ISO

The ISO 27001 standard for management of information systems helps organizations of any size to manage the security of data assets such as employee information, financial information, intellectual property, and third-party information.
ISO 27001 is primarily known for providing requirements for an information security management system (ISMS), and is part of a much larger set of information security standards.

An ISMS is a standards-based approach to managing sensitive information to assure that the information stays secure. The core of an ISMS is rooted in the people, processes, and technology through a governed risk management program.

Many organizations follow ISO 27001 standards, while others seek the additional step of obtaining an ISO 27001 certification. Be aware, however, that certification is evaluated and granted by an independent third party that conducts the certification audit. Once the ISO 27001 audit is complete, the auditor gives the organization a Statement of Applicability (SOA) summarizing its position on all security controls.

Why Is an ISO 27001 Checklist Essential?

Information security policies and controls are the backbone of a successful information security program.

Risk assessments, risk treatment plans, and management reviews are all critical components needed to verify the effectiveness of an information security management system. Security controls make up the actionable steps in a program and are what an internal audit checklist follows.

A complete list of controls for ISO 27001 is in Annex A of the standard, but not all of those controls are information technology-related. The best way to think of Annex A is as a catalog of security controls, and once a risk assessment has been conducted, the organization has a guide on where to focus.

These are the control sets of Annex A:

• Annex A.5 – Information Security Policies
• Annex A.6 – Organization of Information Security
• Annex A.7 – Human Resource Security
• Annex A.8 – Asset Management
• Annex A.9 – Access Control
• Annex A.10 – Cryptography
• Annex A.11 – Physical and Environmental Security
• Annex A.12 – Operations Security
• Annex A.13 – Communications Security
• Annex A.14 – System Acquisition, Development, and Maintenance
• Annex A.15 – Supplier Relationships
• Annex A.16 – Information Security Incident Management
• Annex A.17 – Information Security Aspects of Business Continuity Management
• Annex A.18 – Compliance

What Are the Controls in ISO 27001?

The ISO 27001 controls list, divided into 14 sections, may be found in Annex A (domains). Not all of them are IT-related. Following is an overview of the controls within each section.

Information Security Policies, Annex A.5 (2 controls)

This section defines the general direction of the organization’s information security processes based on the organization’s needs.

Organization of Information Security, Annex A.6 (7 controls)

The distribution of duties for particular tasks is covered in this appendix. It consists of two sections, with Annex A.6.1 verifying that the organization has built a structure capable of effectively implementing and maintaining information security standards.

Mobile devices and remote working are covered in Annex A.6.2. It is intended to assure that everyone who works from home or while on the go, whether part- or full-time, adheres to the proper procedures.

Security of Human Resources, Annex A.7 (6 controls)

Making sure that workers and contractors are aware of their duties is the goal of Annex A.7.

There are three parts to it. Annex A.7.1 discusses what obligations exist for people before employment. Job-related tasks are covered in Annex A.7.2. Annex A.7.3 covers requirements to protect the organization when employees are no longer in that job due to leaving the organization or changing roles.

Asset Management, Annex A.8 (10 controls)

This section addresses how organizations define acceptable information protection obligations and identify information assets.

There are three portions. First, organizations’ identification of information assets that fall under the purview of the ISMS is the chief topic of Annex A.8.1.

Information classification is covered in Annex A.8.2. By following this procedure, information assets are assured to receive the proper level of protection.
In Annex A.8.3, media handling must prevent sensitive data’s unauthorized disclosure, alteration, removal, or destruction.

Control of Access, Annex A.9 (14 controls)

Assuring that employees can only read information pertinent to their jobs is the goal of Annex A.9. It is separated into four components covering user access to data, systems, and applications. User responsibilities, such as password management, are also covered.

Cryptography, A.10 Annex (2 controls)

This section covers the handling of sensitive information and data encryption. Its two controls assure businesses employ cryptography to secure the availability, confidentiality, and integrity of data.

Physical and Environmental Security, Annex A.11 (15 controls)

The security of physical assets and property is covered in this section. With 15 controls divided into two sections, it is the longest annex in the Standard.
Preventing unauthorized physical access to the organization’s facilities or the sensitive data kept there is the goal of Annex A.11.1.

Annex A.11.2 focuses on equipment. It is intended to prevent the theft, loss, or damage of the physical files, software, hardware, and other containers that make up an organization’s information assets.

Security for Operations, Annex A.12 (14 controls)

This annex has seven components. Its controls assure that information processing facilities are safe.

Operational duties and procedures are covered in Annex A.12.1, assuring that the correct operations are carried out.Malware is addressed in Annex A.12.2, to assure that the organization has the required defenses to reduce the risk of infection.
Organizations’ obligations for backing up systems to prevent data loss are covered in Annex A.12.3.

The intention of Annex A.12.4 is to guarantee that organizations maintain logs and records of proof when security incidents take place.
The requirements for protecting the integrity of operational software are covered in Annex A.12.5.

Technical vulnerability management is covered in Annex A.12.6, intended to prevent unauthorized parties from taking advantage of flaws in the system.
Information systems and audit issues are addressed in Annex A.12.7 providing guidelines to minimize the impact that audit operations have on operational systems.

Communications Security, Annex A.13 (7 controls)

This section addresses how businesses safeguard data on networks. It has two parts. Network security management is addressed in Annex A.13.1 to maintain the confidentiality, integrity, and accessibility of information in such networks. Annex A.13.2 addresses information security while in transit, whether moving to another company division, a third party, a client, or any other interested party.

Acquisition, Development, and Maintenance of Systems, Annex A.14 (13 controls)

The goal of Annex A.14 is to maintain information security as a critical component of the organization’s procedures over its entire lifespan. The security needs for internal systems and those that offer services via public networks are covered by its 13 controls.

Supplier Relationships, Annex A.15 (5 controls)

This appendix addresses the contracts that businesses have with other parties.
It is split into two halves. First is the protection of an organization’s assets accessible to or affected by suppliers, covered in Annex A.15.1. Second, Annex A.15.2 assures that all parties uphold the agreed-upon standards for information security and service delivery.

Information Security Incident Management, Annex A.16 (7 controls)

This section covers how to handle and report security issues. The procedure entails defining which personnel should be responsible for particular activities to provide a uniform and efficient approach for responding to security incidents.

Business Continuity Management Related to Information Security, Annex A.17 (4 controls)

The goal of Annex A.17 is to create a successful system to handle business disruptions. It has two parts.

First, information security continuity is covered in Annex A.17.1, which also outlines the steps to make sure that information security continuity is integrated into the organization’s business continuity management system. Redundancies are examined in Annex A.17.2 to assure the availability of information processing facilities throughout a disruption.

Compliance, Annex A.18 (8 controls)

Organizations can locate pertinent legislation and regulations thanks to this appendix. This aids in comprehending their contractual and legal obligations, reducing the possibility of non-compliance and the associated fines.

How to Create an ISO 27001 Controls Checklist

A typical ISO 27001 checklist has several key components.

1. The organization must assess the environment and take an inventory of hardware and software.
2. Select a team to develop the implementation plan.
3. Define and develop the ISMS plan.
4. Establish a security baseline.
5. Establish a risk management program and identify a risk treatment plan.
6. Implement a risk treatment plan.
7. Monitor, conduct management reviews and take corrective action by leveraging the ISMS.

Once the ISO 27001 checklist has been established and carried out by the organization, then ISO certification may be considered.

Are you looking for ISO certification or simply strengthening your security program? An ISO 27001 checklist adequately laid out will help accomplish both. In addition, the checklist needs to consider security controls that can be measured. For instance, the checklist should proceed through the issues in Annex A 5-18 to understand whether the organization has the proper security controls.

Create Your Own ISO 27001 Checklist

There are many ways to create your own ISO 27001 checklist. The critical point is that the checklist should be designed to test and prove that security controls in your organization are compliant.

Consult with your internal and external audit teams for a checklist template to use with ISO compliance or for basic security control validation. ISO 27001 standards are an essential baseline for a successful information security program.

Also remember that an ISO 27001 checklist is not a one-time exercise. Proper compliance is a cycle of continuous improvement; checklists require ongoing monitoring to stay ahead of cybercriminals.

How Do You Perform a Gap Analysis?

Companies can compare their present information security systems to the criteria of the ISO 27001 standard to determine where gaps might exist, and what should be done to update their business processes to achieve ISO 27001 certification.

Theoretically an organization can do a gap analysis at any time, but timing is essential to optimize its impact. So perform gap studies frequently, and especially before a time of strategic planning or whenever a department or endeavor is performing poorly.

The ISO 27001 risk assessment and ISO 27001 gap analysis are the major topics of the ISO 27001 implementation and review procedure. Most of the information required for an organization to adhere to the ISO 27001 standard is provided through these procedures.

That said, because the procedures for ISO 27001 gap analysis and risk assessment are similar, companies can become confused between the two – which jeopardizes your ISO 27001 compliance.

An ISO 27001 risk assessment helps you to determine which cybersecurity controls are necessary at your business. That risk assessment, however, does not reveal if the firm actually has implemented specific cybersecurity measures. The ISO 27001 gap analysis does that.

Businesses frequently use consulting firms to complete the ISO 27001 gap analysis. An ISO 27001 gap analysis specialist can evaluate your current information security processes, procedures, and documentation during this process.

The specialist will then evaluate those items, considering the criteria of the ISO 27001 standard. The specialist will report on non-conformities and opportunities to improve the organization’s current information security practices, to resolve gaps in compliance and reduce the risk of data breaches.

Which Metrics Should You Use to Measure the Efficacy of an ISMS?

Assuring that processes are efficient makes sense in information security management – but how can you tell if your information security program is successful and moving in the right direction?

Organizations that follow the ISO 27001 standard must guarantee that their ISMS is continually improved. The standard’s Chapter 9 focuses primarily on measures to monitor performance. It states that you must specify the processes and controls you plan to measure, the frequency of reviews, and the targets.

Performance metrics show whether you are meeting your information security objectives and can serve as early warning systems, alerting you to new risks. Examples include: how much spam your spam filter catches, how many viruses you detect, how many attacks your intrusion detection system or firewall can detect, uptime/downtime, and other quantitative measurements.

Additional measures include the percentage of security tasks completed in the allotted time, the number of staff members who have acknowledged the latest security policy update, or the average amount of time taken to correct policy or compliance requirements violations.

When you compare metrics from month to month, you will see if your controls are adequate or if new risks are emerging. If targets are not being met, review your risk assessment, gap analysis, and operating procedures. Top management should review metrics regularly and ensure resources are properly allocated to address concerns.

Streamline ISO 27001 Compliance with ZenGRC

Complying with regulatory and security frameworks is labor intensive, especially if you are tracking requirements on an old-fashioned spreadsheet. To expedite the process and ease your ISO worries, you can streamline and automate your ISO 27001 compliance and certification tasks.

ZenGRC is a compliance and audit management solution. It provides prescriptive guidance with a pre-loaded library of regulatory and information security frameworks. Automated workflows ensure nothing falls through the cracks and always leave a clear audit trail.

Insightful reporting and dashboards help you spot concerns and easily share progress with stakeholders. ZenGRC is a single source of truth with advanced functionality to help you perform all your compliance activities with ease.
Schedule a demo to see how you can always be audit-ready with ZenGRC.

Learn about the best practices for vulnerability management in regards to ISO 27001. 

What is vulnerability management?

Vulnerability management is the practice of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities. Vulnerability management is integral to information security and information systems — and despite the similarity in terms, it is not the same as vulnerability scanning.

Vulnerability scanning consists of using a computer program to identify vulnerabilities in networks, computer infrastructure or applications. Scanning is an important component of vulnerability management, but it is only one part of vulnerability management, which also includes vulnerability assessments, risk assessments, penetration testing, and remediation.

A vulnerability management process should be part of your organization’s effort to control information security risks. It will allow you to obtain a continuous overview of vulnerabilities in your IT environment as well as the risks associated with them.

There are five steps to an effective vulnerability management process, including:

• Preparation
• Vulnerability scan
• Define remediating actions
• Implement remediating actions
• Rescan

ISO and vulnerability management 

Established in 1946, the International Organization for Standards (ISO) develops and publishes internationally agreed upon standards for information security. 
ISO standards are developed by experts, and are defined as “a formula that describes the best way of doing something.” From making a product, to delivering a service or supplying materials, ISO standards cover a huge range of activities.

An organization is ISO-compliant when it has chosen one or more ISO standards and followed the best practices within them. ISO certification, however, requires internal audits from third-party assessors using ISO’s Committee on Conformity Assessment (CASCO) criteria.

The ISO/IEC 27001:2013 standard focuses on creating an information security management system (ISMS) that protects confidentiality, integrity, and availability of information as part of the risk management process.

Under ISO 27001:2013, a vulnerability is defined as “a weakness of an asset or control that could potentially be exploited by one or more threats.” A threat is defined as any “potential cause of an unwanted incident, which may result in harm to a system or organization.”

Essentially, a vulnerability arises when a threat finds a weakness it can exploit. 
Weaknesses are flaws that occur during design, implementation, configuration, or operation of an asset or control. They are created either intentionally or by accident. While some weaknesses may be easy to identify and remediate, others may require more time, effort, and resources to correct.

ISO 27001 creates a set of rules giving managers discrete steps to follow to organize their information system and assure ongoing security compliance to avoid security incidents.

Through control A.12.6.1, ISO 27001 can help your organization better prepare and mitigate weaknesses in your information security systems via Technical Vulnerability Management.

The ISO 27001 approach for managing vulnerabilities includes three pinnacles in control A.12.6.1:

Timely identification of vulnerabilities

The main objective of a vulnerability management process is to detect and remediate vulnerabilities in a timely fashion. Unfortunately, many organizations don’t perform vulnerability scans frequently enough. Performing scans on a quarterly or annual basis only provides a snapshot of your operating systems only at that point in time.

The sooner you discover a vulnerability, the sooner you can remediate it. Conducting regular vulnerability scans will help your organization to identify any vulnerabilities to your software or information security systems. 

Assessment of your organization’s exposure to a vulnerability

Assigning severity levels to vulnerabilities once they have been identified will help you decide which vulnerabilities require immediate action. A risk assessment will assign severity to any vulnerabilities identified during a vulnerability assessment.

Once you have completed a risk assessment, you will need to decide whether to remediate vulnerabilities, or accept the risks. 

Proper measures considering the associated risks 

After you have identified the most critical vulnerabilities, create a risk treatment plan by considering the risk level associated with each vulnerability. Think about the actions you need to take and allocate resources to remediate your most critical vulnerabilities appropriately. 

ISO 27002 best practices for security control A.12.6.1

ISO 27002:2013 contains guidelines for organizational information security standards and your information security policy. This includes the selection, implementation and management of controls taking into consideration the organization’s information security risk environment.

ISO 27002 includes the following best practices for security control A.12.6.1:

Inventory of assets 

Effective vulnerability management depends on your knowledge of your information assets, including software manufacturer, software version, where the software is installed, and who is responsible for each piece of software. 
Asset management is a crucial component of an effective vulnerability management process, and should be delegated to the asset owner. 

Establish roles and responsibilities 

It is critical to define who will do what to assure suitable tracking of assets, because vulnerability management requires many different activities (monitoring, risk assessment, correction, and so forth).

When building a vulnerability management process, the following roles should be identified within your organization: 

• Security officer. This person is the owner of the vulnerability management process, and designs the process and assures it is implemented as designed. 
• Vulnerability engineer. This person is responsible for configuring the vulnerability scanner and scheduling the various vulnerability scans. 
• Asset owner. This person is responsible for the IT asset that is scanned by the vulnerability management process, and decides whether identified vulnerabilities are mitigated or their risks are accepted. 
• IT system engineer. This person is typically responsible for implementing remediation actions defined as a result of detected vulnerabilities. 

Timeline for reaction

Define a timeline to react to notifications of potentially relevant technical vulnerabilities, and deal with vulnerabilities through defined procedures. 

Audit log

Maintain an audit log for the process carried out and for maintaining traceability. 

Aligning the system with incident management

Align your vulnerability management process with incident management activities, so that you can communicate data on vulnerabilities to the incident response function and provide technical solutions to be carried out in the event of an incident. 

Continual improvement through corrective action and preventive action (CAPA) 

Assure that controls continue to work as required and new and emerging threats and vulnerabilities are identified and remediated.

Ideally, your vulnerability management program should contribute to your organization’s business continuity — that is, the plan you have to deal with difficult situations so your organization can continue to function with as little disruption as possible.

Identifying, prioritizing, and treating vulnerabilities as quickly as possible will assure that your organization avoids potential risks that could be catastrophic to your business continuity management. 

Vulnerability management and GRC

An effective vulnerability management process isn’t the solution to all of your cybersecurity problems, but it is one of the main methods to prevent cyber threats and exploitation of information security vulnerabilities.

Regular vulnerability assessments, vulnerability scanning, penetration testing, and risk assessments should all be routine parts of your organization’s vulnerability management process, because the risk environment changes over time.

Likewise, new security controls should be implemented as needed to address new risks or misconfigurations that could threaten your organization. 
Fortunately, there are tools to help. 

ZenGRC and vulnerability management

ZenGRC is a governance, risk, and compliance (GRC) tool that can help to support your routine vulnerability assessments, penetration testing, vulnerability scans, and risk assessments.

Collecting documentation, streamlining workflows, and eliminating the need for constant follow-up while tracing outstanding risks, ZenGRC will let your organization focus on the fundamental issues of vulnerability management and compliance while eliminating the tedious tasks that make the process feel like a burden.

Not only will this let you feel more effective at your job; it will also make your organization more efficient at the ongoing task of governance and continuous monitoring.

Using ZenGRC’s gap analysis tool can help you fill in the holes, allowing you to create an agile compliance program.

Finally, ZenGRC provides a single source of truth, giving you one-click access to the documents you need to become compliant.

Find out how ZenGRC can help your organization create an efficient vulnerability management process and contact us today to schedule a demo.

What precisely is a quality management system (QMS), and what does it do?

QMS is a management system meant to formalize documents, processes, protocols, tasks, and responsibilities for achieving quality control objectives. The primary goals are positive customer results and compliance with regulatory requirements. The hope is that employees learn to improve the quality of their work continuously.

Let’s dive into the benefits of implementing a total quality management system to create better business processes and a high-quality customer experience.

Why is a quality management system important?

The idea of a total quality management system dates back to Japan in 1954. Its purpose is to streamline tasks, reduce error, and eliminate risk. QMS creates quality control for various areas of an organization.

Usually, the components of QMS help meet regulatory standards and regulations, improve the customer experience, and help improve employee training. These are just some of the benefits of quality management systems.

What types of organizations should have a QMS?

Industries that commonly use QMS in their day-to-day operations include commercial airlines, software development, automobile manufacturers, educational institutions, government agencies, and pharmaceutical firms, to name only a few. In fact, any company that might benefit from customer service and quality improvement would do well to implement a QMS.

For example, universities are expected to comply with ISO 9000, the international standard for quality management systems. So a QMS in higher education can help improve the quality of education that teachers deliver to students, the quality of training that the university delivers to employees, and the level of regulatory compliance the university must achieve for education regulators.

Pharmaceutical companies, meanwhile, must adhere to high-quality standards from the U.S. Food & Drug Administration and other regulators around the world. Quality management systems and their larger, accompanying philosophy, Total Quality Management (TQM) can help such firms keep their focus on standards of cleanliness, internal control, production, security, and financial reporting.

What are the principles of TQM?

There are eight principles of TQM as spelled out by ISO 9001, a standard that serves as the broadest, international version of a QMS framework.

1. Customer Focus

To survive, businesses need customers. Therefore, improving customer satisfaction leads to a successful business and profitability.

2. Leadership

Employees work collaboratively towards common goals, but they require leadership to be successful. The difference is that leaders work to improve productivity and positivity to benefit the greater whole.

3. The People

You can’t expect to improve your organization’s productivity and profit without committing to your employees. Their enthusiasm and dedication are necessary for the success of TQM.

4. The Processes

A significant component of TQM is process. Processes are a “series of steps that take inputs from suppliers and transform them into outputs (internal or external) that are delivered to customers (internal or external).”

5. Systematic Management

The International Organization for Standardization (ISO) describes this principle as: “Identifying, understanding and managing interrelated processes as a system that contributes to the organization’s effectiveness and efficiency in achieving its objectives.”

6. Continual Improvement

All of these changes require continual improvement over time. Optimization will require metrics to be tracked over time, to measure which processes and protocols are working and which aren’t, so that you can adjust.

7. Factual Approach to Decision Making

Use data gathering and analytics to make better decisions based on current information. Making informed decisions leads to a better understanding of customers and your market.

8. Mutually Beneficial Supplier Relations

No matter what industry you’re in or size of your business, you most likely work with suppliers or vendors. This dictates that relationships between your company and any suppliers must be mutually beneficial to add value to both parties.

Which products are best suited for quality management?

With so many moving parts, it’s essential to invest in a total quality management system. ZenGRC is one GRC solution that meets such needs. It can handle numerous frameworks that can be tweaked to your specific needs to improve your business model.

ZenGRC simplifies risk management and compliance with complete views of control environments, easy access to information necessary for risk evaluation, and continual compliance monitoring to address critical tasks at any time.

