
  • Assets in the cloud

    If I understood correctly, you are talking about variations in the available capacity of a virtual server in the cloud. In this case, you do not need to take into account this variation in the asset register, only the server as a logical unit.

    For example, if you have a database server in the cloud, in your asset register you can record it as "cloud database server". This way, by the very nature of cloud working, you do not need to take into account configuration related to its required capacity.

    This article will provide you further explanation about asset register:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

  • Market research and EU GDPR

    No, the GDPR does not define the term “market research”. All the definitions in the GDPR can be found in Article 4. You can get more information on the impact of the GDPR on scientific research, including market research, in this study of the EU Parliament: https://www.europarl.europa.eu/RegData/etudes/STUD/2019/634447/EPRS_STU(2019)634447_EN.pdf

  • ISO 27001 and NESA requirements

    I'm assuming you are referring to the National Electronic Security Authority from the United Arab Emirates (UAE). Considering that, NESA develops documents based on ISO 27001 and several other established standards (such as NIST publications), but it does not define them as prerequisites, i.e., you do not need to implement ISO 27001 to comply with NESA requirements, although you can use the standard as a support to fulfill NESA requirements. If you have already implemented ISO 27001, then your implemented documents can be used to fulfill NESA requirements.

  • Filling SoA

    Months ago we had a call to talk about the certification process. Reviewing Conformio, I find a “Control Objectives” field on which I don't have much clarity on how to fill it out. Given the above, I would appreciate it if you could share some examples of the information that should go in this field.

    If I understood correctly, this field is part of the Statement of Applicability (SoA). Considering that, common practice is that the text of control objectives from ISO 27001 can be used (the ISO organization does not seem to have a problem with such an approach; however, you should not copy anything else from the standard).

    An example for control A.7.1.1 (Screening) would be: "To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered."

    This article will provide you further explanation about Statement of Applicability:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

  • Surveillance audit guidance for a mining company

    Surveillance audits are made by the certification body after a successful certification audit. While certification audits verify system design and implementation, surveillance audits are more about checking conformity with procedures and the standard.

    After certification, your organization will perform one or more internal audits every year. Objectives for those audits can be around verifying that your management system is working as designed. You can add more value and introduce an element of effectiveness and use the audit to verify if the quality management system is helping the organization in meeting its objectives. Those audits are similar to any other audit. Perhaps you can focus your attention on records. Are all the incidents being recorded? Measurements, complaints, corrective actions, non-conformities, internal audits, and management review, etc. Remember, if your organization had any minor non-conformity or observations during the certification audit, be sure that auditors will look into those issues with special care.

    The following material will provide you more information about surveillance audits:
    - What is an ISO 9001 surveillance audit? - https://advisera.com/9001academy/blog/2016/10/18/what-is-an-iso-9001-surveillance-audit/
    - Surveillance visits vs. certification audits - https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
    - Enroll for free course - ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book – Preparing for ISO Certification Audit: A Plain English Guide - https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/

  • Maintenance requirements for electrical equipment

    NFPA Standard 70 is national legislation in the USA and can also be used as good practice. IATF 16949 is a standard for the management system, and that is a different perspective; requirements for electrical equipment are basic.

    IATF 16949 is setting requirements for the system and NFPA Standard 70 is something you must comply with. NFPA Standard 70 has a short scope focused on electrical equipment. 

    Here are some articles that may help regarding IATF 16949:

    What is IATF 16949: https://advisera.com/16949academy/what-is-iatf-16949/ 

    Key benefits of IATF 16949 implementation: https://advisera.com/16949academy/knowledgebase/key-benefits-of-iatf-16949-implementation/ 

  • ISO 13485:2016 vs 13485:2012

    The European standard, EN ISO 13485:2012 Medical Devices - Quality Management Systems - Requirements for Regulatory Purposes, was published after approval by CEN on January 24, 2012. This replaces EN ISO 13485:2003, although the text of the global standard ISO 13485:2003 is unchanged; only the foreword and annexes in the European version have been revised. Therefore, there are no different requirements in ISO 13485:2012 compared to ISO 13485:2003.

    To identify the new requirements of ISO 13485:2016 vs 13485:2003, see Annex A at the end of the new ISO 13485:2016, which contains a table, Comparison of content between ISO 13485:2003 and ISO 13485:2016, where you can see all new requirements and the differences between these two versions.

    On the following link, there is an article with the list of mandatory documents required by ISO 13485:2016: https://advisera.com/13485academy/blog/2017/01/18/list-of-mandatory-documents-required-by-iso-134852016/ 

    On the following link you can download a free matrix ISO 13485:2016 vs. ISO 13485:2003: https://info.advisera.com/13485academy/free-download/iso-13485-2016-vs-iso-13485-2003-matrix

    Also, on the Advisera 13485 blog you can find a lot of articles regarding certain requirements from ISO 13485:2016 and how you can fulfill them: ISO 13485 Blog https://advisera.com/13485academy/blog/

  • Internal Auditor

    First, each organization has the authority to define the competency requirements of its internal auditors. 

    Second, as good practice internal auditors should comply with two basic requirements:

    - They know the standard;
    - They know good auditing practices.

    So, your internal auditors for ISO 9001:2015 already know good auditing practices. Do they know ISO 13485:2016? Can you certify their knowledge?

    As long as they meet those two criteria, they can be your internal auditors.

    The following material will provide you information about internal audits:

    - Five main steps in the ISO 13485:2016 internal audit - https://advisera.com/13485academy/knowledgebase/five-main-steps-in-the-iso-134852016-internal-audit/
    - Free webinar - How to perform an ISO 14001:2015 internal audit - https://advisera.com/14001academy/webinar/how-to-perform-an-iso-14001-2015-internal-audit-free-webinar/
    - Free online training - ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/

  • Business Continuity and Disaster Recovery Plans

    Please note that these templates have different purposes, and will be used separately by different teams during a disruptive event, so it is crucial that some commonly needed information, such as contact details, or authorizations, is displayed in every document.

    This article will provide you further explanation about BCP and DRP:
    - Disaster recovery vs Business continuity https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/

  • ISO 13485 and Staff morale

    In order for staff to have confidence in their company, they must first have confidence in their management. Implementing ISO 13485 will show that management is committed to taking the steps necessary to running an up-to-date and competitive company, which will give staff the vital sense of pride they need. When outlining employees' roles within the company, it is important that the instructions are explained as clearly and specifically as possible.

    Although the following article is about ISO 9001, it explains what the benefits for employees of introducing a quality system are, so please read it at the following link: What are the benefits of ISO 9001 for your employees?

    https://advisera.com/9001academy/blog/2016/06/14/what-are-the-benefits-of-iso-9001-for-your-employees/
