Search results

  • Training and awareness plan

    To fill in the training and awareness plan, the first thing you need to do is identify which competence gaps you have (i.e., which knowledge or skills your employees need to have). Some examples are:

    • Use of passwords
    • Backup operation
    • Software installation and patching
    • Performing of internal audit

    Second, you need to define the method to be applied: training sessions, workshops, newsletters? What will work best for your company? At which frequency should they be performed (e.g., weekly, monthly, annually)?

    After that, you need to evaluate if these gaps can be fulfilled by internal personnel, or if you will need external support.

    Once you have these answers, you can start defining your training and awareness plan.

    These articles will provide you with a further explanation about awareness:

    This material will also help you regarding awareness:

  • Quality Manual

    Some labs have copied the whole ISO Standard as their quality manual; may I know if this is acceptable?

  • Not Applicable Controls for SAAS Environment

    Please note that the SoA needs to be developed based on the results of risk assessment and applicable legal requirements (i.e., laws, regulations, and contracts).

    In case you do not have a risk relevant enough to justify the implementation of a control, then you do not need to implement it (i.e., state it as applicable in the SoA).

    The same applies to legal requirements. In case you do not have a law, regulation, or contract that justifies the implementation of a control, then you do not need to implement it.

    For further information, see:

    To see examples of applicable controls based on risk assessment, please, see:

  • Good Manufacturing Practice in pharmaceutical

    Yes, there is a certificate for GMP, which can be provided either by the notified body or by a competent authority in a particular country (usually the Ministry of Health, but you need to check how that is organized in your country).
    A company that has ISO 13485 cannot use the GMP mark without approval from the notified body or competent authority.

  • Record Control Table and Approved Supplier List

    You do not need to have a record control table as a separate document, but you do need to have a record control table within each policy or procedure where you require certain records to be created - this record control table is already included in all the document templates in Conformio.

    For further information, see:

    Regarding approved supplier lists, ISO 27001 does not require this record to be kept, so it would be a management decision to keep such a record in case it considers it relevant to their processes.

  • Specific Documents

    Please note that the abovementioned clauses are covered by the following:

    • clause 4.1 Understanding the organization and its context can be evidenced by means of the documents “List of Legal, Regulatory and Contractual Requirements”, generated by the 'Register of legal, contractual and other requirements' module, and “Risk Assessment and Risk Treatment Report”, generated by the 'Risk register' module.
    • clause 5.1 Leadership and commitment can be evidenced by means of the documents “Information Security Policy”, “List of Security Objectives”, “Risk Assessment and Risk Treatment Report”, “Risk Treatment Plan”, and “Management review report”.
    • clause 6.1.1 General, which refers to risks related to the Information Security Management System itself, can be evidenced by means of the “Risk Treatment Plan”.
    • clause 6.1.2 Information security risk assessment can be evidenced by means of the “Risk Assessment and Risk Treatment Methodology”.
    • clause 9.1 Monitoring, measurement, analysis, and evaluation can be evidenced by means of the records defined in each policy and procedure you have implemented.

  • A.8.2.2 Labeling of Information

    Since you stated in the SoA that control A.8.2.2 Labelling of information is not applicable, then it is sufficient for you to include only N/A in the Labeling column (there is no need to exclude the column).

    Regarding controls A.8.2.1 Classification of information and A.8.2.2, you can implement only A.8.2.1 without implementing A.8.2.2 (i.e., you can define classification levels without the need to label media that contains it, although this is not common).

    For further information, see:

  • Adverse Event Reporting

    Yes, you can follow the same procedure. According to Article 16 of the MDR, if the CE mark of the manufacturer stays on the medical device, you are not considered a manufacturer, but rather a distributor.

    1 a) makes available on the market a device under its name, registered trade name, or registered trademark, except in cases where a distributor or importer enters into an agreement with a manufacturer whereby the manufacturer is identified as such on the label and is responsible for meeting the requirements placed on manufacturers in this Regulation.

    For more information, see:

    • EU MRD Article 16 Cases in which obligations of manufacturers apply to importers and distributors or other persons - https://advisera.com/13485academy/mdr/cases-in-which-obligations-of-manufacturers-apply-to-importers-distributors-or-other-persons/

  • ISO 27001 vs COBIT

    COBIT is certifiable only for people, although it can be used by organizations to help fulfill requirements from some ISO management standards, like ISO 20000 and ISO 27001.

    For further information, see:

    Regarding ISO, it does not certify organizations. Its purpose is to develop standards, and some of these are management systems standards, against which organizations can be certified by entities known as certification bodies.

    For further information, see:

    • Accreditation vs. certification vs. registration in the ISO world https://advisera.com/blog/2016/02/29/accreditation-vs-certification-vs-registration-in-the-iso-world/

  • Method validation/verification

    It is through method verification of a standard method that the laboratory proves with objective evidence that it can perform the method and achieve the expected performance.

    How this can be achieved depends on the method technique. For example, for microscopic examinations, if you are the only technician (and hence know the makeup of the retained samples), get an independent person to issue the samples to you blind. If you don’t have samples across the range, try to identify another laboratory that does have samples, to do a bilateral study with. I can’t comment specifically on the method you describe as “random”. I suggest you engage with your accreditation body to see if they can assess it as part of their scope. If it is a method that involves certain activities, for example weighing or a complex calculation determination, then do what you can by breaking the method up into these activities and verifying the activities you can, for example competency to weigh accurately using certified calibration weights, and by validating complex calculations for determination of a parameter.
