Search results

Home / Search

Category:
Select
Select

11269 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Revision of assignment

    First is important to note that, as part of the transition period, an organization can still certify against ISO 27001:2013 until October 31, 2023, so considering you wanted to be certified by this summer, this deadline may give you the extra time you need.

    In case you are not fully compliant with some of your documents, you can postpone their implementation until after the certification audit under the following conditions: (1) if the document is not related to the main part of the standard (clauses 4 to 10), (2) if the related risks are not very high, (3) if you mark related risks as "Accepted" in the Statement of Applicability, and (4) if in the Risk Treatment Plan you define the deadline for the implementation of this document for after the certification audit.For further information, see:

    • ISO 27001 2013 vs. 2022 revision – What has changed? https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/

    • Setting up and passing the audit

      1 -Is the setup, documents, actions etc. enough for both entities, or I will have to prepare two different setups?

      Please note that in case these two sites are separated legal entities with different core businesses, then you need to treat them through separate implementations.

      2 -Also do we have to pass an audit to certify both entities or only the regulated body is enough?

      The certification scope can be only one entity or both entities. To make this decision you should consider the requirements of your customers and applicable laws and regulations.

      For further information, see:

      This tool can also help you:

    • ISO 9001:2015 Scope

      No, it is not a requirement that all customer-facing products and services have to be included in the scope.

      It may be useful for an organization to exclude products and services from the management system. For example, different requirements from customers, or different requirements from regulation. It’s not a technical decision, it is a management decision.

      For more information about the scope consider the following:

    • Business Development and Sales - core process?

      Yes, it makes sense, you can put it as a separate company process. 

    • Joint Controllers

      According to article 26 of GDPR, the joint controllers must “determine their respective responsibilities for compliance with the obligations under this Regulation […] by means of an arrangement between them […]  The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects”. So, since you mentioned that joint controllers A and B have such an agreement, the agreement should include each controller’s responsibilities related to each phase of personal data processing. If Company B suffered a data breach, then company B should be held accountable, but it depends a lot on what is exactly written in the data sharing agreement related to responsibilities, who is doing the reporting to the relevant data protection authority, and of course to what was communicated to the data subjects, as requested by Art 26 GDPR: “The essence of the arrangement shall be made available to the data subject.”.

      Please check these links:

    • GSPR

      According to the MDR Article 10, point 9, The quality management system shall address at least the following aspects: 

      b) identification of applicable general safety and performance requirements and exploration of options to address those requirements;

      So there is no direct requirement for the procedure, but as part of your QMS, there must be an explanation for the general safety and performance requirements. 

      For more information, see:

      • EU MDR Article 10 - General obligations of manufacturers https://advisera.com/13485academy/mdr/general-obligations-of-manufacturers/

      • Outsourced development

        Please note that, in a general way, when you have any part of the software development performed by personnel hired by external parties then you have outsourced development, regardless of the level of control your management have over this team, or the organization’s resources they have access to.

      • Maintenance

        In the maintenance procedure, basically, how you will do the maintenance, where to register, your failure maintenance intervention method, your periodic maintenance types, your predictive maintenance types, and their frequencies should be explained. It is also good to mention your analysis method and actions to be taken for frequent maintenance failures.

        It may also be necessary to mention how and where to store spare parts and their minimum & criticality levels. Maintenance instructions should be written separately for the equipment. It would be good to have information such as how often equipment will be maintained, where to check, and how often to change.

      • How would ISO 27001 help secure system from ransomware attack?

        The systematic approach for information security provided by ISO 27001 can help an organization justify, by means of risk assessment and legal requirements (e.g., laws, regulations, and contracts), why implementing security measures against ransomware attacks is important, and, by means of controls listed in its Annex A, which controls can be used (e.g., A.8.13 Information backup, A.8.8 Management of technical vulnerabilities, and A.8.7 Protection against malware).

        This article will provide you with further explanation about treatment against malware:
Page 44-vs-13485 of 1127 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +