Please consider ISO 9001:2015 clause 9.3.2 c) 6).
One of the relevant inputs to a management review is the result of audits.
You want to have a comprehensive global insight into how the system is performing and why. Audits give you a picture beyond the results from performance indicators.
So, a good management review will include information from audits.
The following material will provide you information about the management review:
- Article - How to make Management Review more useful in the QMS - https://advisera.com/9001academy/blog/2013/12/10/make-management-review-practical/
- Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- Book - Preparing for ISO Certification Audit: A Plain English Guide - https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
The first qualified person is a person who, because of his/her knowledge, training and experience, is qualified to perform that task safely and properly. This person can be trained, for example, by the manufacturer of the equipment used in the validation process, or this person can even be someone who developed a certain validation process.
In ISO 13485:2016 section 7.5.6 Validation of processes for production or service provision, there is no requirement for a procedure that specifies the first person to be qualified.
For more information on how to manage the validation process, please read the following article:
Using ISO 13485 to manage process validation in the medical device manufacturing industry https://advisera.com/13485academy/blog/2017/09/07/using-iso-13485-to-manage-process-validation-in-the-medical-device-manufacturing-industry/
Never mind, I got the answer as per https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
Thanks
Control A.18.1.2 is covered by the IT security policy template.
Regarding the other mentioned controls, we do not have those included in our toolkit. Please note that Advisera's ISO 27001 Documentation Toolkit does not have a document for each and every control from ISO 27001 because of the following reasons:
1) ISO 27001 does not require each and every control to be documented
2) If the toolkit had a document for each control, there would be too many documents, and this would be an overkill for smaller and mid-size companies.
Since our target is SMEs, we have decided to include an optimum amount of documents for companies of this size - the toolkit includes:
- All the mandatory documents - e.g. Information Security Policy, Statement of Applicability, Risk Assessment Methodology, Access Control Policy, etc.
- Documents that are not mandatory, but are commonly used - e.g. BYOD Policy, Classification Policy, Password Policy, Backup Policy, etc.
You can see a full list of documents included in the toolkit in this page: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
First, it is important to note that cybersecurity covers several areas, so you should first decide which one to focus on. For example:
- Security Architect
- Security Consultant
- Penetration Tester/Ethical Hacker
- Chief Information Security Officer (CISO)
Once you have chosen one field, you should consider the most relevant certifications and best practices related to it. For example, for a CISO, some examples are the CISM and CISA certifications.
For security consultants who wish to work in cybersecurity based on the ISO 27001 standard, the leading standard for information security management, there are two options:
- ISO 27001 Lead Implementer – this certification recognizes people who have competency in the ISO 27001 implementation process.
- ISO 27001 Lead Auditor – this certification recognizes people who have competency in auditing an ISMS against ISO 27001 requirements and want to become a certification auditor (and with this provides more confidence to an organization for being certified).
These articles will provide you further explanation about ISO 27001 personnel certifications:
- What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
- What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
- Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/
This material will also help you regarding ISO 27001 personnel certifications:
- ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/
A remote internal audit is possible, provided that required evidence of conformance does not need the physical presence of the auditor on-site. For example, to audit the conformance of an information system that can be remotely accessed or the conformance of a procedure, there is no need for the auditor's presence (he only needs to have access to the system or receive a scanned copy of physical documents and records). On the other hand, to audit the conformance of physical security controls, it might be necessary for the auditor to be on-site if the company cannot provide evidence of such controls remotely (e.g. through photographs, plans, maps, etc.).
You can include determination of vigilance reporting in the Customer complaint procedure, for when a complaint about device malfunction, deterioration in device performance, inadequate instructions, or inadequate labeling results in death or serious injury, or may lead to death or serious deterioration in state of health if it were to recur.
For more information about ISO 13485:2016 requirements for handling complaints, please read the following article: How to comply with ISO 13485:2016 requirements for handling complaints https://advisera.com/13485academy/blog/2017/03/21/how-to-comply-with-iso-134852016-requirements-for-handling-complaints/
If you need more information on how the vigilance system has to be prepared in the EU according to the MDD, please read the following guidelines: https://ec.europa.eu/growth/sectors/medical-devices/current-directives/guidance_en, and look for MEDDEV 2.12-1 rev 8 - GUIDELINES ON A MEDICAL DEVICES VIGILANCE SYSTEM.
If you need more information on how the vigilance system has to be prepared according to the FDA, please read the following guidelines: https://www.fda.gov/medical-devices/medical-device-safety/medical-device-reporting-mdr-how-report-medical-device-problems
ISO 27001 does not prescribe who must be the asset owner, so you can define that the Information Security Officer is the asset owner for all assets.
These articles will provide you further explanation about asset management:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
- Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
thanks a lot - if possible please inform me as soon as you publish it
Please note that ISO 27001 does not require Business Impact Analysis to be performed or documented, and it does not require the register of risks and opportunities related to clause 6.1.1. Only risks related to information security need to be recorded (see clauses 6.1.2 and 6.1.3). To try to convince your management to document this information you need to show them that there is some added value for your organization (e.g., it can be used to support other processes, not related to your ISMS scope).
To help you with ISO 27001 implementation, I suggest you take a look at our ISO 27001 documentation toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
This toolkit contains templates covering the mandatory requirements of the standard, and the most commonly used documents. Additionally, each template is almost 90% complete (you only have to include the details of your organization). As part of the toolkit, you have access to expert advice in the form of our Expert community and online meetings.
These articles will provide you further explanation about ISO 27001 implementation:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/
These materials will also help you regarding ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- Conformio (online tool for ISO 27001) https://advisera.com/conformio/