
  • Information security policy review

    Depending upon the quantity and severity of information security incidents, you should review some elements of the Information Security Policy, such as:

    • risk management: are the process steps and acceptance criteria properly defined?
    • responsibilities: are the responsibilities for implementation and maintenance properly assigned?
    • support: are all required resources to implement and improve information security available?

    Please note that in most cases the information security incidents will point to minor adjustments in specific controls or processes.

    For further information, see:

  • Residual Risk Question

    Please note that the information about measures taken to mitigate risk and the residual risk level can be found in Appendix 2 - Risk Treatment Sheet of the Risk Assessment and Treatment Report.

    You can find this document through the link “Documents” in the left panel of the Conformio main screen, path ISO 27001 >> Lists reports statements and plans.

  • Information about undesirable event and conducting investigation

    1. Through which communication channels does the user send a message about an undesirable event to the manufacturer of the medical device?

    By the address that is on the medical device box or in the instructions for use. Today, of course, it is mostly done by e-mail. The point is that it should be documented, and not conducted by phone.

    2. In which cases does the competent authority itself conduct an investigation?

    The competent authority can make an investigation if they receive any information regarding some adverse events or the possibility of a fake medical device.

  • Is proficiency testing required when using an outside lab?

    While PT performance can be used as objective evidence of individual competence, the laboratory needs to participate in a formal scheme or an alternative external proficiency assessment. Please have a look at https://community.advisera.com/topic/pt-ilc/ which will provide more information on the mandatory requirement for the laboratory to participate in proficiency testing (PT).

  • Appointing Data Controller

    Every company is at some point a data controller, for common personal data processing operations like hiring, payroll, financial reporting, etc., and its responsibilities are detailed in Article 24 – Responsibility of the controller. If your question is related to the Data Protection Officer, the requirements for a company on whether to designate a DPO or not are detailed in Article 37 GDPR - Designation of the data protection officer. Namely, a company must designate a DPO if it is a public authority or body, or if its core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or if its core activities consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offenses. However, designating a DPO can be seen as a highly recommended organizational measure to lower the risks related to personal data processing.

    If the company decides to designate a DPO, we recommend taking the EU GDPR Data Protection Officer Course on Advisera (link below) and working with the EU GDPR Documentation Toolkit provided by Advisera (link below) that contains all necessary documentation to become GDPR-compliant.

    Please also consult these resources:

  • What are the laws and regulations to be included in the ISO 27001 Register of Requirements?

    Please note that information security is not related only to personal information. Some examples of information that may also need to be protected are business information (e.g., strategic plans, product R&D information) and financial information (e.g., tax payment records).

    Considering that, depending upon the Information Security Management System scope, besides personal data protection laws/regulations, organizations may also have to comply with other legal requirements (laws, regulations, or contracts) related to information, like the ones you mentioned.

    Our recommendation is for you to consult a legal advisor in your country.

    For further information, see:

    • How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
  • Maintaining ISO 17025 certification for labs (Food, Chemical) in Warzones

    There are accreditation policies in each country, aligned with ILAC (International organisation for accreditation bodies) requirements. These policies state when an accredited facility needs to be suspended or go into voluntary suspension. I suggest you contact NAAU, the National Accreditation Agency of Ukraine. Their website is https://naau.org.ua/.

  • Questions about ISO certification

    1. In the document “List_of_documents_ISO_27001_2013_Documentation_Toolkit_EN” there are check marks with an asterisk (e.g. #4): are they required for the ISO certification, or can we decide whether they concern us or not?

    Please note that the documents with check marks with asterisks are required when controls related to them are identified as applicable in the Statement of Applicability. Considering your example (#4 List of Legal, Regulatory, Contractual, and Other Requirements), the document is required when control A.5.31 is identified as applicable in the Statement of Applicability.

    From our experience, all companies mark control A.5.31 as applicable in the Statement of Applicability.

    2. The document “06_Statement_of_Applicability_27001_EN” has a list of the applicability of controls. How shall we decide which controls are important for us?

    In the Statement of Applicability, you have to mark a control as applicable if there are unacceptable risks, or if there are requirements from interested parties. Therefore, you have to complete the List of Legal, Regulatory, Contractual, and Other Requirements and the Risk Treatment Table before you write the Statement of Applicability.

    For further information, see:

    3. The headquarters and main company of ***, Inc. is in ***. We also have a subsidiary in ***, ***, belonging 100% to ***. How do we have to proceed with the ISO certification? Is the *** certification enough for both companies? Do we need an extra chapter in the ISO certification for the *** subsidiary?

    A single certification covering both sites, or a certification for each site, are acceptable possibilities, and your decision should consider your business objectives and strategies.

    A single certification is more complex to manage (e.g., both sites can be affected by issues related exclusively to one site), while different certificates create redundant costs related to the duplication of similar requirements.

    In any case, you need to align this situation with your certification body first.

    4. We need to set the confidentiality levels on all documents. Is the standard “for employee use only” for all documents good enough for the certifier?

    First, it is important to note that the definition of confidentiality levels is required only if control 5.12 Classification of information is identified as applicable in the Statement of Applicability.

    Considering that, your classification “for employee use only” for all documents may be acceptable for certification purposes.

    Please note that the control does not prescribe which confidentiality levels are to be defined (you may have only a single classification level) nor which information needs to be classified.

    For further information, see:

    • Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

  • Difference between MIR and FSCA report

    The valid version of MEDDEV 2.12 is Rev 8, published in January 2013.

    These two documents are not for the same purpose, so you need both of them. First, you need to make a report regarding an incident, and then, after you report it, you need to prepare the field safety corrective action. So you need both of them.
