
  • Content of ISO 27001 & EU GDPR Toolkit

    I’m assuming the information you provided is from the List of documents file from the ISO 27001 toolkit (ISO 27000 is not a certifiable standard).

    Considering that, the Incident Management Procedure document is mandatory only if control A.16.1.5 Response to information security incidents is deemed applicable.

    Considering the ISO 27001 & EU GDPR Toolkit, the document you should look for is the Data Breach Response and Notification Procedure, which covers the same requirements of the Incident Management Procedure, and also GDPR Articles 4(12), 33, 34. This is document 14.A.16, item 85, in the List of documents file from ISO 27001 & EU GDPR Toolkit.

  • Clean room criteria for ISO 13485

    Thank you for the question. There are a lot of things that need to be taken into consideration when wanting to get an ISO 13485:2016 certificate. For the documentation, you can use our Documentation toolkit, which has all necessary and required documentation from the standard. Prices and what is contained in the toolkit are at the following link: https://advisera.com/13485academy/iso-13485-documentation-toolkit/

    More information on ISO 13485 can be found at the following links:

    • How to get ISO 13485 certified? https://advisera.com/13485academy/iso-13485-certification/
    • Checklist of ISO 13485 implementation steps https://advisera.com/13485academy/knowledgebase/checklist-of-iso-13485-implementation-and-certification-steps/
    • Six key benefits of ISO 13485 implementation https://advisera.com/13485academy/knowledgebase/six-key-benefits-of-iso-13485-implementation/

    • Question about notify body

      If you want to have a proper certificate that will be recognized worldwide, it has to be a certification body.

      For more information on this topic, please see the following article:

      • How to choose an ISO certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
      • CONTROLS A.18.2.1 AND A.18.2.2

        For control 18.2.1 Independent review of information security, please note that this control is usually done in the form of an internal audit or certification audit.

        In very small companies like yours, the common approach for the internal auditor is hiring an external party for the task, because the organization wouldn’t have enough work to justify contracting a full-time auditor, and a part-time internal auditor would have difficulty keeping his independence over all organization processes while performing his task.

        About certification audits, they are conducted by accredited organizations (the certification bodies) to evidence that an organization is compliant with all requirements of the ISO 27001 standard.

        For further information, see:

        Regarding control 18.2.2 Compliance with security policies and standards, it does not require independence of the reviewed area. In fact, it is quite the opposite (the management is the focus of this control - they have to do the review). So, your current implementation for critical analysis is acceptable to fulfill the control.

        This article will provide you with a further explanation about management review:

      • What sections of ISO 13485 cover computer systems?

        If you mean computer systems that you use, for example, for production, calibration, service, warehouse management and similar processes, then managing computer systems falls under requirement 4.1.6, which is about the validation of software used in the quality management system. Such validation must be done prior to initial use, and then after each update. However, which actions will be taken, how often, and which parts of the software will be validated depend on the risks that the software poses to the quality management system and to the quality of the product.

        There must be a procedure for software validation together with records that prove that validation has been conducted.

      • EU GDPR questions

        1. If a company based in a non-European country wants to transfer European data to a non-European country, what are the GDPR requirements?

        You need to follow the instructions of Chapter V GDPR, which requires verifying whether the country of destination benefits from an adequacy decision. If so, you can proceed with the transfer. Otherwise, you should verify whether you can implement appropriate safeguards like Standard Contractual Clauses or Binding Corporate Rules, or fall under one of the exceptions under Article 49 GDPR.

        2. Does a company need to create binding corporate rules if it has only one branch?

        Binding Corporate Rules (BCR) are long and complicated mechanisms that need to be approved by the Authorities. Usually, only large groups of companies have BCR; most organizations rely on Standard Contractual Clauses (SCC).

        3. Are there any available binding corporate rules approved by authorities to be followed?

        Yes, you can find some approved BCR on the internet, but they are customized to the data processing of the company, its assets, and the safeguards implemented. There is no standard BCR to customize.

        4. Who should create the data transfer impact assessment, the controller or the processor?

        The data controller is liable for the transfer impact assessment; however, if the export of data is from a data processor to a data sub-processor, the data processor may assess the impact of the transfer in order to certify its own compliance to the data controller.

        5. Is there any available transfer impact assessment template for processors?

        No, currently we have the template for the Cross Border Personal Data Transfer Procedure, which can be tailored to transfers as controller or processor.

        For more information, see:

        6. Where can I find the updated version of the controller-processor SCCs?

        You can find it on the website of the EU Commission: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj

        Here you can find more information about data transfer:

        If you want to learn how to implement GDPR compliance in your organization, you may consider enrolling in our EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/
      • Toolkit content

        The toolkit is suitable for any (small to medium) testing or calibration laboratory. It does not specifically deal with any sector or document requirements to meet standards such as ISO 8655. The technical know-how is the laboratory’s responsibility, as calibration laboratories have additional specific measurement programme requirements to meet, as in your case, for volume.

        Advisera’s ISO 17025 toolkit guides you through the implementation of ISO 17025. The ISO 17025 document template Evaluation of Measurement Uncertainty Procedure and the related Measurement Uncertainty Checklist and Measurement Uncertainty Record are available as part of the ISO 17025 toolkit to assist you. Especially for calibration laboratories, additional expertise in evaluating measurement uncertainty for your test will be necessary. You will need to produce an uncertainty budget for each volume you are accredited for. For that, I suggest you reach out to the Accreditation body and find out what guidelines and technical requirements they have for your programme.

        See the Q&A and links provided at https://community.advisera.com/topic/calculating-uncertainty/, for a similar topic.

      • Help with management review

        To see what management review minutes compliant with ISO 27001 look like, please take a look at the demo of this template: https://advisera.com/27001academy/documentation/management-review-minutes/

        As for tips about the management review, we can list:

        • ensure that you have information for all inputs required by the standard
        • study this information so you are able to explain results and deviations
        • ensure decisions made are properly recorded (e.g., what needs to be done, by whom, and related deadlines)

        This article will provide you with a further explanation about management review:

      • 17025 vs 13485

        You asked:

        Would it be best practice to integrate the ISO 17025 requirements in the ISO 13485 QMS or make a separate ISO 17025 QMS for the labs?

        In my experience, it all depends on the management structure of the laboratory. If you have different people responsible for the implementation and maintenance of the different standards, then keep them separate, at least to start with, and then integrate to a practical extent later. Otherwise, if you try to do this upfront, it could slow down the adoption of ISO 17025.

        It is, however, unnecessary to reinvent the wheel, so use the current processes and strategies already implemented for ISO 13485 for common ISO 17025 activities wherever possible. Examples are document control and dealing with complaints and nonconforming work.

        I suggest you do a gap assessment of what is in place for ISO 13485. List the current processes and documentation in place for ISO 13485 which are applicable to ISO 17025, and then list the additional ones required by, or needing customisation for, ISO 17025. The project plan is a handy tool to use. This way you can track your progress.

        For more information, the following may be of interest:

        The whitepapers

        Free implementation resources at https://advisera.com/17025academy/free-downloads/, including:

        • Project Plan for ISO/IEC 17025 implementation
        • Project Checklist for ISO 17025 implementation