  • ISO 13485 Effectiveness criteria

    1. Should these criteria be quantitative or qualitative?
    It is up to you. It is always better to have quantitative criteria because it is easier to follow whether those criteria are met. For example, you can state that your criterion for production is 1% scrap. This is something that you can easily measure.

    2. And if we have a Procedure for Document Control and a Procedure for Control of Quality Records, do these procedures have to include effectiveness criteria?
    Of course. For example, you can state that all records must be properly signed and filled in, or that all valid documents must be in place (therefore, during the internal audit you must not find any document that is not valid, i.e., a procedure that has been withdrawn).

    3. Also, for instance, we have described the Change Management process, and the effectiveness criteria for this process are: timely notification and implementation of changes; data analysis results. Are these OK?
    Yes, these are OK criteria for Change Management.
  • Difference between "Supplier" and "Subcontractor"

    A subcontractor is a company that provides for you some process that is crucial for your medical device. For example, a subcontractor is a company that produces your medical device for you, performs a sterilization process or warehousing, or makes some crucial part for your medical device that is specific only to you.

    Suppliers are all other companies that provide you with raw material, packaging material, and so on.

  • Corporate using of Conformio

    To answer this question properly it is necessary to evaluate how different the implementation of the applicable controls will be on both sites. In case single documents, like policies and procedures, can be used for both Business Units, then a single license will be enough. In case the differences in implementation may require that two policies covering the same topic are written (e.g., you need to have two different Access Control Policies), then the use of two licenses is recommended.

  • Accreditation duration

    It can realistically take from six to twelve months for the accreditation process to be completed, i.e., from application to accreditation.

    Once you have applied for accreditation with an accreditation body (AB) and submitted all the required documents, they will do a document review. This could take a few months depending on how busy the AB is. Depending on the extent of laboratory “readiness” (if documents are available and requirements are met), it can be another month or more to close any gaps. It may then take another month or two before the initial assessment (audit) of your processes and documents. Finally, the laboratory may need another month or more to close any non-conformances before accreditation is achieved.

    For more information, have a look at the webinar "What are the steps in the ISO 17025 accreditation process?" at https://advisera.com/17025academy/webinar/what-are-the-steps-in-the-iso-17025-accreditation-process-free-webinar/

  • SoA - controls

    When only a task is defined as the implementation method of a control, it means that this control does not require specific documentation, so you do not need to develop your own policy or procedure.

    In cases like this, you only need to provide a record showing that the task was performed. For example, for control A.6.1.2 you only need to provide a list of which activities were divided. For control A.6.1.3 you need to provide a list of which authorities need to be contacted.

  • ISO 27001 Risk Assessment

    1. What would you say counts as existing control and how "secure" does it need to be to lower the risk level? (documented, implemented as a process, etc.?)

    “Existing controls” refers to controls that are currently implemented (i.e., documented, implemented as a process, as a technology, etc.), so it is not about “how secure does it need to be”, but “how secure it is” at the moment of the assessment.

    For example, for a data loss risk, you can mention that you already have a backup solution implemented (e.g., a software solution).

    2. If the already existing controls lower the risk level, which we suppose they do according to your video lessons, then the risk level might be so low that the risk doesn't need to be included in the risk treatment. And if it doesn't need to be included in the risk treatment, then we don't need to implement a control from Annex A to cover this risk?

    Have we understood this correctly? It seems a bit wrong to exclude Annex A controls that actually should be applicable.

    If you already have a control implemented, identified during risk assessment, you need to identify this information in the SoA, reporting the associated control as implemented.

    Considering the previous example, you need to report in the SoA that control A.12.3.1 Information Backup is applicable and its status is implemented.

  • ISO 27001 query

    I’m assuming that by DaaS you mean Device as a Service.

    Normally, control A.12.4.4 applies only to on-premise servers because these are the servers you fully control. If your risk assessment or requirements ask that both on-premise and cloud servers need to be synchronized, then regardless of the environment or cloud model, to be compliant with control 12.4.4 all servers in the same security domain (i.e., under the influence of the same controls) need to be synchronized to a single reference time source.

  • Toolkit content

    Please note that identification of which activities need to be restored first is done through the business impact analysis (this template can be found in folder 08 Annex A Security Controls >> A.17 Business Continuity >> 02_Business_Impact_Analysis_Methodology).

    For a summary of which server or service or process has to be restored first, and related dependencies, you can use the Recovery Time Objectives for Activities template, located in folder 08 Annex A Security Controls >> A.17 Business Continuity >> 03 Business Continuity Strategy.

  • Security asset inventory

    For a smaller company it is much quicker if the assets are listed during the risk assessment process: first the assets are listed, then threats and vulnerabilities are related to those assets. Essentially, the same effect is achieved as you suggested.

    For further information, see:
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

  • Query on SOC 2 certification

    Considering the 45 templates in the ISO 27001 Documentation Toolkit, roughly 80% of the documents can be used to support a SOC 2 certification.

    This article will provide you with a further explanation about ISO 27001 and SOC 2: