We are not aware of specific boards or professional associations of SOC 2 auditors, so your best approach would be looking for them on professional social networks like LinkedIn, Security groups on Google Groups, or the American Institute of Certified Public Accountants (AICPA), which certifies accountants to audit for SOC 2.
This article will provide you with further explanation about SOC 2:
I’m assuming you are referring to the content of the documentation toolkit.
Considering that, please note that the Risk Assessment Table included in the ISO 27001 toolkit contains separate tabs listing examples of assets, threats and vulnerabilities to be used to fill in the Risk Assessment Table (in the cells of each specific column you can choose an item from a list). The only difference from the Conformio platform is that Conformio automatically suggests threats and vulnerabilities, while such functionality does not exist in the Excel sheet from the toolkit.
For further information, see:
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
In case you are referring to Conformio, please note that the content of the paper “Diagram of ISO 27001 Risk Assessment and Treatment Process” is a visual presentation of how risk assessment and treatment is performed through the Conformio Risk Register module. You have the same resources available in the Risk Register; they are just not shown in a graphical format.
For each risk entry you perform the exact same steps:
- when you choose an asset, a set of related vulnerabilities is presented
- for each chosen vulnerability, a set of threats is presented
- when impact and likelihood are defined, suggested controls to treat the risks calculated as unacceptable will be presented
When you access the Risk Register, there is a video presenting how to perform risk assessment and treatment in Conformio.
In order to implement ISO 17025 in a microbiology laboratory, all mandatory requirements must be met. In addition, for each method that you wish to be accredited for, the laboratory must perform verification of all standardized methods and full validation for in-house methods.
Have a look at the similar topic “Properly implementing section 7.2 and 7.6 for a microbiological lab” at https://community.advisera.com/topic/properly-implementing-section-7-2-and-7-6-for-a-microbiological-lab/ and look at the provided links to the Toolkit documents.
For more detail on what is required for ISO 17025, read the whitepaper Clause-by-clause explanation of ISO 17025:2017 available for download from https://advisera.com/17025academy/free-downloads/ and preview the ISO 17025 Academy toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/
The best way is to use the code that is on the product, because that code will one day be in the EUDAMED database. This will make it easier for you to monitor if something is happening with the product on the market, e.g. if there has to be a product recall.
Since the possibility for tricky situations is endless, the best way to find out how to handle them is to participate in lead auditor forums, or specific related groups in social networks, and place your questions (it is unfeasible to bring all situations in training).
As for your example, the best approach is to state that it was not possible to evidence the proper management of intellectual property rights of software *** (you should NEVER state that software is illegal, remember that your findings are based on the evidence you have or have not found).
Regarding abandoning an audit, this should be your last resort, only in cases in which the auditor perceives that proceeding with the audit will lead to a risk of physical harm or a risk to life. In such cases, he needs first to communicate with his manager, explain the situation and decide how to proceed. When there is no time for such communication, the auditor must contact his manager as soon as possible.
1 - Is an "Inventar der Werte" (inventory of assets) obligatory? As I understand this, it's just a list of all values that appear in the risk analysis. Why is an ID needed?
Please note that ISO 27001 does not prescribe the inventory of assets, but it needs to be written if you mark the control A.8.1.1 as applicable in the Statement of Applicability.
Regarding the need for an ID, this is so because assets need to be identified in a unique manner to make them manageable.
For further information, see:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
2 - Could you tell me the correct order of internal audit, management review and implementation of measurements? I understood it like this: first all measures have to be implemented, then there is an internal audit by someone of us or a consultant, then we need to do the management review and implement the recommendations from the internal audit, and then we can ask for an external audit. Is that correct?
Please note that for the implementation and audit of the ISO 27001 Information Security Management System, you need to follow the implementation steps as defined in the toolkit (basically following the documents in the exact order displayed in the toolkit folders).
The main documents in the toolkit that define how communication needs to be done are:
You can advise your customers on how to implement a GDPR-compliance project within their respective organizations. We have a lot of resources that you can use, including a full GDPR Toolkit (link below) and some free GDPR courses (you can also purchase an Advisera certification proving that you passed a GDPR exam). Appointing a DPO is only required in some specific cases, or when you feel you need to have better control over how personal data is processed within your organization, or if you process large quantities of special categories of personal data.
Some helpful links:
Yes, you are right that Biocompatibility does not apply to the software. But other documents are applicable with some adjustments.
First, you need to go to Annex I - General safety and performance requirements - and see which of those requirements are applicable to you.
Then, I suggest going to the following MDCG guidance documents that are specific to software as a medical device:
Also, be aware that medical device software must be in compliance with the following standard: IEC 62304:2006 - Medical device software — Software life cycle processes