Yes, of course you can.
1- I didn't plan to separate offshore vs. domestic work. Is that typical?
By offshore vs. domestic work, I’m assuming that you refer to people that work outside your country of operation (offshore), and people that work in your country of operation (domestic).
Considering that, ISO 27001 does not prescribe how to define the ISMS scope, so organizations can develop it as best as it fits their needs.
It is acceptable to cover work performed in the country of operation and foreign countries in a single scope, and you should make your decision based on the quantity and complexity of the legal requirements related to foreign places you operate.
For example, you may have different requirements related to the protection of information stored and/or processed offshore that you may apply to all your scope, and you can avoid that by defining separated scopes.
2 - Please let me know if these requirements will be fulfilled: I think they would be, but I don't quite understand Incident Response vs. Incident Plan vs. Incident Handling. Aren't these all covered by the same policies and procedures and part of the overall plan?
IR-1.1 Develop policies and procedures for Incident Response.
IR-6.1 Report security incidents to appropriate personnel or government authorities in a timely manner.
IR-8.1 Develop a comprehensive Incident Response Plan for the organization.
IR-5.1 Implement mechanisms for tracking and documenting security incidents.
IR-4.1 Develop an incident-handling process for the organization.
Do these have to be separate?
First, it is important to note that incident response, incident plan, and incident handling refer to different things:
Considering that, the Incident Management Procedure document covers incident handling, and in its section 3.4 (Treating Major Incidents) you can either define incident responses and their plans in the procedure or make reference to external documents covering the specific incident responses and related incident plans.
For further information, see:
3 - Offshore-48 Complete a security assessment of the organization's offshore location(s) and/or third party's offshore location(s) annually. Offshore-20 Requires antivirus software to be active and up to date on workstations.
I’m assuming that by Offshore-48 and Offshore-20 you mean different business units.
Considering that, you can have different plans for different business units, based on the results of the risk assessment, but please note that since such plans are unique for each company, it is unfeasible to provide templates for them, so you will need to develop them on your own. In case you need support to develop such specific plans, you can schedule an online meeting with one of our experts at this link: https://advisera.com/27001academy/consultation/
If your production is outsourced, you need to have information on which measuring equipment is used for the production, quality control, and storage of your medical device, and you definitely need to have proof that that equipment is regularly calibrated (you need to see the calibration certificates).
Usually, you will check this during the audit that you will conduct on your outsourced production.
Note that the risks will differ between laboratories, depending on the organisation structure and field of work. For example, some laboratories have additional regulations to comply with, e.g. veterinary or medical cannabis testing or calibration laboratories.
In all cases the priority is to identify possible risks that could result in you not meeting your objectives.
Some Examples:
A tip – find out or ask your accreditation body about the top 5 or 10 deficiencies in laboratories in your sector – and then look at the risk you may have vulnerabilities on those topics, for example Technical Records.
ISO 27001 compliance or certification would be a must if you have customers who require this standard, or if you have a regulation that would require it, or if your top management decided this has a strategic importance. If none of this is true, then there is no requirement to comply with ISO 27001.
1 - The question is
1. Should we start implementing ISO 27001:2022 after the 2nd Surveillance/Maintenance Audit for ISO 27001:2013 and then apply for Certification Audit for ISO 27001:2022 in 2024?
or
2. Should we start implementing ISO 27001:2022 immediately and then apply for Certification Audit for ISO 27001:2022 in 2023? Is this even an option, or do we need to complete the 3-year cycle?
Answer: Please note that for companies that are already certified against ISO 27001:2013, the transition to ISO 27001:2022 needs to be completed by October 31, 2025.
Considering that, both alternatives are applicable; you should consider available resources (e.g., personnel, money, etc.) and business strategy and objectives to select an alternative.
In case you do not have any urgent reason to make the transition, then you should go for implementing ISO 27001:2022 after the 2nd Surveillance/Maintenance Audit for ISO 27001:2013 and then apply for Certification Audit for ISO 27001:2022 in 2024 because in this scenario you will have more time.
2. Staff training course/certificate completed
ISO 27001: 2013 Lead Auditor Course
ISO 27001:2013 Internal Auditor Course
The question regarding these courses/certificates is: in order to have ISO 27001:2022 certification, will we just need to take a course + exam on the ISO 27001:2022 Foundation Course? For example:
a. ISO 27001:2013 Lead Auditor Course + ISO 27001:2022 Foundation Course = ISO 27001:2022 Lead Auditor Course Certificate
b. ISO 27001:2013 Internal Auditor Course + ISO 27001:2022 Foundation Course = ISO 27001:2022 Internal Auditor Course Certificate
Answer: For certification purposes, you will need to consider training and certifications related to the 2022 version of ISO 27001.
Please note that some training providers may offer upgrade courses related to changes in the standard, so you won’t need to go through all the certification processes. You should contact your training provider to clarify this information.
Advisera will offer the ISO 27001:2022 Transition Course for all of its students with ISO 27001:2013 certificates - once this transition course and exam are completed, we will issue the new ISO 27001:2022 certificate - for example, a person having the ISO 27001:2013 Lead Auditor Certificate will receive the ISO 27001:2022 Lead Auditor Certificate.
3. Also, last year (2021), our company purchased the ISO 27001:2013 toolkit. Is there an upgrade option to ISO 27001:2022 and/or guidance on which document(s)/process(es) we need to change or which document(s)/process(es) we need to create?
Answer: Customers who have bought the toolkit up to one year before the release of the new version of ISO 27001:2022 (October 25th, 2022) will receive the updated documents at no cost. If you purchased the toolkit before that date, we will send you a discount code for the purchase of the 2022 revision of the toolkit.
It is a set of KPIs in general, but yes, it can be different for every management review.
For a service-providing organization, where most of the environmental aspects are centered in the operations done at the office, the configuration and management of Building Management Systems can help support the journey to ISO 14001.
A Building Management System manages and monitors equipment such as air-conditioning, energy, ventilation, gas meters, security devices, heating, lighting, and power systems. That equipment may be related to significant environmental aspects. So, a Building Management System helps with what ISO 14001 calls operational control.
You can find more information below: