Search results

Register of requirements: Granularity of entries

ISO 27001 does not prescribe the granularity related to requirements registering, so you can define the granularity to be used as best it fits your organization. 

For example:

• You can use a general entry covering contracts with the same content
• You can use specific entries to associate contracts with specific customers
• You can add entries related to specific clauses present in different types of contracts

You can apply one or all criteria suggested or create your own additional criteria.

Data breach

If your employer did a mistake by sending the wrong data about you to the authorities, this is a breach of Art 5.1.d – the Accuracy Principle – in UK GDPR and of Art 5.1.f – the Integrity and Confidentiality Principle – in UK GDPR. You can file a complaint, per Article 77 GDPR - Right to lodge a complaint with a supervisory authority or to seek an effective judicial remedy against your old employer, per Art 79 GDPR - Right to an effective judicial remedy against a controller or processor.

Please also consult these links:

• Article 5 GDPR - Principles relating to processing of personal data: https://advisera.com/gdpr/principles-relating-to-processing-of-personal-data/
• Article 77 GDPR - Right to lodge a complaint with a supervisory authority: https://advisera.com/eugdpracademy/gdpr/right-to-lodge-a-complaint-with-a-supervisory-authority/
• Article 79 GDPR -  Right to an effective judicial remedy against a controller or processor: https://advisera.com/eugdpracademy/gdpr/right-to-an-effective-judicial-remedy-against-a-controller-or-processor/

Privacy Act in Canada

I’m assuming that by PIPEDA you mean the Personal Information Protection and Electronic Documents Act.

Considering that, since you have customers in other countries, you should assess privacy-related laws and regulations in these countries to check if those define some kind of requirement related to the protection of their citizens’ private data stored/processed in other countries.

In case there are no such requirements, it would be sufficient to specify conformance with PIPEDA.

For further information, see:

• How to comply with EU GDPR, UK GDPR, and Data Protection Act https://advisera.com/eugdpracademy/blog/2021/05/25/how-to-comply-with-eu-gdpr-uk-gdpr-and-data-protection-act/
• Comparison of GDPR With Leading Privacy Regulations Worldwide [free webinar on demand] https://advisera.com/eugdpracademy/webinar/comparison-of-gdpr-with-leading-privacy-regulations-worldwide-free-webinar-on-demand/

Server's decommissioning

ISO 27001 does not prescribe how to proceed with the server decommissioning, but you can consult the NIST Cybersecurity Framework for guidance:

• PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition https://csf.tools/reference/nist-cybersecurity-framework/v1-1/pr/pr-ds/pr-ds-3/

Please note that NIST standards are not mandatory for ISO 27001 implementation or certification.

BCM policy

First is important to note that, at the document level, to be compliant with ISO 27001:2013 Annex A.17 controls you only need to document disaster recovery plans. Controls from section A.17 do not require a business continuity management document.

In case you consider this auditor observation relevant to your business, the document you should consider is a Business Continuity Plan, and you can take a look at a demo of this document at this link: https://advisera.com/27001academy/documentation/business-continuity-plan/

This article will provide you with a further explanation of Disaster Recovery: 

• Disaster recovery vs Business continuity https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/

Data Center and Disaster Recovery Site

Please note that ISO 27001 does not prescribe how far apart a data center and a disaster recovery site should be.

Additionally, most regulations and industry practices also do not define any specific distance to recovery sites, because many factors can affect what would be considered a “safe” distance (e.g., type of disaster, access to public services, risk level, etc.). From our experience, we suggest you start a discussion suggesting a distance between 30 miles (50 kilometers) and 100 miles (160 kilometers) away from your primary location, and from that analyze your organization's context (a geographic situation, available resources, required investment, etc.).  

This article will provide you with a further explanation of the distance of the recovery site:

• Disaster recovery site – What is the ideal distance from primary site? https://advisera.com/27001academy/knowledgebase/disaster-recovery-site-what-is-the-ideal-distance-from-primary-site/

This material will also help you regarding the distance of the recovery site:

• Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/

MDR Device Labelling

This symbol is not required to be on the labels according to the MDR 2017/745 and harmonized standard ISO 15223-1:2021 Symbols to be used with information to be supplied by the manufacturer — Part 1: General requirements. But it is not forbidden. So, you just need to explain in your technical file what is the meaning of this symbol. 

For more information check https://www.iso.org/standard/77326.html

Gxp versus 13485

Yes of course that you can.

Offshore Requirements

1- I didn't plan to separate offshore vs. domestic work. Is that typical?

By offshore vs. domestic work, I’m assuming that you refer to people that work outside your country of operation (offshore), and people that work in your country of operation (domestic).

Considering that, ISO 27001 does not prescribe how to define the ISMS scope, so organizations can develop it as best as it fits their needs.

It is acceptable to cover work performed in the country of operation and foreign countries in a single scope, and you should make your decision based on the quantity and complexity of the legal requirements related to foreign places you operate.

For example, you may have different requirements related to the protection of information stored and/or processed offshore that you may apply to all your scope, and you can avoid that by defining separated scopes.

2 - Please let me know if these requirements will be fulfilled: I think these would be, but I don't quite understand Incident Response vs. Incident Plan vs. Incident handling - aren't these all covered by the same Policies and Procedures and part of the overall plan? IR-1.1 Develop policies and procedures for Incident Response. IR-6.1 Report security incidents to appropriate personnel or government authorities in a timely manner. IR-8.1 Develop a comprehensive Incident Response Plan for the organization. IR-5.1 Implement mechanisms for tracking and documenting security incidents. IR-4.1 Develop an incident-handling process for the organization. Does this have to be separate?

First is important to note that incident response, incident plan, and incident handling refer to different things:

• incident handling refers to the general steps to treat an incident (e.g., incident communication, incident classification, incident treatment, and incident closing)
• incident response refers to a response to a specific incident (e.g., in case of data loss the incident response is to recover the data from backup)
• incident plan refers to defining specific steps to be followed and resources to be used

Considering that, the Incident Management Procedure document covers incident handling, and in its section 3.4 (Treating Major Incidents) you can either define incident responses and their plans in the procedure or make reference to external documents covering the specific incident responses and related incident plans.

For further information, see:

• How to handle incidents according to ISO 27001 A.16 https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/

3 - Offshore-48 Complete a security assessment of the organization's offshore location(s) and/or third party's offshore location(s) annually. Offshore-20 Requires antivirus software to be active and up to date on workstations.

I’m assuming that by Offshore-48 and Offshore-20 you mean different business units.

Considering that, you can have different plans for different business units, considering the results of risk assessment, but please note that since such plans are unique for each company, it is unfeasible to provide templates for such plans, so you will need to develop them by your own. In case you need support to develop such specific plans, you can schedule an online meeting with one of our experts in this link: https://advisera.com/27001academy/consultation/

Measuring Equipment

If your production is outsourced, you need to have information on which measuring equipment is used for the production, quality control, and storage of your medical device and definitively you need to have proof that that equipment is regularly calibrated (you need to see the calibration certificates). 
Usually, you will check this during the audit that you will conduct on your outsourced production.