Search results

Detailed explanation of 11 new security controls in ISO 27001:2022

Only controls from ISO 27001 Annex A may be excluded. All requirements from clauses 4 to 10 are mandatory if you want to be compliant with ISO 27001.

For further information, see:

• Clause-by-clause explanation of ISO 27001 https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001

ISO/IEC 17025 Certificate duration

ISO 17025 accreditation is valid for the length of the specified accreditation cycles. This period varies depending on the accreditation body and sector. The accreditation bodies must comply with the ILAC (International Laboratory Accreditation Cooperation) policy that accreditation cycles must not be longer than 5 years. Typically, this period is four years for some laboratories, but for others, it can be as short as two years or the maximum five years. Accreditation cycles begin at the date of the decision for granting assessment. After that date, accreditation bodies perform surveillance assessments to continually monitored the competency and compliance of the laboratory. A full reasseement must be scheduled, and accreditation granted before the expiry date of the certificates.

For specific information for your laboratory, I advise you to contact the accreditation body you will use for assessment. This information should be available on their websites, as it is policy-driven.

For more information have a look at the webinar What are the steps in the ISO 17025 accreditation process? at https://advisera.com/17025academy/webinar/what-are-the-steps-in-the-iso-17025-accreditation-process-free-webinar/

ISMS 27001 processes

1- I am in the process of setting up the ISMS with your tool kit. What I miss (or haven't found) the processes (structure) for change management or patch management.

To be compliant with ISO 27001 you only need a Change Management Policy, which can be found in folder 08 Annex A Security Controls >> A.12 Operations Security

For an optional more robust documentation (this is not required for ISO 27001), please take a look at this toolkit:

• ITSM Change Management Toolkit https://advisera.com/20000academy/itsm-change-management-toolkit/

It is designed for compliance with ISO 20000, but can be adjusted to be used with ISO 27001. IT covers the following documents:

• Request for Change and Change Record- Minutes of Meeting CAB
• Change Schedule
• Change Management Process
• Change Management Policy

For further information, see:

• An overview of the ITIL Change Management Process [free webinar on demand] https://advisera.com/20000academy/webinar/an-overview-of-the-itil-change-management-process-free-webinar-on-demand/
• How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/

2 - As well as the subdivision into management, core and support processes. This is required for the process landscape.

Regarding processes classification, ISO 27001 does not require processes to be mapped. It is not generally required for the toolkit implementation (for that you only need to implement the documentation in the order they are presented in the toolkit’s folders).

In a general manner, you can consider this classification:

• management processes: management review
• core processes: risk management, security operations, processes monitoring
• supporting processes: document and record management, internal audit

• Design and Development Agreement

  Do you have a template for "Design and Development Agreement". I mean for outsourced process?

• External audits

  No, a certified organization must go through yearly surveillance audits. It is not an ISO 9001 requirement, it is a requirement from your organization’s contract with the certification body.

• Design and Development Agreement

  No, we do not have a direct Design and development agreement, but we do have a document that is part of the folder 10_Purchasing and evaluation of supplier, 10.7_Appendix_7_Quality_Agreement_for_Subcontractor, that covers what is necessary for the provider of outsourced process. You can just tailormade it for the design process. 

• Gaps From MDR to CFR

  There are some differences between documentation. You can find it in the following article:

  • FDA vs. EU MDR Technical Documentation Matrix - https://info.advisera.com/13485academy/free-download/fda-vs-eu-mdr-technical-documentation-matrix

  For any other questions, do not hesitate to contact us.

• Risk-based approach

  Yes, a risk-based approach is a requirement stated in 4.1.2 of the ISO 13485:2016 - apply a risk-based approach to the control of the appropriate processes needed for the quality management system. This means that for each process you need to be aware of possible risks that can occur, and you must have a mechanism for how to control them. 

  Definitively it can be in a table where you will have your processes, risks than can occur, and then control measures.

  Some approaches regarding the risk you can find in the following article:

  • Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits  - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/

  • Conformio expert questions

    1. In the Project Plan document under section 3.4.3. the document is referencing a project team, however later on the title of the table is "Participants in the project". There is an inconsistency in the understanding of who are the members of the project team as there can be more participants in the project than the team members, especially if it is a larger company. Can you please clarify this section for me in this document? 

    Answer: Please note that the project team, in general, refers to people involved in the tasks of the project, while participants cover not only the project people but also people who provide knowledge about the organization’s processes and information (e.g., key users), and decision-makers (e.g., managers and department heads). Is a good practice to identify the last ones early in the project to ensure engagement with the project.

    Considering that, you use the table "Participants in the project" in the Project Plan Document as it is to include members of the project team as well as the other relevant users for the project.

    For further information, see:
    - RACI matrix for ISO 27001 implementation project https://advisera.com/27001academy/blog/2018/11/05/raci-matrix-for-iso-27001-implementation-project/

    2. We are a very small company and we do not have Head of IT department, but only the Senior IT technician and two IT support guys. In Conformio I can only define one IT support job title for one of the guys, but I cannot give the same job title to the second IT support person even though both of them have the same job title in our company. Can you explain why this is so?

    Answer: Defining the same job title to different persons is not allowed to prevent conflict of responsibilities in the responsibility matrix (if two persons have the same job title it is not clear who needs to perform a task attributed to this job title). As an alternative, you can differ the job titles by a number (e.g., IT support 01 and IT support 02).

    3. We want to declare all printed documents as unreliable and therefore uncontrolled, but we were not able to find a way to do that in the Procedure for document and record control. Can you advise how we can add this statement in this document or where we can add this statement?

    Answer: Currently it is not possible to define treatment for uncontrolled documents in the Procedure for Document and Record Control. As an alternative solution, you can develop a simple procedure to document this rule (e.g., a Procedure for Labeling Uncontrolled Documents), or a simpler solution would be not to define written rules for paper documents, and apply the Procedure for Document and Record Controls only for the digital documents.