Our user-friendly dashboards show you how to improve procedures and processes that will overall enhance customer service quality. ZenGRC migrates tasks based on regulations and your business perimeters, and our system helps track workflows, collect documentation, and more.

What industries can benefit from ZenGRC’s compliance management products?

Almost all industries that integrate TQM principles can reap the benefits of a quality management system. Implementing a total quality management system improves quality standards and positively impacts customer and vendor relationships. We have more resources on how to implement a QMS for your organization.

To learn more about how ZenGRC can support your risk evaluation efforts, contact us now for your free consultation and demo.

The International Organization for Standardization (ISO) drafts business management standards that any organization can use to identify and mitigate risk. The medical device industry is one such example.

The importance of risk management for medical devices cannot be stressed enough; a pacemaker or ventilator, for example, does not have the luxury of failure. 

For medical device manufacturers worried about risk, the relevant international standard is ISO 14971, Risk Management for Medical Devices. The ISO 14971 standard was first adopted in 1998 with several revisions since then, and the current standard has been in effect since 2019. 

The Primary Medical Device Directives of ISO 14971 

• Life cycle. All medical devices have a device life cycle. It consists of six primary phases: concept, planning, design, validation, launch, and “post-market” or post-production (that is, how the device is used in an actual patient). 
• Risk management. This is the organization’s overall program to address the risks of using medical devices. That program has several parts: identifying a risk, evaluating its potential threat, implementing controls to reduce the risk, and using a quality management system to assure that risk stays at appropriate levels. 
• Risk assessment. Risk assessment is the process of identifying and quantifying the risk associated with each component of a device. The risk could be operational (the device fails at a critical time and harms patient care), or regulatory (the device malfunctions in a way that violates government regulatory requirements, which exposes the company to legal liability), or potentially both.
• Risk evaluation. Evaluating the risk to determine what specific factors found in the risk analysis contribute to the overall safety of the device. 
• Risk control. These are actions comprising your risk management policy, taken to mitigate identified risks and decrease the likelihood of failure or incident. For example, if a device might be vulnerable to cyberattacks, the control might be security measures such as limited connectivity time. If the device can collect personal health data, where a privacy breach could result in significant legal liability, the control might be to disable that data collection.
• Risk acceptance. A medical device will never be completely free of risk, so organizations must determine what level of risk they are comfortable accepting. 
• Residual risk. This is the amount of risk that remains after all controls have been implemented. For example, you might decide to collect only certain types of health data but not others; or implement one cybersecurity password but not multi-factor authentication. 

ISO 14971 Risk Management for Medical Devices 

While the above points about ISO 14971 are a good primer for medical device companies, proper application of risk management is crucial, given the importance and high-risk potential involved with medical devices.

Here’s how you can implement the standard for medical device risk management.

Establish your risk management framework. This includes defining your risk management process, establishing roles and responsibilities, laying out your plan, and establishing a central repository where your plan and all its components will live.

Define the intended use and scope for your medical device. How is the medical device supposed to work, and supposed to be used by others? 

Identify your hazards. This includes all the potential sources for harm that may be associated with the product life cycle of your medical device, whether through its intended use or foreseeable misuse. It also includes estimating the risk of each of those hazardous situations.

Score the risks associated with those hazards. This involves determining the probability of harm occurring, the potential outcomes, and ultimately deciding whether that potential harm is an acceptable risk, or should be mitigated. Remember to include the risks of failing to meet compliance standards from the Food and Drug Administration, as well as the risk negative reports submitted to the FDA Medical Device Reporting tool. 

Develop and implement risk control measures. While “acceptable” risks only require monitoring for those potential threats, risks that pose an unacceptably high threat need a plan to mitigate them. 

Monitoring and post-production activities. This includes the post-production information to study the effectiveness of the controls and to assess any overall residual risk that remains.  

Worrying About Compliance Is Not the Zen Way 

ZenGRC’s enterprise risk management system provides state of the art, real-time insight into the risks associated with your medical device. 

While executing your risk management activities, you need a single place to store your risk management reports, data on associated risks,  acceptability criteria, and more. 

For more information on how ZenGRC empowers financial institutions, request a demo.

Not only does ZenGRC provide the location for your risk management plan, but it also allows organizations to track responses from notified bodies so you always know where you stand in your overall risk management requirements.