Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11277 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Scope definition considering suppliers
We received this question:
>"If the client is allow to exclude the service provider or outsourcer from the scope since they do not have control over them, can they put a justification as such in the SOA to exclude the A15 control? The only concern we seen on some client, they will overlook the security matter related to services provider/outsourcer as to their understanding it has been excluded from the scope. How could we address such misunderstanding?
Answer: Only because suppliers are excluded from the ISMS scope it doesn't mean controls from Annex A can be excluded from the SoA based on that. The scope definition and SoA elaboration are different processes that do not have this relationship.
Considering that, a control can only be excluded from SoA if:
- There are no law, contract or similar legal requirement demanding the control to be implemented, and
- There are no unacceptable risks related to the outsourced service identified on risk assessments, or the organization consciously accepted the risks identified as unacceptable
So, the fact that service providers or outsources are excluded from the ISMS scope is not the reason enough to justify excluding controls from section A.15. An organization has to evaluate first the legal requirements involved and the risks associated to the outsourced service.
To handle this kind of misunderstanding, you can ask your clients this question: If you would consider security controls if you were running the service yourself, why do not require the same commitment from your suppliers? -
Defining LOT number for medical device
For the implants, yes it is necessary that the lot number must be on the device except the device is not too small. For all implants, there should be an implant card. According to the MDR 2017/745, Article 18. implant card must have the following information:
- information allowing the identification of the device, including the device name, serial number, lot number, the UDI, the device model, as well as the name, address, and the website of the manufacturer
- any warnings, precautions, or measures to be taken by the patient or a healthcare professional with regard to reciprocal interference with reasonably foreseeable external influences, medical examinations, or environmental conditions
- any information about the expected lifetime of the device and any necessary follow-up
- any other information to ensure the safe use of the device by the patient, including the information in point (u) of Section 23.4 of Annex I.
- EU MDR Annex 1 – General safety and performance requirements https://advisera.com/13485academy/mdr/general-requirements/
- EU MDR Article 18 – Implant card and information to be supplied to the patient with an implanted device - https://advisera.com/13485academy/mdr/implant-card-and-information-to-be-supplied-to-the-patient-with-an-implanted-device/
-
SoA availability
But then how do you (as a customer) really know what the true value is of a suppliers IOS27001 certification if you don't know what controls are or are not implemented? -
Scope definition
Answer: You can exclude business units you do not consider relevant to be part of the ISMS scope (they would be treated as external parties), but you should evaluate if the administrative and operational effort resulting from this separation wouldn't be greater than considering some or all units as part of the scope. For example, business units operating on a different floor are easily to segregate, but for those in the same office room the segregation effort probably wouldn't be worthy.
These articles will provide you further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/ -
Employess trainning and awareness
Answer: Although there are some common knowledge the employees should be trained about, for a precise answer you should consider your risk treatment plan, because there you will find information about all controls that must be implemented, and then you can evaluate for each control the level of training you have to provide, considering technical staff, managers and final users.
You should note that the employees do not need to be trained in the whole ISO 27001 standard (except perhaps the person responsible for the ISMS), only for the particular controls related to their activities.
For the more common training to be considered, I suggest you take a look a this article:
- 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-traini ng-and-awareness-program/
This article will provide you further explanation about awareness and training:
- How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301
These materials will also help you regarding awareness and tranning:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
ISMS scope definition
Thank you so much for this clear explanation! -
Stakeholder info to document
Yes, the information you are gathering will provide you a good overview for the understanding of needs and expectations of interested parties and it is covering the clause's requirements:
- which interested parties are relevant to the ISMS
- which requirements of these interested parties relevant to information security
For stakeholders analysis you should also consider if there is any implemented control to meet these requirements
These articles will provide you further explanation about interested parties analysis:
- How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
This material will also help you regarding interested parties ana lysis:
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Product requirements review record
Answer:
The purpose of the product/service requirements review records (clause 8.2.3.2) is for organization to ensure that it can provide required product in required quantity and quality. Basically this is a review of the customer requirements and all you need is a record where you will document the customer requirements and also whether your organization is able to meet the requirements.
This of course is not required in retail where you cannot record and review requirements of every customer but rather is wholesale process or when the customer has requirements that are not part of your usual products and you what to evaluate whether it is feasible and profitable to met the customer requirement. Here you can download free preview of our Customer Requirement Review Checklist https://advisera.com/9001academy/documentation/customer-requirement-review-checklist/ -review-checklist/
As far as the records for controls, outputs and changes goes, in my opinion it is best to use Quality Plan https://advisera.com/9001academy/documentation/quality-plan/ -
Language of the work instructions
Many thanks for your help - that answers my question fully.