Search results

Home / Search

Category:
Select
Select

11269 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Implementing ISO without certification


    Answer:

    Implementing any ISO standard can be beneficial for the organization even if the organization decide not to get certified and the ISO documentation as you call it can be useful in implementation and maintenance of the management system.

    For example, in case of ISO 9001, the documentation will help you define the processes and procedures, explain how the processes are carried out and also to make records whether the activities are performed as defined. By implementing this standard you will get all benefits that the standard brings, only without hanging the certificate on the wall. Here you can learn about ISO 9001 benefits: Six Key Benefits of ISO 9001 Implementation https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/

    These materials will also help you regarding the implementation:
    - Book Discover ISO 9001:2015 Through Practical Examples https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online training ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
    - Conformio (online tool for ISO 9001) https://advisera.com/conformio/

  • Scope for a small company with outsourced infrastructure to mother company


    Thus, we customer acquire the customer's, contact with them on own name but on behalf of our mother company. Data and customer information is saved in the databases and the portal which belongs to the other company. CRM system which we process is also not ours.

    However, our management has initiated ISO 27001 certification for our service company. I have selected the scope for ISO 27001 certification a business process.

    During the webinar you told me that it is very hard to get the certification if the business process will be certified.

    Answer:

    For a small company such as yours it is very difficult to lim it the scope of the implementation and certification to only one process - this is because once you define what is inside the ISMS scope, all other processes and activities that are left outside of the scope will be treated as external (third) parties. Therefore, for a company of 9 employees, the best would be to include your whole company in the ISMS scope.

    See also this article: Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    The fact that your company is not an owner of the equipment or services that you are providing doesn't change much - your company is responsible for the data because it is the contractual party with your clients. Therefore, you are responsible for safeguarding data even though this data is not placed on your servers. The fact that the processing is done by your mother company doesn't make much difference - the principle is the same as if you hosted this data on e.g. Amazon AWS, in other words you need to treat your mother company as a provider of services, i.e. as a third-party.

  • Scope definition considering suppliers

    We received this question:

    >"If the client is allow to exclude the service provider or outsourcer from the scope since they do not have control over them, can they put a justification as such in the SOA to exclude the A15 control? The only concern we seen on some client, they will overlook the security matter related to services provider/outsourcer as to their understanding it has been excluded from the scope. How could we address such misunderstanding?

    Answer: Only because suppliers are excluded from the ISMS scope it doesn't mean controls from Annex A can be excluded from the SoA based on that. The scope definition and SoA elaboration are different processes that do not have this relationship.

    Considering that, a control can only be excluded from SoA if:
    - There are no law, contract or similar legal requirement demanding the control to be implemented, and
    - There are no unacceptable risks related to the outsourced service identified on risk assessments, or the organization consciously accepted the risks identified as unacceptable

    So, the fact that service providers or outsources are excluded from the ISMS scope is not the reason enough to justify excluding controls from section A.15. An organization has to evaluate first the legal requirements involved and the risks associated to the outsourced service.

    To handle this kind of misunderstanding, you can ask your clients this question: If you would consider security controls if you were running the service yourself, why do not require the same commitment from your suppliers?

  • Defining LOT number for medical device

    For the implants, yes it is necessary that the lot number must be on the device except the device is not too small. For all implants, there should be an implant card. According to the MDR 2017/745, Article 18. implant card must have the following information:

    • information allowing the identification of the device, including the device name, serial number, lot number, the UDI, the device model, as well as the name, address, and the website of the manufacturer
    • any warnings, precautions, or measures to be taken by the patient or a healthcare professional with regard to reciprocal interference with reasonably foreseeable external influences, medical examinations, or environmental conditions
    • any information about the expected lifetime of the device and any necessary follow-up
    • any other information to ensure the safe use of the device by the patient, including the information in point (u) of Section 23.4 of Annex I.
    For more information, see:
Page 844-vs-13485 of 1127 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +