deGRANDSON Global Blog

ISO 27001, ISO 27701 and GDPR: a natural combination

johnf@degrandson.co.uk (Dr John FitzGerald) — Tue, 21 Apr 2026 10:00:18 GMT

In 2018, many organizations, not only those based in the EU, spent much time and money on compliance with the General Data Protection Regulation (GDPR).

But what actions should we take now to ensure ongoing compliance? It's not enough to have policies and procedures to demonstrate compliance with the requirements. If there is a data breach or similar event, regulators will challenge you to demonstrate how your organization has maintained compliance on a continuing basis. Here's how...

ISO 45001 Risk Assessment & Risk Treatment Tools

johnf@degrandson.co.uk (Dr John FitzGerald) — Thu, 16 Apr 2026 10:44:56 GMT

You'll need OH&S Risk Management Methods & Tools

Unlike ISO 9001, the Occupational Health and Safety Management System (OHSMS) Standard requires the application of OH&S Risk Management Methods in Clause 6.1. So, risk-based thinking alone does not meet requirements. Formal and documented Risk Assessment followed by Risk Treatment is required for compliance.

ISO Auditor Competence: who decides?

johnf@degrandson.co.uk (Dr John FitzGerald) — Wed, 15 Apr 2026 12:54:04 GMT

Your ISO Auditor Certificate doesn't make you competent

Being on a professional ISO auditor register isn't enough either

Competence is defined as the ‘ability to apply knowledge and skills to achieve intended results.’ And so it is with ISO Auditor Competence. Your Lead Auditor Certificate alone does not ensure competence. Nor, when competent, do you suddenly become incompetent three years after receiving your certificate.

Confused? Don't be. For Lead Auditors and their Audit Team Members, the requirements for competency have been defined in ISO standards.

Medical Devices: Residual Risk and Risk Tolerance

johnf@degrandson.co.uk (Dr John FitzGerald) — Tue, 07 Apr 2026 09:22:24 GMT

QMSR & ISO 13485: On 02-Feb-26, the FDA Final Rule comes into force. The amendments incorporate by reference (and so align more closely with) the international standard ISO 13485:2016, Medical Devices - Quality Management Systems - Requirements for regulatory purposes.

Managing residual risk and understanding risk tolerance are crucial aspects of ISO 13485 compliance.

ISO 13485:2016 is an international standard that outlines the requirements for a quality management system (QMS) in the medical device industry. Clause 7.1 requires risk management in relation to operations and, in a note (not, therefore, a requirement), refers to ISO 14971. How, then, should you approach questions of residual risk and risk tolerance?

Why ISO 14001 Matters to SMEs

johnf@degrandson.co.uk (Dr John FitzGerald) — Wed, 25 Mar 2026 12:50:40 GMT

Even the smallest organization has a lot to gain from a certified Environmental Management System (EMS)

New businesses often ponder the benefits of ISO 14001 Certification and, being busy with start-up priorities, postpone certification until it is asked for in a tender document or by a prospective customer.

At that point, it is, of course, too late. Optimistically, getting certified takes at least five months, and the opportunity is lost.

It would be best if you were proactive about your business's impact on the environment (and the law requires it). The list of benefits here can help persuade you and your colleagues to get started sooner rather than later on the path to becoming ISO14001 Certified.

ISO 27001 in Manufacturing & Service Industries - the FAQs

johnf@degrandson.co.uk (Dr John FitzGerald) — Tue, 10 Mar 2026 10:15:00 GMT

Have you considered this possibility?

If you wait until this message greets you at work, a Notebook PC is stolen from a company vehicle, or staff members are working on their own PCs from home, it will be too late. It's not a question of whether your business will be targeted. You're already a target but have been lucky to date.

ISO Certification vs ISO Accreditation: what's the difference?

johnf@degrandson.co.uk (Dr John FitzGerald) — Fri, 06 Mar 2026 12:48:35 GMT

You've got the Certificate, but are you certified to the ISO Standard or accredited?

It may seem unimportant in the scheme of things, but people, like potential customers, will judge you based on your correct use of technical and allied terms.

Measuring Effectiveness with ISO 27004

johnf@degrandson.co.uk (Dr John FitzGerald) — Thu, 26 Feb 2026 15:52:31 GMT

On this topic, ISO 27001 provides no guidance and is of little help.

In deciding what to monitor and measure regarding your Information Security Management System (ISMS), ISO 27001 specifies no mandatory requirements (as emphasized in our ISO 27001 training courses).

Thankfully, ISO 27004 provides guidelines and principles for measuring and reporting the effectiveness of an organization's ISMS. The standard helps organizations to evaluate information security management processes, identify weaknesses, and take corrective actions.

This article will explore ISO 27004 and the importance of measuring information security effectiveness.

Most SaMD to be reclassified as MDR Class 1

johnf@degrandson.co.uk (Dr John FitzGerald) — Thu, 19 Feb 2026 10:45:00 GMT

The proposed EU MDR changes for Software as a Medical Device (SaMD) will be revolutionary.

And will be a relief for SMEs, University spin-offs, and Start-Ups, for whom a 6-figure buy-in for Notified Body services has been an insurmountable barrier. Currently, Europe-based developers of SaMD and those in other locations are avoiding the EU market and initially launching their products in the USA and the UK, where market-entry costs are much lower. The result is that European citizens who would benefit from these products are deprived of access to them.

deGRANDSON: your best choice

johnf@degrandson.co.uk (Dr John FitzGerald) — Tue, 17 Feb 2026 10:44:59 GMT

Master ISO Standards - Advance Your Career

Earn internationally recognized ISO auditor certification through flexible, self-paced online courses. Trusted by professionals in over 90 countries.