Search results


  • Documents implementation

    1. As part of the ISMS implementation, do all the Advisera templates have to be read and understood by all colleagues in the organization after we fill them in, or only the Information Security Policy document?

    First, it is important to note that not all templates need to be implemented; only those identified as mandatory by the standard, and those related to controls identified as applicable according to the risk assessment results, need to be implemented (you can see which files these are in the List of Documents file included in your toolkit).

    Considering that, individual people need to read only the documents that are relevant to them, i.e., not all employees in the organization need to read all documents.

    This article will provide you with further information about the documents to be implemented:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    2. In every document, it is mentioned that “Users of this document are [job title].” So here, should we mention the concerned approver or the person (e.g., the CISO, or all the users in the department)?

    Please note that every time a document mentions “Users of this document are [job title].” you need to identify the person(s) or role(s) who need to know the document in order to perform an information security related activity. So the information here will vary from case to case.

    For example, for the Information Security Policy, all personnel in the scope are users of this document. For the backup policy, it can be restricted to IT staff, and the management review may be limited to top and senior management personnel.

    This article will provide you with further explanation about documenting responsibilities:
    - How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/

  • Compliance officer, DPO, and CISO

    Considering these definitions:
    - Compliance officer: professionally responsible to ensure that all requirements (e.g., statutory, legal, contractual, etc.), internal and external, are fulfilled.
    - Data Protection Officer: professionally responsible for the protection of data.
    - Chief Information Security Officer: a senior-level executive responsible for an organization's information and data security.

    In this scenario, the compliance officer has a broader scope of work. He has to work with ALL internal and external requirements (information security requirements are only part of the business).

    The DPO and CISO work more closely but from different points of view. While the DPO focus is to ensure data is protected, the CISO must also balance the need for data protection with business objectives, strategies, and available resources.

  • Handling assets

    In case an inventory of assets is applicable to your organization, ISO 27001 does not prescribe how you must handle assets, so you can group them in whatever way best fits your organization's needs.

    For example, you can group your servers if they have similar characteristics, or share similar risks.

    This article will provide you with further explanation about the asset register:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

  • Applicable ISO 9001:2015 clause

    I don’t have enough information about what you consider a project. A project can be about design and development of a new product or service, and a project can be about product realization like a building.

    If the project is about design and development, monitoring delays can be used as a way of monitoring and controlling project evolution. In that case we are talking about clause 8.3.4 b) (project review activities), and 8.3.4 f) states the need to keep records of project review activities.

    If the project is about product realization, clause 8.5.1 a) 2) can be related to the results to be obtained with the project (quality, cost, and delivery). Clause 9.1.1 (last paragraph) requires keeping records to evidence results.

    The following materials will provide you with more information about mandatory records:

    - Article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
    - Free webinar on demand - Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
    - Free online training - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Processes and records for CE purposes

    1. So if I understand correctly, the auditor will also need to audit the relevant processes at our external foreign production facility, as part of our ISO 13485 certification process?

    Yes, you understood it correctly - the auditor will also need to audit the relevant processes at your external foreign production facility, as part of your ISO 13485 certification process. When it comes to the manufacture of medical devices, production must be audited during the audit, regardless of whether the production takes place within the company or is outsourced.

    2. How would this relate to the fact that these exact processes are already ISO 13485 certified processes? Would this help in any way? Could the auditor (partly) rely on this?

    According to the definition in ISO 13485:2016 of who the manufacturer is (3.10): “natural or legal person with responsibility for design and/or manufacture of a medical device....; whether or not such a medical device is designed and/or manufactured by that person himself or on his behalf by another person(s).” No matter that your manufacturing process is outsourced, it remains your responsibility and needs to be audited as your process. The fact that this company is ISO 13485 certified only helps them insofar as they know what to expect during the audit.

  • ISO standard for physical security

    I'm assuming you are referring to an ISO standard for physical security. Considering that, please note that physical security is a broad topic (e.g., from the protection of facilities to the protection of credit card readers), so without further detail it is not possible to give you a more precise answer.

    What I can tell you is that most ISO standards related to physical security are related to Information Technology (e.g., ISO/IEC TS 30104:2015 Information Technology — Security Techniques — Physical Security Attacks, Mitigation Techniques, and Security Requirement; ISO/IEC TS 22237-6:2018 Information technology — Data center facilities and infrastructures — Part 6: Security systems; and ISO/IEC NP 24383 Information technology — Physical network security for the accommodation of customer premises cabling infrastructure and information technology equipment).

    On this ISO site, you can make a more detailed search according to your needs: https://www.iso.org/search.html?q=physical%20security&hPP=10&idx=all_en&p=0&hFR%5Bcategory%5D%5B0%5D=standard

    These articles will provide you with further explanation about physical security and ISO 27001:
    - Physical security in ISO 27001: How to protect the secure areas https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/
    - How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 1 https://advisera.com/27001academy/blog/2016/04/18/how-to-implement-equipment-physical-protection-according-to-iso-27001-a-11-2-part-1/
    - How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 2 https://advisera.com/27001academy/blog/2016/04/26/how-to-implement-equipment-physical-protection-according-to-iso-27001-a-11-2-part-2/

  • Customer feedback

    For the European market, there are guidelines from the European Commission at the following link:

    https://ec.europa.eu/growth/content/draft-guide-distribution-medical-devices-including-vitro-diagnostic-medical-devices_en

    For the American market, please follow the guidelines from the FDA at the following link:

    https://www.fda.gov/medical-devices/device-registration-and-listing/who-must-register-list-and-pay-fee

  • ISO 9001 for R&D

    Who decides the product specification, the supplier, the customer, or a co-creation? If the supplier decides the final product specification, clause 8.3 applies.

    If the customer defines the final product specification, clause 8.3 does not apply. Although the question remains about development (what raw materials to use, what production process to use, what process parameters to follow, what process control to follow, what quality control to follow).

    The following material will provide you with information about the applicability of clauses:

    - What clauses can be excluded in ISO 9001:2015? - https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/
    - Free webinar on demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
    - Free online training - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • GDPR and local legislation

    Do state authorities have to comply with GDPR? Are there any restrictions?

    Yes, all controller entities must comply with the GDPR provisions. There is one exemption for state authorities: these cannot rely on legitimate interest when processing personal data.

    How does the GDPR compare to the national laws?

    The EU GDPR is called in legal terms “lex generalis”, meaning that it can be overridden by special national laws such as the Criminal Code, the Tax Code, etc.

    Which will prevail in a conflict between GDPR and national laws?

    If the conflict is between a special national law and the GDPR the national law will prevail.

    Does an IP constitute personal data?

    Personal data is defined in art. 4 as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. An IP is an identification number and thus is considered personal data.

    Can you please provide an example on what automated decision making means?

    A classic example of automated decision making is the automated credit checking performed by banks. Basically, an algorithm is deployed to calculate eligibility for a loan based on age, studies, income, gender, etc., and to automatically generate a report on the solvability of the potential client.

    If you want to find out more about the EU GDPR check out this EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//)

  • Certification bodies in Germany

    Please note that you can be ISO 27001 certified by any organization recognized as a certification body by an accreditation body. In Germany, the accreditation body is the German National Accreditation Body (Deutsche Akkreditierungsstelle, DAkkS).

    From this DAkkS site (https://www.dakks.de/en/content/accredited-bodies-dakks) you can find German certification bodies for ISO 27001.

    This search result (https://www.dakks.de/en/content/accredited-bodies-dakks) provided 9 certification bodies in Germany (TÜV SÜD, SGS-TÜV, and DQS among others). Please note that TÜV is a designation, not the name of an organization, i.e., not all organizations named TÜV are related or part of a bigger company.

    This article can provide you further information about certification bodies:
    - How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
