
  • ISO 27001 A.8. 1.1 Asset Inventory

    Using the equipment’s serial number as a unique identifier is a common practice.

    ISO 27001 does not prescribe information to be used to track an asset, so organizations can define the information they see best fits their needs.

    This article will provide you with a further explanation of asset management:

  • Mandatory docs

    This information can be located as follows:

    • Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4): security roles and responsibilities are defined alongside all documents implemented for the ISMS. You can see a summary of this information by accessing the “Responsibility Matrix” link in the left side panel of Conformio Screen.
    • Acceptable use of assets (clause A.8.1.3): this control is implemented by means of the IT Security Policy
    • Secure system engineering principles (clause A.14.2.5): this control is implemented by means of the Secure Development Policy
    • Business continuity procedures (clause A.17.1.2): this control is implemented by means of the Disaster Recovery Plan document
    • Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3): logs are generated and stored in the information systems in which the organization configures them (these records need to be uploaded manually to Conformio if you want to access them through the platform). Security events can be found in the Incident Register Module.
  • GDPR applicability

    So if we are a non-EU based organization and offer products/services (not SaaS) to a few EU based companies (not all customers are in the EU), would GDPR apply to us? Especially if we maintain EU-customer information like email, address and phone number? We are not collecting customer data based on any controller instructions; we have their data because they take subscriptions of our products/services. The only data we retain are email IDs, phone numbers and physical addresses.

    Article 3 GDPR - Territorial scope states the following: “This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union”. So in this case GDPR applies to you.

    Many US-based companies find GDPR compliance a little difficult to handle. Advisera's EU GDPR Documentation Toolkit can help you comply with GDPR as a U.S. company - it has all the necessary documents for controllers and processors, as well as support from our GDPR experts.

    Please also visit these links:

  • MDR vs CFR 21

    There are some differences between the documentation. You can find them in the following article:

    For any other questions, do not hesitate to contact us.

  • Direct part marking for reusable devices class I

    In Annex VI of the MDR 2017/745, Part C, it is stated that:

    "Devices that are reusable shall bear a UDI carrier on the device itself. The UDI carrier for reusable devices that require cleaning, disinfection, sterilisation or refurbishing between patient uses shall be permanent and readable after each process performed to make the device ready for the subsequent use throughout the intended lifetime of the device. The requirement of this Section shall not apply to devices in the following circumstances: (a) any type of direct marking would interfere with the safety or performance of the device; (b) the device cannot be directly marked because it is not technologically feasible."

    So it means that the UDI must be on the device if it is technically possible; otherwise, all other information can be prepared separately.

  • Using ISO 9001 policies for ISO 27001

    You can use the same documents you developed for ISO 9001 that are also required by ISO 27001; you only need to ensure that the documents are updated according to the results of the information security risk assessment and the applicable information security legal requirements (e.g., laws, regulations, and contracts).

    These articles will provide you with a further explanation about integrating management systems:

  • Question about privacy notification

    From the details you provided, most likely company A is a Data Controller and company B is a Data Processor for company A. However, company B, for its own public website, is a Data Controller, so that’s why they have a Privacy Notice. The Data Controller needs to take all technical and organizational measures to demonstrate compliance with GDPR, per Art. 25 – Data protection by design and by default. That is why, according to Article 5.1.a – the principle of lawfulness, fairness and transparency – and to Article 13 – Information to be provided where personal data are collected from the data subject – company A is accountable for how it informs its own data subjects about the processing operations carried out by company B on its behalf. So company A should take, with the help of company B, all steps to make sure that the data subjects using the company B services purchased by company A are informed. Also, according to Article 28 – Processor – company A needs to sign a Data Processing Addendum with company B, after they have performed a minimum due diligence on the supplier to make sure that company B offers the same level of protection for personal data as is offered by company A.

    At Advisera we have a great EU GDPR Premium Documentation Toolkit that can help you achieve compliance in this case. We have templates for Privacy Notice, Supplier Privacy Notice (that should be sent by Company A to Company B’s employees), Processor GDPR Compliance Questionnaire, Supplier Data Processing Agreement etc.

    Please consult these links as well:

  • Common challenges in accreditation process

    If you are referring to the process of application and accreditation assessment, typical gaps include:

    • Method Validations not extensive enough
    • Internal auditing program not fully established
    • Reporting of results not compliant
    • Internal and External (PT Scheme) Quality checks not sufficient
    • Ineffective handling of Nonconformances and corrective action.

    These often arise due to organisational structure issues, where responsibilities and authorities are not clear and personnel do not understand the true intention of the QMS, the purpose of ISO 17025, how the various activities link, and how to take a risk-based approach to decision making.

    For more information, have a look at the question and answer “Accreditation duration” at https://community.advisera.com/topic/accreditation-duration/ and the webinar “What are the steps in the ISO 17025 accreditation process?” at https://advisera.com/17025academy/webinar/what-are-the-steps-in-the-iso-17025-accreditation-process-free-webinar
