
  • Risk assessment examples


    Answer: Our templates use an asset-based risk assessment approach, so our available material goes in that direction.

    As an example of process-based risk assessment, I suggest you take a look at this paper from GIAC:
    - Performing a Process-Based Information Security Risk Assessment https://www.giac.org/paper/gsec/3776/performing-process-based-information-security-risk-assessment/106086

    For other approaches, I suggest you take a look at ISO 31010, the ISO standard for risk management methods and techniques. For information about ISO 31010, please see this article:
    - ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification/
  • Data processor


    Answer:

    The documents in the EU GDPR Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ are relevant to both controllers and processors, with some exceptions. For example, the folder dedicated to “Managing data subject rights” is not relevant for processors because this part needs to be handled only by controllers; the same goes for the “Data protection impact assessment” folder. The rest of the documents can be used by both controllers and processors alike.

    However, if you are a company established in the EU and have employees, that makes you a controller in terms of the data of your employees.

    To find out more about controllers and processors, you can check out our article “EU GDPR controller vs. processor – What are the differences?” https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
  • Software validation in medical device


    Answer:

    The purpose of software validation is to provide objective evidence that software specifications conform to user needs and intended uses, and that the particular requirements implemented through software can be consistently fulfilled.

    Depending on the type of software and its role within the medical device, the organization can apply different methods for validation.

    Software validation is difficult because a developer cannot test forever, and it is hard to know how much evidence is enough. In large measure, software validation is a matter of developing a "level of confidence" that the device meets all requirements and user expectations for the software-automated functions and features of the device. Measures such as defects found in the specification document, estimates of defects remaining, testing coverage, and other techniques are all used to develop an acceptable level of confidence before shipping the product.
  • Investments on ISO 27001


    I am working on a business plan that involves a number of factors; the most important one for the 27001 subject is that it concerns the acquisition of a small software development company.

    And part of the strategy is to implement ISO 27001, with the goal of positioning the company better in the market, in addition to the other benefits of 27001 certification / implementation. Can you help me with this?

    The company is at square zero regarding security: it has no information security policy (PSI), no hardware or software firewall, and no staff specialized in information security. Its core business is software development.

    It would really be the certification of a company with 20 employees at "level 0", which would involve acquisitions such as:
    Materials (the standard itself and books)
    Consulting hours
    Assessment costs
    Technology costs (firewalls)
    Team training costs

    However, I have no idea of the quantities, and there are probably more items needed to obtain the certification. Plus the time required.

    Can you help me with this?

    Answer: There are a significant number of variables to be considered when estimating an implementation cost, so without more detailed information it's not possible to give a precise value. What I can tell you are some cost issues you should consider:
    - Training and literature
    - External assistance
    - Technologies to be updated / implemented
    - Employee's effort and time
    - The certification process

    Regarding knowledge on costs, I suggest these articles:
    - How much does ISO 27001 implementation cost? https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
    - 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/19/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/
    - How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project
  • Should you integrate AS9100


    Answer:
    I would not recommend having 2 systems, for the following reasons:
    1) ISO 13485 is the odd standard, since it does not follow the same format as the others, so this would be the logical standard to maintain as a separate management system. However, you indicate that you already have this standard integrated with ISO 9001 & ISO 14001, so there would be no benefit to having AS9100 as a separate system.
    2) Even with the ISO 13485 standard following a different format, many of the support processes are still the same and have not really changed with the new requirements. These include internal audit, competence assessment, management review, documentation control, etc. Having a separate management system for AS9100 would mean you lose the benefit of integrating these support processes.
  • Context and multiple sites

    Hello. Thank you. I have another question. The auditor for ISO 14001:2015 asked us if we take into consideration sustainable materials when we buy packaging products. My question is: are sustainable materials part of the ISO 14001:2015 audit, unless we consider it a big environmental aspect? Please advise. Thanks.

    Maria
  • New Quality Processes

    I would use a “master list” of all “how we do it” procedures, with their name, current version, where they are used, and the owner who approves changes.
  • Inventory of assets

    Regarding ISO 27001, the inventory of assets must consider only assets associated with information and information processing facilities, including fixed assets like safes, shredders and others, so you can leave non-related furniture and fixed assets out of this inventory.

    This article will provide you with further explanation about the asset inventory:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    These materials will also help you regarding the asset inventory:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Design alterations

    New question:
    "Thanks for this information – You’ve answered my Question.

    I’ve asked this question as Company 1 is the Head Office and they do the design – Thus Holding the ISO Certificate for Design & Development– Company B is the Sister company which only does repairs and they claim they are not doing design but my argument was that they are redesigning the Original Design down to something else therefore their ISO Certificate should include design even if they use the design engineers at company A but documented Information must be in place.

    Do you agree?"

    My answer:
    If Company B only does repairs, repairs are not considered design. Perhaps one should clarify the meaning of “repairs”. Presently I’m working with a company that sells new machines, buys used machines from customers if both parties agree, and then repairs them and sometimes makes changes because of, for example, new safety requirements or better components, in order to sell them as second-hand machines. In that case design is a must!

    Another important point is: who is ordering the design changes? If they do the design changes but the order with the specifications comes from Company 1, design is not an issue for Company B.
  • Controls in third party facility

    We received this question:

    >I have a further question. Some of the properties are free, public, and we do not have a contract. How will this impact your suggestion?

    Answer: Without a contract you will have no basis to require those responsible for the properties to implement the security controls you need, and you will be at risk of legal action for modifying the facilities to implement the controls yourself without authorization.