Search results

ISO 9001:2015 Scope

No, it is not a requirement that all customer-facing products and services have to be included in the scope.

It may be useful for an organization to exclude products and services from the management system. For example, different requirements from customers, or different requirements from regulation. It’s not a technical decision, it is a management decision.

For more information about the scope consider the following:

• What clauses can be excluded in ISO 9001:2015? - https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/
• Free webinar on demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

Business Development and Sales - core process?

Yes, it makes sense, you can put it as a separate company process. 

Joint Controllers

According to article 26 of GDPR, the joint controllers must “determine their respective responsibilities for compliance with the obligations under this Regulation […] by means of an arrangement between them […]  The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects”. So, since you mentioned that joint controllers A and B have such an agreement, the agreement should include each controller’s responsibilities related to each phase of personal data processing. If Company B suffered a data breach, then company B should be held accountable, but it depends a lot on what is exactly written in the data sharing agreement related to responsibilities, who is doing the reporting to the relevant data protection authority, and of course to what was communicated to the data subjects, as requested by Art 26 GDPR: “The essence of the arrangement shall be made available to the data subject.”.

Please check these links:

• Article 26 – Joint controllers: https://advisera.com/gdpr/joint-controllers/
• Article 24 – Responsibility of the controller: https://advisera.com/gdpr/responsibility-of-the-controller/
• Key roles defined in EU GDPR: https://advisera.com/articles/key-roles-defined-in-eu-gdpr/
• Implementing 3 main accountability principles under the EU GDPR: https://advisera.com/articles/implementing-3-main-accountability-principles-under-the-eu-gdpr/

GSPR

According to the MDR Article 10, point 9, The quality management system shall address at least the following aspects: 

b) identification of applicable general safety and performance requirements and exploration of options to address those requirements;

So there is no direct requirement for the procedure, but as part of your QMS, there must be an explanation for the general safety and performance requirements. 

For more information, see:

• EU MDR Article 10 - General obligations of manufacturers https://advisera.com/13485academy/mdr/general-obligations-of-manufacturers/

• Outsourced development

  Please note that, in a general way, when you have any part of the software development performed by personnel hired by external parties then you have outsourced development, regardless of the level of control your management have over this team, or the organization’s resources they have access to.

• Maintenance

  In the maintenance procedure, basically, how you will do the maintenance, where to register, your failure maintenance intervention method, your periodic maintenance types, your predictive maintenance types, and their frequencies should be explained. It is also good to mention your analysis method and actions to be taken for frequent maintenance failures.

  It may also be necessary to mention how and where to store spare parts and their minimum & criticality levels. Maintenance instructions should be written separately for the equipment. It would be good to have information such as how often equipment will be maintained, where to check, and how often to change.

• How would ISO 27001 help secure system from ransomware attack?

  The systematic approach for information security provided by ISO 27001 can help an organization justify, by means of risk assessment and legal requirements (e.g., laws, regulations, and contracts), why implementing security measures against ransomware attacks is important, and, by means of controls listed in its Annex A, which controls can be used (e.g., A.8.13 Information backup, A.8.8 Management of technical vulnerabilities, and A.8.7 Protection against malware).

  This article will provide you with further explanation about treatment against malware:

  • How can ISO 27001 help protect your company against ransomware? https://advisera.com/27001academy/blog/2016/11/14/how-can-iso-27001-help-protect-your-company-against-ransomware/

• Information security policy review

  Depending upon the quantity and severity of information security incidents, you should review some elements of the Information Security Policy, such as:

  • risk management: are the process steps and acceptance criteria properly defined?
  • responsibilities: responsibilities for implementation, maintenance properly assigned
  • support: all required resources to implement and improve information security are available

  Please note that in most cases the information security incidents will point to minor adjustments in specific controls or processes.

  For further information, see:

  • What is the ISO 27001 Information Security Policy, and how can you write it yourself? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/

• Residual Risk Question

  Please note that the information about measures taken to mitigate risk and the residual risk level can be found in Appendix 2 - Risk Treatment Sheet of the Risk Assessment and Treatment Report

  You can find this document through the link “Documents” in the left panel in Conformio main screen, path ISO 27001 >> Lists reports statements and plans.