
  • Using ISO 9001 documents for ISO 13485

    Yes, you can. This applies mostly to, for example, forms and procedures for internal audit, corrective measures, and non-compliant products.  

    At the following link you can find an article that compares ISO 9001 and ISO 13485:

    • Similarities and differences between ISO 9001:2015 and ISO 13485:2016 https://advisera.com/9001academy/blog/2015/01/21/iso-9001-vs-iso-13485/

    • Does risk treatment table need to be separate from risk assessment table?

      ISO 27001 does not prescribe how to document risk assessment and risk treatment information, so organizations are free to document them as they see fit.

      Our recommendation is to keep this information in separate documents because the list of treated risks is in general much smaller than the total list of assessed risks.

      Keeping these assessed and treated risks in a single document, to avoid duplication, would only make it unnecessarily big and complex to read.  

      For further information, see:

    • Content and scope of External Threat Monitoring

      1 - At present, the most immediate question I have is this – what is the content and scope of External Threat Monitoring?

      I’m assuming you are referring to the Security Procedures for IT Department template.

      Considering that, the definition of what to monitor (content) from which assets (scope) related to external threats will depend on the results of risk assessment and applicable legal requirements. The relevant risks and elements defined in laws, regulations, and contracts you need to fulfill will point out which assets you need to monitor, and which threats you are most exposed to.

      For example, in case you have relevant risks related to zero-day vulnerabilities in operating systems, you may need to include monitoring of the related manufacturers. Also, in case you have a contractual clause related to ensuring data availability in the supply chain, you may need to monitor the situation of your suppliers.

      2 - Would it be adequate to comply with the US FISMA Act 2002 (it is a US Act but is adopted worldwide as a best practice), and, as part of FISMA compliance, should we adopt NIST’s standards, namely, FIPS 199, FIPS 200, and the NIST 800?

      First, it is important to note that you only need to implement FISMA and related standards if they are required (e.g., due to law or contract). In case they are not required, there is no need to go for them.

      Considering that, FISMA is most related to ISO 27001 clauses 4 to 10 (requirements for information security management), not to controls from Annex A (which are more related to FIPS 199, FIPS 200, and the NIST 800). 

      Specifically for implementing threat monitoring, NIST 800-53 has security controls that can be used to implement it, but this standard is not required to implement ISO 27001, and you should only use it if you are prepared to do some extra work.

      This article will provide you with further explanation about threat monitoring:

      • Detailed explanation of 11 new security controls in ISO 27001:2022 https://advisera.com/27001academy/explanation-of-11-new-iso-27001-2022-controls/

      • ISO 27001 is being revised: Which standard revision should you implement?

        By 15, I’m assuming you are referring to AS ISO 27001:2015, which is the Australian version of ISO 27001:2013.

        Considering that, once the new ISO 27001:2022 is published, it will be valid worldwide.

        Regarding your question if the new version comes in 2022, until this date, ISO has not changed the expectation for publishing the new version of ISO 27001 in 2022.

        Additionally, since AS ISO 27001:2015 is exactly the same as ISO 27001:2013, the answers provided by the tool for ISO 27001:2013 are also valid for AS ISO 27001:2015.

      • ISMS SCOPE DOCUMENT

        Please note that ISO 27001 does not require internal and external issues, and interested parties’ requirements to be documented, only to be taken into account. Including this information in the ISMS Scope document only would make it unnecessarily complex.

        Regarding interfaces and dependencies, they also do not need to be documented in the ISMS scope. 

        All these inputs are used to define what is part of the ISMS scope (in terms of processes, information, or location), what is excluded from the scope (when not all of the organization is in the scope), and the elements that separate what is inside the scope from what is outside (e.g., a firewall is an element that can be used to separate a network that is part of the ISMS scope from other networks that are outside the scope).

        In the ISMS Scope document template, the information about elements inside and outside the ISMS scope is included, respectively, in sections 3.1, 3.2, 3.3, and 3.5. The information about interfaces and dependencies does not need to be included in the ISMS scope document.

        For guidance on how to define the ISMS scope, please see:

        • How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
        • Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
        • Tool for defining the ISO 27001 ISMS scope https://advisera.com/insight/chatbot-tool-iso-27001-scope/

        • Management review for ISO27001

          To prepare a management review minute you need to consider at least these inputs:

          • internal audit reports
          • corrective actions and their status
          • the status of tasks that were decided during the last management review
          • overall changes (internal and external) that could influence the level of security
          • results of measurements (if the objectives have been achieved)
          • new required resources (including financial)
          • lessons learned (from testing, or from real incidents)
          • proposals on how to improve the system

          And at least the following results must be documented:

          • whether the ISMS has fulfilled its objectives
          • which improvements are needed
          • changes to the scope
          • approval of the required resources
          • modification to the main documents (e.g., top-level policies)

          To see a management review minute compliant with ISO 27001, please take a look at this template demo: https://advisera.com/27001academy/documentation/management-review-minutes/

          This article will provide you with further explanation about management review:

        • ISO 27001 Conformio questions

          1. In case we have to abide by requirements in several states because we are doing business with both, how should we handle these requirements in the context of ISO 27001 implementation?

          First, these requirements must be included in the Register of Requirements module. After you include these requirements in this module, related controls will be identified as applicable in the Statement of Applicability module, and the responsible person for the requirement can define and upload the related implementation plan.

          2. In case we have defined a security objective and we fail it (i.e., our target was to decrease the number of incidents, and we see that they have risen), will this hamper my possibility of obtaining the certification?

          In case you evaluate that you have not achieved a security objective, this situation will affect your certification process only if no decision regarding how to handle this situation is made, or if actions related to such a decision are not implemented or do not have the expected results.

          For further information, see:

          3. How do we select a certification body?

          Elements you should consider when selecting a certification body are at least these ones:

          • Reputation.
          • Accreditation.
          • Specialization in your industry.
          • Experience.
          • Integrated audit.
          • Flexibility.
          • Required maturity for certification.
          • Language.

          For further information, see:

        • Audit Plan non-mandatory

          The mandatory document for ISO 9001:2015 is the audit program. According to the standard, the company must plan, establish, implement and maintain an audit program that includes the frequency, methods, responsibilities, planning requirements, and reporting. The audit plan is the schedule of the audit which is conducted in one or more days.

          For more information about the audit program, you can see the following materials:

