Search results

Specific Documents

Please note that the abovementioned clauses are covered by the following:

• clause 4.1 - Understanding the organization and its context can be evidenced by means of documents “List of Legal, Regulatory and Contractual Requirements”, generated by the 'Register of legal, contractual and other requirements' module, and "Risk Assessment and Risk Treatment Report", generated by the 'Risk register' module.
• clause 5.1 Leadership and commitment can be evidenced by means of documents “Information Security Policy”, “List of Security Objectives”, “Risk Assessment and Risk Treatment Report”, “Risk Treatment Plan”, and “Management review report”.
• clause 6.1.1 General, which refers to risks related to the Information Security Management System itself, can be evidenced by means of the “Risk Treatment Plan”.
• clause6.1.2 Information security risk assessment can be evidenced by means of the “Risk Assessment and Risk Treatment Methodology”.
• clause 9.1 Monitoring, measurement, analysis, and evaluation can be evidenced by means of the records defined on each policy and procedure you have implemented.

A.8.2.2 Labeling of Information

Since you stated in the SoA that control A.8.2.2 Labelling of information is not applicable, then it is sufficient for you to include only N/A in the Labeling column (there is no need to exclude the column).

Regarding controls A.8.2.1 Classification of information and A.8.2.2, you can implement only A.8.2.1 without implementing A.8.2.2 (i.e., you can define classification levels without the need to label media that contains it, although this is not common).

For further information, see:

• Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

Adverse Event Reporting

Yes, you can follow the same procedure. According to Article 16 from the MDR, if the CE mark of the manufacturer stays on the medical device, you do not consider a manufacturer, but rather the distributor.

1 a) makes available on the market a device under its name, registered trade name, or registered trademark, except in cases where a distributor or importer enters into an agreement with a manufacturer whereby the manufacturer is identified as such on the label and is responsible for meeting the requirements placed on manufacturers in this Regulation.

For more information, see:

• EU MRD Article 16 Cases in which obligations of manufacturers apply to importers and distributors or other persons - https://advisera.com/13485academy/mdr/cases-in-which-obligations-of-manufacturers-apply-to-importers-distributors-or-other-persons/

• ISO 27001 vs COBIT

  COBIT is certifiable only for people, although it can be used by organizations to help fulfill requirements from some ISO management standards, like ISO 20000 and ISO 27001.

  For further information, see:

  • ISO 27001 vs. COBIT: A comparison https://advisera.com/27001academy/blog/2019/05/06/cobit-vs-iso-27001-how-much-do-they-differ/

  Regarding ISO, it does not certify organizations. Its purpose is to develop standards, and some of these are management systems standards, against which organizations can be certified by entities known as certification bodies. 

  For further information, see:

  • Accreditation vs. certification vs. registration in the ISO world https://advisera.com/blog/2016/02/29/accreditation-vs-certification-vs-registration-in-the-iso-world/

  • Method validation/verification

    It is through method verification of a standard method the laboratory proves with objective evidence that they can perform the method and achieve the expected performance

    How this can be achieved depends on the method technique. For example for microscopic examinations, if you are the only technician (hance know the makeup of retained sample) get an independent person to issue the samples to you blind. If you don’t have samples across the range, try and identify another laboratory that does have samples, to do a bilateral study with. I can’t comment specifically on the method you describe as “random”. I suggest you engage with your accreditation body to see if they can assess it as part of their scope. If it is a method that involves certain activities, for example weighing or a complex calculation determination, then do what you can by breaking the method up into these activities and verify the activities you can. For example competency to weigh accurately using certified calibration weights and by validating complex calculations for determination of a parameter.

     

  • How to become good assessor for ISO 17025:2017?

    As the principle of Auditing the management component of all Quality management systems, including ISO 17025 involves the same approach and techniques, you could benefit form the Internal Auditor training offered by the ISO 9001 Academy. Have a look her for further information https://advisera.com/training/iso-9001-internal-auditor-course. To strengthen your skills with ISO 17025 technical assessments, I suggest refresher self-learning on the purpose of ISO 17025 and its risk-based approach.

    The following will provide more information for you on Auditing and ISO 17025:

    How to perform an internal audit using ISO 19011 at https://info.advisera.com/free-download/how-to-perform-an-internal-audit-using-iso-19011

    ISO 17025 document template: Internal Audit Procedure at https://advisera.com/17025academy/documentation/internal-audit-procedure/

    The Five Internal Audit Procedure appendices Internal Audit Program, Internal Audit Checklist, Audit Nonconformity Report, Internal Audit Process Checklist and Internal Audit Report are available separately from the procedure link above; or included in the toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

    Clause-by-clause explanation of ISO 17025:2017 at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/

    The Book - ISO internal audit: A plain English guide at https://advisera.com/books/iso-internal-audit-plain-english-guide/

     

  • ISO 27001 single templates

    I’m assuming that by SABS you mean the South African Bureau of Standards, and you are referring to SANS 27001:2015, which requirements are exactly the same as ISO 27001:2013.  

    Considering that, the standard clause 4.1 does not require external and internal issues to be documented, so a template regarding this clause is not necessary.

    For further information about context and external and internal issues, see:

    • How to define context of the organization according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/

    Regarding clause 4.3, you can use the ISMS Scope Document template: https://advisera.com/27001academy/documentation/isms-scope-document/

    For further information about ISMS scope definition, see:

    • How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    • Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
    • Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
    • How To Set ISMS Scope According to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/

    • Documentation request

      Please note that only some of these documents are mandatory for an ISO 27001 certified organization (e.g., ISMS scope, and the Information Security Policy), while others will depend if you have implemented some specific controls (e.g., control A.9.1.1 – Access Control Policy requires an Access Control Policy to be documented), and others are not needed at all (e.g., Context of organization, ISMG Governance and Training Matrix).

      For a list of mandatory documents for ISO 27001-certified companies, please see:

      • List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

      Considering that, unless this request from the customer is based on a contract or service agreement you have with that company, you do not need to have the documents not required by the main clauses of the standard, or by specific controls you implemented.

      You have to consider how important this customer is to you and based on this, decide if you will write these documents.

      Regarding the mandatory documents, you should sign an NDA with the customer before providing the documents.

    • Clause 4.1 in Conformio

      Please note that external and internal issues relevant to the ISMS can be evidenced in Conformio through:

    • The 'Register of legal, contractual and other requirements' module, which generates a document called "List of Legal, Regulatory and Contractual Requirements".
    • The 'Risk register' modules which cover the processes of risk assessment, treatment, and management and generate a document: "Risk Assessment and Risk Treatment Report".

    Both modules take into account external and internal issues for the definition of the mentioned documents.

    For further information, see:

    • 6 main steps in risk management https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/
    • How to define context of the organization according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/

    • How to implement ISO 45001 in developing countries and small medium scale industries?

      ISO 45001 is implemented in the same way no matter where in the world it is done, because as an international standard ISO 45001 (Health & Safety management) allow your organization to go beyond simply meeting laws for the environment or health & safety, and instead have a coherent system that allows you to proactively manage these parts of your business. The standards help to focus your efforts on identifying OH&S hazards with a focus on identifying the risk that is posed in order to apply controls to prevent environmental damage, injury or ill health.

      It can be difficult to get management commitment for an OHSMS, but this is mostly because it is hard to say how much money will be saved by implementing it, which is how management normally talks. Because it is hard to do this Return On Investment (ROI) type of explanation, the best way to approach this is to talk about the benefits that the management system will bring, many of which are related to money and savings.

      To help with this, the attached blogs have a lot of information to help with the conversation:

      • 4 Crucial techniques for convincing your top management to implement ISO 45001 https://advisera.com/45001academy/blog/2017/08/30/4-crucial-techniques-for-convincing-your-top-management-to-implement-iso-45001/
      • 4 key benefits of ISO 45001 for your business https://advisera.com/45001academy/blog/2015/09/30/4-key-benefits-of-iso-45001-for-your-business/