Search results

  • How to fill Statement of Applicability


    For example, this has for (6):
    A.6.1.1 Information security roles and responsibilities
    A.6.1.2 Segregation of duties
    A.6.1.3 Contact with authorities
    A.6.1.4 Contact with special interest groups
    A.6.1.5 Information security in project management

    Yet document "A.6.1_Bring_Your_Own_Device_BYOD_Policy_Cloud_EN.docxx" has the following in the table of contents. How are they linked?
    Table of contents
    1. PURPOSE, SCOPE AND USERS 3
    2. REFERENCE DOCUMENTS 3
    3. SECURITY RULES FOR USING BYOD 3
    3.1. COMPANY POLICY 3
    3.2. WHO IS ALLOWED TO USE BYOD, AND FOR WHAT 3
    3.3. WHICH DEVICES ARE ALLOWED 3
    3.4. ACCEPTABLE USE 3
    3.5. SPECIAL RIGHTS 4
    3.6. REIMBURSEMENT 4
    3.7. SECURITY BREACHES 5
    3.8. TRAINING AND AWARENESS 5
    4. MANAGING RECORDS KEPT ON THE BASIS OF THIS DOCUMENT 5
    5. VALIDITY AND DOCUMENT MANAGEMENT 5

    Plus I do not see 08_Annex_A_Security_Controls in the download, yet it asks for them in 6_Statement_of_Applicability_Cloud:
    A.5, A.5.1, A.5.1., A.5.1.2

    Answer:

    To fill out Statement of Applicability (SoA) you have to:
    1) Complete the List of legal, regulatory and other requirements, and the Risk treatment table - those two documents will be your main inputs for writing the SoA.
    2) Based on those two inputs you decide whether a particular control is applicable or not, i.e. whether you need that control to satisfy a requirement, or to decrease a risk.
    3) If a control is applicable, you simply have to look for a document that covers this control - in the "List of documents" (located in the root folder of the toolkit) you will find a cross-reference showing which controls are covered in which document. In the SoA template there are already suggested documents for most of the controls.

    By the way, together with the toolkit you have received access to the video tutorial which explains how to fill out the Statement of Applicability - there you will see lots of examples of how this is done.
  • Is vendor agreement mandatory for ISO 13485?

    We received another question:

    >A purchase order is mailed to the supplier prior to purchase; can the purchase order be considered an agreement? We are in the manufacturing of Class 1 medical devices, hence the purchase order can be considered an agreement under ISO 13485 clause 7.4.2, as some suppliers are unwilling to sign agreements.

    Answer:

    If the purchase order contains the purchasing information of the products or services that you are sourcing from the supplier, it is valid. However, there should also be some email communication between your company and the supplier to ensure that the supplier will notify you of any changes made to the purchased product or service which could have an impact on the quality and performance of the medical device that you are dealing with.
  • Privacy Laws outside EU


    Answer:

    You can find out more about privacy legislation around the world here: https://www.dlapiperdataprotection.com/
  • List of Legal, Regulatory, Contractual and Other Requirements


    Answer:

    In the List of legal, contractual and other requirements first you need to identify an external document where a requirement is specified - therefore “Intellectual property rights” is not precise enough - instead you should find out which law in your country regulates the intellectual property rights, and then copy from this law the requirements applicable to your business.

    The rules you have specified in your message are much more appropriate for the IT Security Policy (you can find the template in our toolkit) - there you can formulate your own rules (based on the requirements you first identified in the List of legal, contractual and other requirements).
  • ISO documents for IT


    Answer: ISO 27001 does not prescribe a standardized reporting procedure or any other similar document, however it does list mandatory and suggested documents you might use - here is an article that might help you:
    List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    2. On the other hand, could you guide us on which ISO documents best suit us as IT?

    Answer: If your question is about which standards might be the most suitable for IT, here are the 3 most popular:
    - ISO 27001 (information security) https://advisera.com/27001academy/what-is-iso-27001/
    - ISO 22301 (business continuity) https://advisera.com/27001academy/what-is-iso-22301/
    - ISO 20000 (IT service management) https://advisera.com/20000academy/what-is-iso-20000/

    If your question is about which IT documents to use for ISO 27001, here’s an article that can help you: How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
  • Implementation of ISO 27001


    Answer:

    Here’s a short article that will explain the basics to you: ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    But the best way to learn about the implementation is this free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • "Shall be documented" phrase


    Answer:

    Any time when you see a phrase “shall be documented” in a standard this means you have to write a document to be compliant.

    These articles will help you:
    - Mandatory documents required by ISO 22301 https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301/
    - Explanation of the basic terminology in ISO standards https://advisera.com/27001academy/blog/2015/01/12/explanation-of-the-basic-terminology-in-iso-standards/
  • ISO 27001 clauses


    Answer:

    ISO 27001 is a standard published by the ISO organization, you can purchase the standard here: https://www.iso.org/standard/54534.html

    You can also download this free material Clause-by-clause explanation of ISO 27001: https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001
  • Confidentiality levels


    ISMS Scope Document: Public (as customers might have to know what you are certified for)?
    Information Security Policy: Public
    Inventory of Assets: Restricted
    Security Procedures for IT Department: Internal
    IT Security Policy: Internal
    Password Policy: Internal
    Access Control Policy: Internal
    Mobile Device & Teleworking Policy: Internal
    Bring Your Own Device Policy: Internal
    Incident management procedure: Internal
    Statement of Acceptance of ISMS Documents: Internal
    NDA for Suppliers: Restricted
    NDA for Employees: Restricted
    Security Clauses for Suppliers and Partners: Internal
    Information Classification Policy: Internal
    Competence (document describing what your profile and responsibilities must be as a potential employee): Public
    Internal Audit Report: Internal
    Internal Audit Checklist: Internal
    Training and Awareness Plan: Internal
    Results of access rights review: Internal
    Results of the management review / Management Review Minutes: Restricted
    Incident Log: Internal
    Measurement Report: Internal
    Records of monitoring and reviewing suppliers and partners: Internal
    Erasure & destruction records: Internal
    Records of testing backup copies: Internal
    List of Legal, Regulatory, Contractual and Other Requirements: Internal
    Corrective Action Form: Restricted

    Answer:

    The confidentiality level of a particular document is directly related to the potential damage if such a document leaks to unauthorized persons. Therefore, I cannot provide you concrete feedback because I do not know what your risk assessment results are.

    For example, if NDA for suppliers contains no sensitive information then it could be classified as Public, but if it contains highly sensitive information then it should be classified as Restricted.

    See also this article: Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
  • Environmental aspects versus environmental impacts


    Answer:
    Look at the example below.

    https://www.screencast.com/t/B9r5RcjuYH

    At the maintenance warehouse, lubricating oils are handled to apply in preventive maintenance activities. Because people handle lubricating oils there is the possibility of spillages or leakages. If a spillage or leakage occurs, there is the possibility of contamination of soil or water.

    The potential spillage or leakage is an environmental aspect, an element of an organization’s products, services and activities which can interact with the environment. Other examples of environmental aspects are, for example, discharges to water, emissions to air, use of natural resources and materials, or generation of wastes. Environmental impacts are the consequences of the environmental aspects.
    In the example above, the environmental aspect is permanent, but the environmental impact depends on the context, i.e. on the use of preventive and responsive measures.

    The following material will provide you with information about the assessment of environmental interactions:
    - ISO 14001 – 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
    - List of ISO 14001 implementation steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-iso-14001-implementation-steps/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/