Search results


  • Security Master Plan

    Security Master Plan is not a concept used by ISO 27001, but considering the following definition from SGW Consulting:

    "The Security Master Plan is a document which comprises a report, drawings, and illustrations that set out the organization's security strategies, goals, plans, policies, and procedures. It is used to provide a detailed outline of the security risks and mitigation plans agreed between stakeholders."

    The closest ISO 27001 related documents are:
    - Risk assessment and risk treatment report: outline of the security risks
    - Statement of applicability: plans, policies, and procedures
    - Risk treatment plan: security strategies (i.e., treatment options)

  • Studying for certification

    Regarding ISO 27001, there is no prerequisite to attend the courses required to take the exams for ISO 27001 Lead Auditor and ISO 27001 Lead Implementer certifications, so you can just enroll in courses with accredited exams, like our ISO 27001 Lead Auditor course (https://advisera.com/training/iso-27001-lead-auditor-course/)

    This article will provide you with further explanation about the lead auditor course:
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/

    Regarding PCI-DSS, CISM and CISSP, these aren't our area of expertise, but generally speaking, you have to provide evidence of experience and take an exam (you can study on your own or take a course; this will depend on the time you can dedicate and your discipline to study). For further information, including options for training, I suggest these links:
    - PCI-DSS: https://www.pcisecuritystandards.org/program_training_and_qualification/pci_professional_qualification
    - CISM: https://www.isaca.org/CERTIFICATION/CISM-CERTIFIED-INFORMATION-SECURITY-MANAGER/Pages/default.aspx
    - CISSP: https://www.isc2.org/Certifications/CISSP#

  • Integrating ISO 27001 and ISO 13485

    Unfortunately, we do not have this specific mapping available.

    However, you can combine the information provided in ISO 13485 Annex B (which maps ISO 13485:2016 clauses to ISO 9001:2015 clauses) with the information provided in this free downloadable material to have a link between ISO 13485 and ISO 27001:

  • ISO 14001 and EIA

    Yes, there is a relationship. EIA is used to determine and evaluate the environmental impacts of products, processes, and investments still in the project phase. So, an organization with an environmental management system, when facing new products, new machines, or new installations, should perform an EIA as a good preventive practice. It is another way of considering the life-cycle topic.


    Please consider the following documentation about environmental aspects and impacts to go deeper into the topic:
    Article - environmental aspects identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/knowledgebase/environmental-aspect-identification-and-classification/
    Article - 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
    Free webinar on demand - ISO 14001:2015 Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar/
    Enroll for free in the course - ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-foundations-course/
    Book - The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

  • Enforcing GDPR in the United States

    The Supervisory Authorities in Europe cannot enforce the GDPR outside EU borders. However, if that entity has a representative in the EU, that representative will be responsible for any infringement of the GDPR by the US company.

    If you want to find out more about the extraterritorial reach of the EU GDPR check out this EU GDPR Foundations course (https://advisera.com/training/eu-gdpr-foundations-course//)

  • Changes in kit manual or kit inset

    Instructions for Use (IFU) for in-vitro medical devices (IVD) must have a unique reference to identify the right version of the IFU. This reference should allow the user to retrieve the applicable IFU. Usually, this unique reference mark is printed in a small font size somewhere in the corner of the IFU. Each time you change something in the IFU, you need to mark the new revision of the IFU. Changes are best documented through the change control process. According to ISO 13485 clause 4.2.4 c), you need to ensure that different versions of the documents can be distinguished, and according to 4.2.4 h), to prevent the unintended use of obsolete documents.

    At the following link you can find information on what must be in the IFU and what the purpose of the unique reference number is: https://ec.europa.eu/docsroom/documents/10293/attachments/1/translations

    For more about common mistakes in ISO 13485 documentation control, please read the following article:

    Common mistakes with ISO 13485:2016 documentation control and how to avoid them  https://advisera.com/13485academy/blog/2018/03/14/common-mistakes-with-iso-134852016-documentation-control-and-how-to-avoid-them/

  • Label printing validation

    The following things need to be considered for label printing validation:

    1. Print quality and durability (Printability of the design, Computer printer selection, Abrasion resistance; preprint and imprint, Chemical and solvent resistance)

    2. Adhesive properties (Adhesive composition, e.g. hot melt, emulsion acrylic, etc., Adhesive initial tack and ultimate bond, Substrates adhered to and their shape, Application temperature, Operating temperature, Sterilization environment)

    3. Environmental conditions (Package composition, Shipping method, and conditions, Storage conditions and length of storage, Chemical resistance)

    Here is the proposed plan:

    1. Adhere samples to appropriate substrates at accepted sample size.

    2. Peel tests after 24-72 hours

    3. Temperature and humidity conditioning

    4. Visual inspection and peel tests

    5. Abrasion testing

    6. Sterilization and final package tests

    7. ‘Shake, rattle, and roll’ tests

    Tests that can help you are:

    - ASTM D3330, Peel adhesion of PS material

    - ASTM D5264, Sutherland abrasion and smudge resistance test

    - ASTM F1319, Crockmeter abrasion and smudge resistance test

    - ASTM F2252, Ink adhesion tape test

    - ASTM F2250, Chemical exposure, inks & coatings

    - ASTM D4169, Distribution testing, “Shake, rattle, & roll”.

    - ASTM F1980, Accelerated aging

    However, with regard to the need for process validation, the label printing operation can be rendered "non-special" since the process output is fully verifiable through subsequent inspection. 

  • ISO 45001 Certification

    When you ask about the need to certify to ISO 45001 you could mean one of two things, so I will answer both questions:

    First, the ISO 45001:2018 standard gives the option to either certify your OHSMS with an external organization, or to self-determine and self-declare conformance to the standard by the company. This could then be confirmed by interested parties or others; this is all captured in section 0.5, Contents of this document. What this means is that you can use the ISO 45001 requirements to implement an OHSMS at your organization, and then declare that you meet the requirements without having a third-party certification body audit your organization; you could not use the term "certified", though, with self-declaration.

    Second, if you are asking if there is a requirement to implement the ISO 45001 standard and create an OHSMS at your company, then this is something that you need to verify with your customer and legal requirements. If you have a customer or legal entity demanding this, then implementation is something you will need to do. ISO itself has no legal authority to impose these requirements on an organization, so you will need to verify your own industry, customer and legal requirements.

    There are good reasons to implement the OHSMS even if not required, and you can read more about these benefits in the article: 4 key benefits of ISO 45001 for your business, https://advisera.com/45001academy/blog/2015/09/30/4-key-benefits-of-iso-45001-for-your-business/

  • Questions about certification

    1. How many organizations implemented ISO 27001 and got certified?

    There is no way to gather information about how many organizations implemented ISO 27001, since it is not mandatory for organizations to publicize that they adopted the practices of this standard.

    Regarding information about ISO 27001 certified organizations, unfortunately, there is no central list of certified organizations (you must consult each certification body to track which companies are certified by them).

    However, the ISO site provides an ISO survey where you can find general information about certifications, like total quantity, quantity per country, quantity per industry, etc. It does not name organizations.

    You can find this survey at this link: https://isotc.iso.org/livelink/livelink?func=ll&objId=18808772&objAction=browse&viewType=1

    According to this survey, in 2018 we had a total of 31910 ISO 27001 certified organizations around the world.

    2. How long to get ISO 27001 certification?

    The duration of the implementation project varies according to many variables (e.g., available resources, experience with the standard's requirements, top management involvement, etc.), but for small and medium-size organizations the implementation generally takes from 3 to 12 months.


    To get an insight into the time duration for your organization, please access our ISO 27001/ISO 22301 Implementation Duration Calculator at this link: https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/

    This article will provide you with further explanation about the implementation process:
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    3. How much does ISO 27001 certification cost?

    There are a significant number of variables to be considered when estimating an implementation cost, so without more detailed information, it's not possible to give a precise value. What I can tell you are some cost items you should consider:
    - Training and literature
    - External assistance
    - Technologies to be updated/implemented
    - Employee's effort and time
    - The certification process

    Regarding ISMS maintenance costs, the above-mentioned costs also have to be considered, but at different levels, and you have to add the surveillance audit costs for certification maintenance.

    These articles can provide you more information:
    - How much does ISO 27001 implementation cost? https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
    - 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/19/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/
    - How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project/

  • Business continuity and ISO 27001

    ISO 27001 requirements regarding business continuity are covered by section A.17 of its Annex A (Information security aspects of business continuity management), and they are mostly related to IT disaster recovery.

    ISO 27001, like other management standards, does not prescribe how to implement solutions, only what must be implemented, and this approach makes it easier to integrate these controls with practices of other standards, like BIR 31111 & ISO 22301.

    These articles will provide you with further explanation about business continuity and ISO 27001:
    - How can ISO 27001 and ISO 22301 help with critical infrastructure protection? https://advisera.com/27001academy/blog/2017/09/25/how-can-iso-27001-and-iso-22301-help-with-critical-infrastructure-protection/
    - How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/
