You can exclude control A.7.2.2 and texts which refer to it, and still be compliant with ISO 27001 requirements, if:
Regarding suppliers, ISO 27001 requires only the handling of related unacceptable information security risks, which is only a small part of the supplier relationship management process. Including other documents for supplier relationship management would only make the ISMS management unnecessarily complex, so we decided not to include them in the toolkit.
If your organization needs such additional documents for the management of supplier relationships, I suggest you take a look at these templates to see if they can fulfill your needs:
- Supplier Management Process https://advisera.com/20000academy/documentation/supplier-management-process/
- Underpinning Contract https://advisera.com/20000academy/documentation/underpinning-contract/
- Supplier Contract https://advisera.com/20000academy/documentation/supplier-contract/
- Supplier Performance Report https://advisera.com/20000academy/documentation/supplier-performance-report/
- Supplier Agreement Portfolio https://advisera.com/20000academy/documentation/supplier-agreement-portfolio/
This article will provide you with further explanation about supplier management:
- ITIL Supplier Management and Service Level Management – How to put the two in balance https://advisera.com/20000academy/blog/2015/11/10/itil-supplier-management-and-service-level-management-how-to-put-the-two-in-balance/
No, you do not need those documents. It is only necessary to state in the Quality manual which requirements are not applicable to you and why. For example, you will state in your Quality manual that requirement 7.5.5 Particular requirements for sterile medical devices is not applicable to you because you do not produce sterile medical devices.
It is not necessary for all employees to be educated in ISO 13485. There is no such requirement. However, there is a requirement, 6.2 Human resources, that all personnel performing work affecting product quality must have competencies or must be trained to achieve those competencies. For example, the person who does the programming alone must know the basics of ISO 13485 that are applicable, while, for example, a marketing person does not need to know the requirements of ISO 13485. A QA person does need to be educated in ISO 13485:2016.
Besides ISO 13485:2016, a QA person must have knowledge of any other standard that is specific to certain medical devices. For example, there is a medical software standard, IEC 62304:2006 Medical device software — Software life cycle processes https://www.iso.org/standard/38421.html, so the QA person must know which requirements from that standard are applicable or not. Also, any medical device that is to be CE marked must comply with the Medical Device Regulation https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:02017R0745-20170505, regardless of the medical device classification.
In terms of Human Resources, a policy with such details as you stated is not mandated by ISO 27001, and to keep the number of documents in the toolkit as small as possible we included in the toolkit only the mandatory documents and the most commonly used ones.
Considering that your organization needs this document for other reasons (normally an HR Security Policy is not recommended for smaller companies regarding ISO 27001), you can schedule a meeting with one of our experts to help you develop this document (online live consultation is part of your toolkit). You can schedule a meeting at this link: https://advisera.com/27001academy/consultation/
These articles will provide you with information about some of the topics you raised:
- What to consider in case of termination or change of employment according to ISO 27001 https://advisera.com/27001academy/blog/2018/09/03/what-to-consider-in-case-of-termination-or-change-of-employment-according-to-iso-27001/
- Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/
- What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/
- Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures//
For ISO management system standards, the internal audit can be performed either by the organization's own employees or by an external company on the organization's behalf.
Please note that an internal audit performed by an external organisation should not be confused with the certification audit, which is performed by a certification body.
This article will provide you with further explanation about internal audit:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
Neither ISO 27001 nor NIST controls define a frequency for penetration testing, but a good starting point for defining pen testing periodicity would be these criteria:
- results of previous penetration tests
- importance and related risks to the processes/systems that will be part of the penetration test's scope
This article will provide you with further explanation about penetration tests:
- How to use penetration testing for ISO 27001 A.12.6.1 https://advisera.com/27001academy/blog/2016/01/18/how-to-use-penetration-testing-for-iso-27001-a-12-6-1/
1. I am having trouble finding out how these two documents are connected (are both needed?) 11.A.8.1_Inventory_of_Assets_Integrated 07.1_Appendix_1_Risk_Assessment_Table_Integrated In inventory of assets.
The Risk assessment table is a mandatory document if you want to be certified against ISO 27001, while the inventory of assets is needed only if control A.8.1.1 (Inventory of assets) is considered applicable to your ISMS.
The relation between these documents is that all assets identified in the Risk assessment table must be copied to the Inventory of assets, provided that control A.8.1.1 is considered applicable.
2. How do we know how to assess "Impact/Consequences"? What do we base that rating on?
The way to perform the assessment of impact is defined in the Risk Assessment and Risk Treatment Methodology, located in folder 10 Risk Assessment and Risk Treatment of your toolkit.
The assessment of Impact/Consequences is based on the impact of the loss of confidentiality, integrity or availability of information.
By the way, included with your toolkit you have access to a video tutorial that can guide you on how to fill in the Risk Assessment table, presenting examples with real data.
This article may also be of interest to you, “How to assess consequences and likelihood in ISO 27001 risk analysis”: https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
3. And how do we transfer that rating to the Risk Assessment table?
Once you identify the impact/consequence level, whose range is defined in the Risk Assessment and Risk Treatment Methodology, you must enter this value in column G of the Risk assessment table.
You can also see how this is performed in the video tutorial mentioned in answer 2.
I am not sure I understand what your external auditor recommends.
ISO 9001:2015 does not allow exclusions, period. However, if one particular clause is not applicable within the quality management system scope, you do not exclude it; you just state that it is not applicable and explain why. Please check an example in this free webinar - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
Check also this article - What clauses can be excluded in ISO 9001:2015? - https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/