
  • Timing requirements for quarantine areas and non conforming areas

    ISO 9001:2015 does not include any concrete requirement regarding the timing for closing a non-conformity. However, clause 8.7.1 includes the phrase "prevent their unintended use or delivery", which can be used by an auditor to raise the risk that a long-term nonconformity in the quarantine zone could be confused with conforming product and be treated as such. Of course, this will depend on the fragility of the means of identifying non-conformities and on the greater or lesser capacity for effective segregation of the quarantine area. A padlocked zone is safer than a zone simply marked on the floor. Long stays in the quarantine zone can be a symptom of a deficient capacity to deal with non-conformities.

    The following material will provide you information about nonconformities:

  • Accessories to Medical Device

    Yes, both electrodes and cable are accessories. 

  • ISO 13485 Certification in company without manufacturing processes

    Yes, it is possible to certify a company with outsourced production of devices. Actually, it is rather common these days. Company A first has to have a proper quality agreement with Company B. This agreement will state all mutual responsibilities.

    The most important thing is that Company B undertakes to carry out production as Company A tells it and in accordance with the necessary regulations. If Company B does not have any of the documents required by ISO 13485, either Company A or Company B must prepare them. Next, it is important to define who is responsible for what: for ordering bulk materials, for control points, for releasing the product, and the like.

    The next important item is that Company B agrees to the audits that will be conducted for Company A on the premises of Company B. These are both announced audits and unannounced audits.

    All these elements, as well as some others, are included in the Quality agreement and are in our toolkit: 

    https://advisera.com/13485academy/documentation/quality-agreement-for-subcontractor/

  • GDPR intermediary

    The professional, when using third-party tools, acts as a Data Controller and must make sure that it understands that it needs to respect the relevant data protection legislation. If this legislation is the GDPR, the professional must understand Calendly's Terms and Conditions and determine whether Calendly is a Data Processor or a Data Controller, by assessing its level of autonomy in establishing the scope and means of personal data processing. Once the role is established, the professional needs to sign either a Data Processing Agreement, as required by Article 28 GDPR (Processor), a joint controller agreement, as required by Article 26 GDPR (Joint controllers), or a controller-to-controller data processing agreement. Also, it should establish whether consent is the best legal ground for processing, or whether other legal grounds for processing should be established, per Article 6 GDPR (Lawfulness of processing).

    More details here:

  • Is Conformio for us?

    In the context of offices in different countries, in case you need documents defining global information security rules (applicable to all offices) and documents defining local rules (according to local legal requirements and/or relevant risks), Conformio up to this moment does not have such a feature. The Backup Policy and the Access Control Policy are possible examples.

    In terms of the number of people, in case you need different people to approve the same document, this feature is not available (you can only have multiple reviewers).

    In any case, you can try Conformio for free for a 14-day period and test its features to see if it can fulfill your needs.

  • Question about ISO-27001

    1 - Would it be acceptable to rent a bare office where no actual work happens? Wouldn't that mean that risks at the office location are being minimized or eliminated altogether and that the security control A.11 (physical and environmental security) becomes non-applicable?

    If no actual work happens in this office, it wouldn't make sense for the auditor, so probably this alternative wouldn't be acceptable. The address should be related to a location where an activity related to the ISMS scope happens, or where the management responsible for the scope works.

    2 - How does that compare to a rented room or desk in a co-working space?

    I understand that the answer may depend on the CB and/or the kind of business being audited, but some generic advice would already be helpful for us to know our options on this matter.

    The same applies. If some business or management activity takes place at the location, it may be used as the address for the certification scope, but this shared scenario is more complex to protect than the rented office.

    Additionally, please note that the space needs to be rented for the duration of the certification. If you change the location, this will need to be notified to the certification body, and if no activity is performed there, this may indicate that resources are not properly allocated.

  • ISO 27001 Risk Assessments

    To be compliant with ISO 27001, information security risks cannot be identified randomly; they need to be identified according to the defined risk assessment and treatment methodology.

    These articles will provide you with further explanation about the risk assessment process:

    These materials will also help you regarding risk management:

  • EU GDPR & ISO 27001 Integrated Documentation Toolkit questions

    1. We have completed the GDPR Assessment (file 1.1) and most of the answers are negative since we have just started working on the GDPR as well. It's mentioned in the file itself that "If you answered, "No," to some questions, it will indicate where you need to focus your compliance efforts."

    Does this mean that we have to first work on what is missing from the GDPR hence, turn the "no's" into "yes" and then proceed with the ISO documents (Requirements, ISMS Scope etc.)? Or is there a different process we should follow?

    You can work on both implementations at the same time, following the order of documents and folders as they are presented in the toolkit. The answers from the questionnaire will help you focus on the documents which cover the missing points from the GDPR.

    Included in the toolkit you have a List of documents file that shows you which documents cover which requirements from both ISO 27001 and GDPR.

    For example, if you identify that GDPR Article 28 needs to be treated, you need to consider that when working on the Supplier Security Policy.

    2. Once we finish the first draft(s) of our ISMS scope, we would like you to review it as part of the package services we have purchased together with the documentation. Is there a certain procedure we should follow? Given the fact that the Scope is the baseline for implementing ISO, we believe that it would be wise to ensure that our ISMS scope is reasonable and meets all the necessary features.

    For document review, you can simply send the document by email to our support address: support@advisera.com

  • Merging IT Infrastructure and ISO 27001

    To ensure your organization keeps compliant with ISO 27001 in this merging you should treat this merge as an implementation project with some adjustments:
    1) review of the ISMS basic framework (e.g., scope, objectives, organizational structure), considering the merged organizational context and requirements of interested parties;
    2) review of risk assessment and treatment methodologies, to see which elements can be merged and which ones need to be kept separate;
    3) review the risk assessment and define the updated risk treatment plan;
    4) adjustment of implemented controls when necessary (e.g., policies and procedures documentation, acquisitions, etc.), as well as the implementation of new controls required due to the new merged context;
    5) people training and awareness;
    6) controls operation;
    7) performance monitoring and measurement;
    8) perform internal audit;
    9) perform management critical review; and
    10) address nonconformities, corrective actions, and opportunities for improvement.

    These articles will provide you with additional information:
