Search results

  • Procedure for document and record control

    1. Could you tell me what you guys exactly want from the Procedure for document and record control document? In detail please + I got a couple of questions too, my scope is the whole organization.

    The purpose of the Procedure for document and record control is to establish a structured and unified approach for creating, updating, controlling, and protecting documents and records within a company. This ensures that the documented information is available for use, fit for purpose, and adequately protected against damage or loss of integrity and identity. The procedure defines the rules for creating and identifying documents, approving and publishing them, controlling access and distribution, withdrawing outdated documents, and managing updates and changes. It helps provide clarity to all employees on how to manage documents and records, ensuring compliance with ISO standards and facilitating effective information management within the organization.

    2. "This procedure is applied to all documents and records related to the ISMS", so in my case is it all the company's documents?

    The organization can decide whether to apply the Procedure only to ISMS related documents, or to all documents in the company scope.

    3. Document approval

    I understood that the CEO must approve all documents and is there something else?

    In a small ISMS scope, it is common practice for the CEO to approve all documents. This is because, in smaller companies, the CEO is usually the top-level management and has the authority to make decisions and approve important documents. However, it is important to note that the responsibility for approving documents can vary depending on the company's size and structure. In mid-size and larger companies, the responsibility for approving documents may be divided between senior management, security officers, and heads of departments. 

    4. 3.3. Publishing and distributing documents; withdrawal from use

    There are some parts where Conformio is mentioned. I don't think this is a professional way, for the word "Conformio" is written there: "the Conformio platform will automatically inform all employees listed as users of the document by email...."

    First of all, sorry for the confusion.

    Conformio is our platform to help organizations implement and operate an ISMS. In the text you mention, our platform will automatically inform users when a new document is published and retrieve old versions.

    5. Tell me more about record control and also documents of external origin. What do you want from me exactly? I could not figure it out.

    Record control refers to the management of records within an organization. It involves defining how records are created, stored, accessed, retrieved, used, protected, and disposed of. The control of records ensures that they are available when needed, suitable for their intended use, and adequately protected. ISO 27001 requires organizations to have controls in place for the distribution, access, retrieval, and use of records, as well as for their storage, preservation, control of changes, and retention and disposition.

    The control of documents of external origin refers to the management of documents that are not owned or controlled by the organization but are necessary for its operation. These external documents can include laws, regulations, standards, contracts, service agreements, product specifications, operation manuals, and more.

    To control documents of external origin, the organization should define what are the relevant external documents for the Information Security Management System (ISMS) and who will be responsible for identifying and reviewing them. The frequency of verification should also be established.

    One approach to controlling external documents is to have each head of a department responsible for the applicable external document. For example, the Head of the IT department can identify encryption standards for the website as a relevant external document and ensure it is controlled by the company.

    It is important to note that external documents can be both physical and electronic. Physical documents can be received at the organization's office or a remote location if necessary. Electronic documents can include emails, digital files, and online resources.

     

  • Ativos

    Thank you for your question.

    We answered it through Experta - you can find the answer here: https://experta.com/shared-post/d7a4c02b-ac63-4bd9-97aa-2578b8cca18f

  • ISO 27001 Internal Audits

    Thank you for your question.

    We answered it through Experta - you can find the answer here: https://experta.com/shared-post/a88a0e04-ae4e-4afd-9fd8-192951da69f3

  • Automated Firewall Review

    Thank you for your question.

    We answered it through Experta - you can find the answer here: https://experta.com/shared-post/9694e497-ecc8-4a61-8046-eb3ab248f12a

  • Choose to Not implement a security control

    Well explained! Thank you :) 

  • SOP

    There is no mandatory requirement to list risks in an SOP. On the technical side, the overall risk assessment per test or calibration method should be performed according to your risk management procedure. You should, however, document specific controls in the SOPs that are put in place to keep the risk at an acceptable level, i.e. the controls decided on during the risk assessment. Ensure you state clearly if some action is mandatory. For example: "Shake for 10 min. Do not leave samples standing after 10 minutes, filter immediately."

    For more information on risk assessment have a look at the Advisera ISO 17025 toolkit and webinars available. Start here https://advisera.com/iso-17025/

  • Business continuity plan, RTO and MTPD

    Considering your MTPD is 2 hours and the resumption of business is taking more than 4 days, then you can raise a nonconformity because recovering is taking more time than the defined MTPD.

  • Documentation Hierarchy

    Hi I need support to organise and map organisation documentation. How it should be organised as mandatory corporate documents

    Level 1 documents

     1 Manuals
    1.2 Policy
    1.3 Strategy
    1.4 Main Process Titles
    1.5 Sub-Process

     

    or shall we have policy first and then manuals? What is the difference between policy and manual?

     

    Thanks

  • ISO 17025 and 22716

    In all cases, the standard and regulatory body requirements must be met. In the case of CGMP, as I understand, the testing laboratory must be ISO 17025 accredited for the tests being performed. Your company needs to ensure that the laboratory results being used are valid, i.e. fit for your purpose. This includes reports that meet ISO 17025 accreditation requirements. All records must be retained as per your management system processes.

    I suggest you reach out to the FDA and establish exactly what is required for stability studies.

  • Information Security Goals

    Thank you for your question.

    We answered it through Experta - you can find the answer here: https://experta.com/shared-post/ceebcd7b-9dd8-40b8-b06a-87878bcbbfab
