Search results


  • Merging ISO 9001 & ISO 17025

    Whether you apply for the laboratory’s accreditation with Option B depends on your organizational structure and whether ISO 9001 applies to just the laboratory, or to other departments in the organization. Have a look at the Q&A at https://community.advisera.com/topic/implemention-of-iso-17025/ for more information and links.

    If you choose Option B, ensure that the laboratory activities and ISO 17025 requirements covered in the ISO 9001 processes and procedures are met sufficiently. You should identify this through a gap audit.

  • Is ISO 27001 certification relevant for us?

    Please note that ISO 27001 can be used to help protect the information in any media, either electronic or physical format.

    Since your business is related to physical records storage, many controls suggested in ISO 27001 Annex A can help you increase the confidence of your customer in your business.

    For further information, see:

  • Some question about certification ISO 27001

    1. On which documents do we have to write the information like “User, Version, Change History etc.”? In the document “00_Verfahren_zur_Lenkung_von_Dokumenten” it is written that this procedure encompasses all documents and records, stored in any possible form – paper, audio, video – if the documents are related to the ISMS. But which documents does it concern exactly?

    The easiest way to figure out to which documents you need to apply document control information is to check which documents you mention in the policies and procedures included in your toolkit.

    For example, in the Secure Development Policy, section 3.3 Secure engineering principles it is mentioned that procedures for secure information system engineering will be issued, so these procedures must contain document control information.

    Please note that user/version/change history is applicable only for documents.

    For further information, see:

    2. Similar question: Which documents have to include the master list and which the incoming mail book?

    First, it is important to note that ISO 27001 does not require a master list to be created.

    Considering that, in a master list you include information about all documents related to the ISMS scope (e.g., policies, procedures, reports, etc.), while in the incoming mail book you include information about documents of external origin, like customer and supplier documents, standards, laws, etc.

    3. And then we need to know, which information could be confidential? The entire certification process of the ISMS isn’t confidential but completely public for us.

    First, it is important to know that you only need to classify information in case you have risks, or legal requirements, demanding the implementation of control 5.12 Classification of information.

    Considering that, based on relevant risks and applicable legal requirements you can define the necessary classification levels (and you can even have a single classification level) and the criteria to apply them.

    Considering your statement, in case all information in your ISMS is accessible to your employees, but not to external parties, examples of classification levels to be used would be “internal” and “public”.

    For further information, see:

    • Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

  • ISO 9001:2015 and the Accounting department

    No, ISO 9001:2015 doesn’t apply to the accounting department. Please check clause 0.4: 0.4 Relationship with other management system standards.

  • Can a small start-up be ISO 13485 certified?

    According to the EU regulation, each manufacturer of medical devices needs to have implemented ISO 13485, no matter the size of the company. I know that it is sometimes hard to implement a quality management system for only 3 people, but it is doable and mandatory for the EU market.

    In February this year, the FDA published the Quality System (QS) Regulation/Medical Device Good Manufacturing Practice, which has to align the requirements from the FDA to the requirements of ISO 13485:2016. For this reason, yes, our Documentation toolkit for ISO 13485 is in compliance with FDA. Considering the MDR technical documentation part of the toolkit, there are differences between FDA and EU MDR 2017/745.

    Differences are described in the following article: https://www.fda.gov/medical-devices/postmarket-requirements-devices/quality-system-qs-regulationmedical-device-good-manufacturing-practices

    For more information, see:

    • FDA vs. EU MDR Technical Documentation Matrix https://info.advisera.com/13485academy/free-download/fda-vs-eu-mdr-technical-documentation-matrix

  • Who should prepare the Quality System documentation?

    Thank you.

    Yes, that’s also a possible way of writing the quality system documentation. It is always recommended to involve practitioners because they have first-hand experience about what is being done every day.

  • Assets

    ISO 27001 is a cybersecurity standard that contains some controls (safeguards) for the cloud, so most companies do include cloud assets in the scope when implementing this standard. In other words, if you have sensitive data in the cloud, it makes sense to include your cloud environment in the scope even if you do not go for ISO 27017.

    ISO 27017 provides you with some extra controls for the cloud environment, but this does not mean that the cloud environment should be excluded if you do not go for this standard.

    See also:

  • ISO 27001 Auditor Question

    Your assumption is correct. Lack of internal audit is a major nonconformity because it is a mandatory requirement.

    When a major nonconformity is found the auditor does not need to stop the audit; however, he needs to inform the customer that it will not be possible to recommend for certification.

    Regarding the suggestion of implementation training, although it is common to make such a suggestion, first you need to evaluate if the reason for failing to comply with a mandatory requirement was due to lack of knowledge about the implementation process, or other operational cause, such as lack of personnel or resources.

  • ISO 27001 documentation format

    ISO 27001 does not prescribe a format for document creation, so you can use any format that fits your organization’s needs.

    For further information, see:

  • ISMS scope

    1. Should DC1 be excluded from the scope, and when?

    From your question I understand that only physical space will be rented.

    Considering that, only the physical space and its management should be excluded from the scope, by the time you move your assets to the rented space.

    2. How to include systems hosted at DC3 in the scope and under proper security control?

    Since these systems (i.e., hardware and software) are already in the scope, as part of DC1, and DC3 is out of the scope, you need to state the systems in the scope, instead of stating a data center.

    3. What will be the recommended scope statement due to the changes?

    An example of a changed scope is:

    "Provision of IT services of the Data Centre Facilities at DC2 & remote managed systems at DC 3 to the customers of ***."
