In ISO 45001:2018 clause 4.1, context of the organization is understanding the internal and external issues that affect your ability to implement and maintain your OHSMS. Do you have an internal culture of safety or not? This would be an internal issue. A supplier notifying you that they are stopping production of a cleaning chemical you use (where the replacement is more hazardous) would be an external issue. This helps you to understand your organizational context; how it fits into the world around you.
You can learn more in this article: Defining the context of the organization according to ISO 45001, https://advisera.com/45001academy/blog/2016/02/03/defining-the-context-of-the-organization-according-to-iso-45001/
Please consider ISO 9001:2015 clause 9.3.2 c) 6).
One of the relevant inputs to a management review is the result of audits.
You want to have a comprehensive global insight into how the system is performing and why. Audits give you a picture beyond the results from performance indicators.
So, a good management review will include information from audits.
The following material will provide you information about the management review:
- Article - How to make Management Review more useful in the QMS - https://advisera.com/9001academy/blog/2013/12/10/make-management-review-practical/
- Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- Book - Preparing for ISO Certification Audit: A Plain English Guide - https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
The first qualified person is a person who, because of his/her knowledge, training and experience, is qualified to perform that task safely and properly. This person can be trained, for example, by the manufacturer of the equipment used in the validation process, or this person can even be someone who developed a certain validation process.
In ISO 13485:2016 section 7.5.6 Validation of processes for production or service provision, there is no requirement for a procedure that specifies the first person to be qualified.
For more information on how to manage the validation process, please read the following article:
Using ISO 13485 to manage process validation in the medical device manufacturing industry https://advisera.com/13485academy/blog/2017/09/07/using-iso-13485-to-manage-process-validation-in-the-medical-device-manufacturing-industry/
Never mind, I got the answer as per https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
Thanks
Control A.18.1.2 is covered by the IT security policy template.
Regarding the other mentioned controls, we do not have those included in our toolkit. Please note that Advisera's ISO 27001 Documentation Toolkit does not have a document for each and every control from ISO 27001 because of the following reasons:
1) ISO 27001 does not require each and every control to be documented
2) If the toolkit had a document for each control, there would be too many documents, and this would be an overkill for smaller and mid-size companies.
Since our target is SMEs, we have decided to include an optimum amount of documents for companies of this size - the toolkit includes:
- All the mandatory documents - e.g. Information Security Policy, Statement of Applicability, Risk Assessment Methodology, Access Control Policy, etc.
- Documents that are not mandatory, but are commonly used - e.g. BYOD Policy, Classification Policy, Password Policy, Backup Policy, etc.
You can see a full list of documents included in the toolkit in this page: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
First, it is important to note that cybersecurity covers several areas, so you should first decide which one to focus on. For example:
- Security Architect
- Security Consultant
- Penetration Tester/Ethical Hacker
- Chief Information Security Officer (CISO)
Once you have chosen one field, you should consider the most relevant certifications and best practices related to it. For example, for CISO some examples are CISM and CISA certifications.
For security consultants who wish to work in cybersecurity based on the ISO 27001 standard, the leading standard for information security management, there are two options:
- ISO 27001 Lead Implementer – this certification recognizes people who have competency in the ISO 27001 implementation process.
- ISO 27001 Lead Auditor – this certification recognizes people who have competency in auditing an ISMS against ISO 27001 requirements and want to become certification auditors (which gives more confidence to an organization being certified).
These articles will provide you further explanation about ISO 27001 personnel certifications:
- What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
- What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
- Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/
This material will also help you regarding ISO 27001 personnel certifications:
- ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/
A remote internal audit is possible, provided that required evidence of conformance does not need the physical presence of the auditor on-site. For example, to audit the conformance of an information system that can be remotely accessed or the conformance of a procedure, there is no need for the auditor's presence (he only needs to have access to the system or receive a scanned copy of physical documents and records). On the other hand, to audit the conformance of physical security controls, it might be necessary for the auditor to be on-site if the company cannot provide evidence of such controls remotely (e.g. through photographs, plans, maps, etc.).
You can include the determination of vigilance reporting in the Customer complaint procedure, for cases when a complaint is received about a device malfunction, deterioration in device performance, inadequate instructions, or inadequate labeling that results in death or serious injury, or that may lead to death or serious deterioration in state of health if it were to recur.
For more information about ISO 13485:2016 requirements for handling complaints, please read the following article: How to comply with ISO 13485:2016 requirements for handling complaints https://advisera.com/13485academy/blog/2017/03/21/how-to-comply-with-iso-134852016-requirements-for-handling-complaints/
If you need more information on how the vigilance system has to be prepared in the EU according to the MDD, please read the following guidelines: https://ec.europa.eu/growth/sectors/medical-devices/current-directives/guidance_en, and look for MEDDEV 2.12-1 rev 8 - GUIDELINES ON A MEDICAL DEVICES VIGILANCE SYSTEM.
If you need more information on how the vigilance system has to be prepared according to the FDA, please read the following guidelines: https://www.fda.gov/medical-devices/medical-device-safety/medical-device-reporting-mdr-how-report-medical-device-problems
ISO 27001 does not prescribe who must be the asset owner, so you can define that the Information Security Officer is the asset owner for all assets.
These articles will provide you further explanation about asset management:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
- Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
Thanks a lot - if possible, please inform me as soon as you publish it.