You can use the following documents for both ISO 13485 and ISO 27001 because they are practically the same:
- Internal audit procedure
- Procedure for document and record control
- Corrective action procedure
All the other documents are different because they fulfill requirements specific to each standard, so these other documents cannot be integrated.
This way you can have an integrated system and reduce your administrative effort.
For development of an ISMS compliant with ISO 27001, the leading ISO standard for information security management, I suggest taking a look at the free demo of our ISO 27001 Documentation toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
These articles will provide you further explanation about ISMS compliant with ISO 27001:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/
These materials will also help you regarding ISMS compliant with ISO 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
From your question, I assume you are asking how to include such items in your existing equipment procedure, as you may not have covered all the components and accessories. To include the accessories of your Multi-product calibrator, you can reference documented criteria as guided by the manufacturer of the components in the product manual. If not specified, simply reference best practices for a particular item, for example “roll electrical cable to avoid kinks, and secure with a suitable tie”. Remember, a record is mandatory, so create a checklist with the required acceptance criteria, listing for example “cables were coiled”, “transported in a case”, “no visible kinks or damage evident”. When using the equipment, use the checklist to acknowledge that the criteria were met and retain your record as evidence.
For an overview of ISO 17025:2017 requirements, please read the following article:
What does ISO 17025:2017 require for laboratory measurement equipment and related procedures? https://advisera.com/17025academy/blog/2019/07/25/iso-17025-measurement-requirements-of-the-standard/
1 - Is there a documentation by specific Advisera that encompasses the controls in Annex A?
Answer: In your toolkit the documents which cover controls from Annex A are located in Folder 08 Annex A Security controls. To know which document covers which control, please see the List of documents file included in your toolkit.
Additionally, at Advisera site you have access to several articles and free downloadable materials covering controls from ISO 27001 Annex A (without more details about your needs we cannot point specific material, but feel free to send additional emails with specific doubts).
2 - Is a specific document necessary for each of the 114 controls?
Answer: ISO 27001 does not require you to document each and every control - in the List of documents that you received together with your toolkit you will see which documents are mandatory, and which are not.
In the toolkit you bought you have not only documents covering the mandatory requirements of the standard, but also documents covering the most common controls and practices adopted.
These articles will provide you further explanation about mandatory documents and controls from Annex A:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
- Overview of ISO 27001:2013 Annex A https://advisera.com/27001academy/iso-27001-controls/
- How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/
Is this new facility within the scope of your quality management system? If the answer is no, your organization does not need to do anything.
If the answer is yes, your organization should communicate that change to the certification body, together with a plan for the integration of that new facility in the quality management system.
For example, when an organization acquires another facility, ISO 9001:2015 clause 6.3 is used; some of the things that need to be done can be: training people in the new practices and procedures; introducing the new procedures; creating/changing quality control plans; integrating infrastructure in the system, calibrating monitoring resources, …
As an auditor I would like to see an integration plan and evidence of implementation and effectiveness verification. For example, everything can start with determining risks and opportunities coming from that new facility added into the quality management system.
You can get much more detailed information in the following links:
- Article - QMS Change Management in 7 steps – https://advisera.com/9001academy/blog/2016/11/29/qms-change-management-in-7-steps/
- Article - How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- Enroll for free - ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
- book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
You are mentioning our ISO 9001:2015 Premium Documentation Toolkit. With the toolkit you can speed up the design and implementation of your quality management system. After customizing the documentation and finishing the implementation you can select one of several certification bodies operating in your country to get ISO 9001:2015 certification. Certification costs depend on the number of days needed to audit an organization (normally a function of the number of employees and complexity).
The following material will provide you more information to help you:
- Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
- Buying the documentation is not miraculous; there is still work to be done - ISO 27001 documents – Why the templates are not enough? - https://advisera.com/27001academy/blog/2012/04/24/the-documentation-myth-why-the-templates-are-not-enough/
- How should you pick an ISO 9001 certification body? - https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
- Please check this free webinar on demand - How to use a Documentation Toolkit for the implementation of ISO 9001 - https://advisera.com/9001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-9001-free-webinar-on-demand/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
The first step that I recommend is to perform a Gap analysis, to determine the amount of work to be done.
With this information you can develop your project plan, listing what needs to be done, by whom, and by when.
After implementation, perform an internal audit and the management review. There you can decide that your organization is ready for certification audit.
You can get much more detailed information in the following links:
- Article - Should you use a gap analysis in your ISO 9001 implementation? - https://advisera.com/9001academy/17/use-gap-analysis-iso-9001-implementation/
- Free ISO 9001:2015 Gap Analysis Tool - https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
- Article - Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
- ISO 9001 Implementation diagram - https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram
- Project Plan for ISO 9001 implementation - https://info.advisera.com/9001academy/free-download/project-plan-for-iso-9001-implementation-ms-word
- Free webinar on demand – Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
- Enroll for free - ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
- book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
Writing the name on documents is not a specific requirement in ISO 9001. However, you need to make sure you control your documents and records according to the requirements of the standard, and to do so you will need to identify them somehow. Usually the steps in document and record control are the following:
1. You need to identify that kind of document, assigning it a name or designation, and assigning it an appropriate version.
2. You have to determine the authority that will approve that document and evidence that approval, for example by signature.
3. You need to determine where and how those documents will be available and who should have access to them.
The following material will provide you more information about document control:
- Article - New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
- Enroll for free in this course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book – Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
What are the internal and external criteria and factors that apply in the risk assessment?
Considering ISO 27005, the ISO standard for information security risk management, you have some of the following:
This material will also help you regarding ISO 27001 risk management:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
1. Who is responsible for the personal data which is processed with a third company (like a booking or a paying system)?
Booking companies and payment facilitators are acting as independent data controllers so they are responsible for all data they collect and process when providing the service to the data subjects.
2. If the Company can access the data (by e-mail, online account, etc.) but doesn't hold those data?
If the data can be accessed, it means processing of personal data according to Art. 4 of the GDPR; storing the data is not a condition for processing.
If you want to find out more about the EU GDPR check out this free EU GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course/