Search results


  • Clause 8.2.6 ISO 13485

    Yes, you are right, we did not put it in the first version of the toolkit. We are aware of this omission and it will be in the second version of the toolkit that will be released in September.

  • Is antivirus software requirement for companies seeking ISO 27001 certification?

    Antivirus, like other antimalware solutions, is a requirement only if you have relevant risks or legal requirements (i.e., laws, regulations, or contracts) that demand its implementation. In case you have no risks or legal requirements demanding the implementation of antivirus, you do not need to implement it to be compliant with ISO 27001.

    This article will provide you with further explanation about the selection of controls:

  • Requirements in Document Wizard

    1. Why can I select only one person to approve my documents? We have more people, so I am not sure how to handle this in our organization.

    Answer: When you need input from several roles to define a document, you can use the functionality of reviewers, so you can invite specific people to evaluate the document before it is sent to approval.

    2. How are the risks and requirements listed in each step addressed in each policy? Do I need to do something on my side or reference them in specific paragraphs? How do I know which paragraph in the document covers which risk or which requirement, so that when I am asked how we are treating those risks or requirements, I can show them?

    Answer: The relation between risks and documents is that risks define which controls are applicable in the Statement of Applicability, and in the SoA it is defined which documents are used.

    The recommended documents will automatically show the texts that need to be present to cover the controls used to treat the risks, and the specific risks can be seen in the left-hand side of each document for the highlighted text. In your example, the risks in the left-hand side panel refer to the first paragraph of section 4.1.

    This way you can decide how to adapt the text of a document for specific risks.

    Requirements from the Register of Requirements will be displayed in a similar manner in the left-hand side of a document.

  • Equipment

    The Registry of Records for Retention / Central Archive is used to document and record status changes to all retained records, including when they are made obsolete. 

    For more information on the use, see the associated procedure, Document and Record Control, available for preview at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

  • Using ISO 9001 documents for ISO 13485

    Yes, you can. This applies mostly to, for example, forms and procedures for internal audit, corrective measures, and non-compliant products.  

    On the following link you can find the article that compares ISO 9001 and ISO 13485:

    • Similarities and differences between ISO 9001:2015 and ISO 13485:2016 https://advisera.com/9001academy/blog/2015/01/21/iso-9001-vs-iso-13485/

  • Does risk treatment table need to be separate from risk assessment table?

    ISO 27001 does not prescribe how to document risk assessment and risk treatment information, so organizations are free to document them as they see fit.

    Our recommendation is to keep this information in separate documents because the list of treated risks is in general much smaller than the total list of assessed risks.

    Keeping these assessed and treated risks in a single document, to avoid duplication, would only make it unnecessarily big and complex to read.

    For further information, see:

  • Content and scope of External Threat Monitoring

    1 - At present, the most immediate question I have is this: what is the content and scope of External Threat Monitoring?

    I’m assuming you are referring to the Security Procedures for IT Department template.

    Considering that, the definition of what to monitor (content) from which assets (scope) related to external threats will depend on the results of risk assessment and applicable legal requirements. The relevant risks and elements defined in laws, regulations, and contracts you need to fulfill will point out which assets you need to monitor, and which threats you are most exposed to.

    For example, in case you have relevant risks related to zero-day vulnerabilities in operating systems, you may need to include monitoring of the related manufacturers. Also, in case you have a contractual clause related to ensuring data availability in the supply chain, you may need to monitor the situation of your suppliers.

    2 - Would it be adequate to comply with the US FISMA Act 2002 (it is a US Act but is adopted worldwide as a best practice), and, as part of FISMA compliance, should we adopt NIST’s standards, namely FIPS 199, FIPS 200, and NIST 800?

    First, it is important to note that you only need to implement FISMA and related standards if they are required (e.g., due to law or contract). In case they are not required, there is no need to go for them.

    Considering that, FISMA is most related to ISO 27001 clauses 4 to 10 (requirements for information security management), not to controls from Annex A (which are more related to FIPS 199, FIPS 200, and NIST 800).

    Specifically for implementing threat monitoring, NIST 800-53 has security controls that can be used to implement it, but this standard is not required to implement ISO 27001, and you should only use it if you are prepared to do some extra work.

    This article will provide you with further explanation about threat monitoring:

    • Detailed explanation of 11 new security controls in ISO 27001:2022 https://advisera.com/27001academy/explanation-of-11-new-iso-27001-2022-controls/

  • ISO 27001 is being revised: Which standard revision should you implement?

    By 15, I’m assuming you are referring to AS ISO 27001:2015, which is the Australian version of ISO 27001:2013.

    Considering that, once the new ISO 27001:2022 is published, it will be valid worldwide.

    Regarding your question about whether the new version comes in 2022: until this date, ISO has not changed the expectation for publishing the new version of ISO 27001 in 2022.

    Additionally, since AS ISO 27001:2015 is exactly the same as ISO 27001:2013, the answers provided by the tool for ISO 27001:2013 are also valid for AS ISO 27001:2015.

  • ISMS SCOPE DOCUMENT

    Please note that ISO 27001 does not require internal and external issues, and interested parties’ requirements, to be documented, only to be taken into account. Including this information in the ISMS Scope document would only make it unnecessarily complex.

    Regarding interfaces and dependencies, they also do not need to be documented in the ISMS scope.

    All these inputs are used to define what is part of the ISMS scope (in terms of processes, information, or location), what is excluded from the scope (when not all of the organization is in the scope), and the elements that separate what is inside the scope from what is outside (e.g., a firewall is an element that can be used to separate a network that is part of the ISMS scope from other networks that are outside the scope).

    In the ISMS Scope document template, the information about elements inside and outside the ISMS scope is included, respectively, in sections 3.1, 3.2, 3.3, and 3.5. The information about interfaces and dependencies does not need to be included in the ISMS scope document.

    For guidance on how to define the ISMS scope, please see:
