Search results


  • Is a medical device file required for a supplier?


    Answer:

    Since the plastic injected molded clips are a part of the medical device components, you have to maintain a medical device file in order to be compliant with ISO 13485.

    For more information, please read article:

    How to meet ISO 13485:2016 requirements for medical device files
    https://advisera.com/13485academy/blog/2017/06/28/how-to-meet-iso-13485-requirements-for-medical-device-files/
  • Elaborating documents


    Answer:

    ISO 27001 does not prescribe how documents should be developed, so you can choose the approach that best fits your needs.

    The main criteria for deciding whether to merge documents or not are whether they have similar purposes and whether, by merging them, they would become a document too big to understand or read. So, in this case, if your single document does not become too big to use and manage, it may be best to merge them, so you have one less document to manage in your ISMS.

    These articles will provide you further explanation about developing policies:
    - One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
  • Software assessment


    Answer:

    Points to be considered are:
    - Business needs
    - License type (even for open source software)
    - Known vulnerabilities (you can search the NIST vulnerability database)
    - Software reputation on market
    - Existence of periodic release of security patches
    - Software privacy policy

    This article can provide further information about risk assessment:

    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
  • Non-risk related reasons for undertaking work


    Answer:

    In general, security-related actions can be driven by these reasons:
    - the existence of unacceptable risks (as you already mentioned)
    - the existence of legal requirements (e.g., contracts, laws and regulations), demanding a security action
    - a top management decision, based on a business need or on a market best practice

    The last two bullets do not have to be initially related to risks (but at some point you can identify some), nor will ISO auditors require every action to be related to risks.
  • Disaster recovery plan


    Answer:

    Your toolkit includes a template for the Disaster Recovery Plan in folder 8 Annex A controls A.17 Business Continuity.

    It is important to note that for ISO 27001 a DRP aims at the recovery of IT infrastructure, and since your question refers to a cloud provider, you must align which activities you must document in your plan, since most of the activities will be the responsibility of the provider.
  • Use of ISO 27001 standard


    Answer:

    ISO 27001 is the intellectual property of ISO, and it is necessary to buy the standard in order to use it; otherwise you would incur intellectual property infringement. Depending on the buying conditions, you may share a limited number of copies of the standard you bought.
  • Retraining requirements


    Answer:

    There is no ISO 9001 requirement making that mandatory. Unless there is some important client, contract, or legislation/regulation making that a requirement, it is not mandatory.

    The following material will provide you information about competence:
    - Article – How to ensure competence and awareness in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-ensure-competence-and-awareness-in-iso-90012015/
    - Free course – ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Data processing and transferring


    Answer:

    The personal data can be provided to another third party located in the EU provided that there is a Data Processing Agreement in place.

    If you want to find out more about the transfer of Personal Data check out this free EU GDPR Foundation Course: https://advisera.com/training/eu-gdpr-foundations-course//
  • Obtaining engagement


    Answer: The most effective ways to get engagement of existing customers and their users are:
    - to show them how your actions can benefit them, help them achieve their business results
    - always take their opinion into account on project decisions
    - be transparent with them about what you are going to do and why
    - help them to resolve conflicts of interest with other areas, searching for mutually beneficial solutions

    These articles will provide you further explanation about consultancy:
    - How to become an ISO 27001 / ISO 22301 consultant https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/
    - 5 criteria for choosing an ISO 22301 / ISO 27001 consultant https://advisera.com/27001academy/blog/2013/03/25/5-criteria-for-choosing-a-iso-22301-iso-27001-consultant/ (if you know what customers are looking for you can be better prepared)

    To obtain engagement of new customers, you should work on your skills to present in a quick and effective way the benefits of information security and ISO 27001.

    For further information, see:
    - 4 crucial techniques for convincing your top management about ISO 27001 implementation https://advisera.com/27001academy/blog/2016/09/12/4-crucial-techniques-for-convincing-your-top-management-about-iso27001-implementation/
    - Free webinar – How to sell ISO consulting services https://advisera.com/27001academy/webinar/how-to-sell-iso-consulting-services-free-webinar-on-demand/
  • Evidence for audit


    Answer: ISO 27001 does not prescribe the need to evidence what did not happen (i.e., if there was no incident or no change), but it could make sense during the measurement and monitoring process to create a record that says that none of these things have happened.

    2. As a part of the implementation process we have installed a firewall in our organization for log generation. Can we conduct an internal audit based on logs of 10 days?

    Answer: A good reference you can use to define the time you need a process or control to be operating to have enough data to be audited is to ensure it has already completed at least three cycles of operation. For example, if a full backup process is performed once a week, then you should wait at least three weeks to audit this process.