything you need to know about the GDPR Privacy Notice: https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/
      • EU GDPR Documentation Toolkit: https://advisera.com/toolkits/eu-gdpr-documentation-toolkit/