Search results

Classification of medical devices

Yes, you are right. Separately, those elements do not need a medical device file, but, once they are all put together, technical details must be a part of the Medical device file for the X-ray system. It means that at least the following must be covered:

• technical drawings
• materials from which it is made of
• What risks do the elements in question have on the patient, ie on the accuracy of performing the diagnostic procedure
• any other safety issues

• VA-PT testing

  Such threats and loopholes are basically the same commonly used as references for VA-PT testing. For example, according to OWASP top 10 for web applications they are:

  • Broken Access Control
  • Cryptographic Failures
  • Injection
  • Insecure Design
  • Security Misconfiguration
  • Vulnerable and Outdated Components
  • Identification and Authentication Failures
  • Software and Data Integrity Failures
  • Security Logging and Monitoring Failures
  • Server-Side Request Forgery

  The main difference in their use is that such threats are applied against zero-day vulnerabilities, which are vulnerabilities either unknown to the organization (i.e., it does not know they should require mitigation) or known but for which a patch has not been developed yet.

  Until the zero-day vulnerabilities are mitigated, hackers can exploit them to compromise information security. For such situations, the application of control 6.1.4 Contact with special interest groups, for earlier identification of zero-day vulnerabilities, is highly recommended.

  These articles will provide you with a further explanation about OWASP and special interest groups:

  • How to use Open Web Application Security Project (OWASP) for ISO 27001? https://advisera.com/27001academy/blog/2018/04/24/how-to-use-open-web-application-security-project-owasp-for-iso-27001/
  • Special interest groups: A useful resource to support your ISMS https://advisera.com/27001academy/blog/2015/04/06/special-interest-groups-a-useful-resource-to-support-your-isms/

  This material will also help you regarding OWAPS:

  • OWASP Top Ten https://owasp.org/www-project-top-ten/

• Business continuity plans in a larger company

  Please note that department-oriented plans (e.g., IT plan, Facilities plan, HR plan, etc.) are the easiest way for mid-size companies like yours.

  From our experience, the optimal structure for large companies is the following:

  • one top-level document called Business Continuity Plan, where you define the crisis management plan, and the general rules by which all continuity activities will abide, ensuring all plans are aligned.
  • separated Incident Response Plans for describing how you would respond to different incidents, covering related activities required by all areas of the organization.
  • recovery plans for describing how to recover each of your processes/departments/projects in case of a disruption, also covering related activities required by all areas of the organization. For IT operations this plan is commonly known as the Disaster Recovery Plan

  For more information, please see:

  • How to write business continuity plans? https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/
  • Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/

  This material will also help you regarding business continuity planning:

  • Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/27001academy/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/

• Cold Email

  Yes, cold emails are allowed under legitimate interest. If you have an email address of the procurement manager of a company that may be interested in your service, you are allowed to send a cold email because publishing the address on the company website as the referral for procurement affairs.

  Here you can find more information about legal basis:

  • Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/

  If you need to understand how to implement EU GDPR you may consider enrolling in our EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/

• Preparing SoA

  ISO 27001 only requires that results of risk assessment are taken into account when defining risk treatment and SoA, not that the majority of controls must have risks as justification for applicability (this is not a common situation, so you should be prepared for some questioning from the auditor).

  Provided that in the SoA you refer to the most relevant identified risks it can be accepted for certification purposes.

• Question on SOA

  ISO 27001 doesn't require you to specify objectives in the Statement of Applicability - you can use some other document for this purpose. However, we felt that listing objectives next to each control in SoA is the most practical solution.

  Regarding the objectives, to make it easier, you can specify the objectives for groups of controls, very similar to what is written in Annex A of ISO 27001.

  This article will provide you a further explanation about Statement of Applicability:
  - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/ 
  - ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

• Business continuity elements

  Provided the EHS’s ERP is relevant to ensure the continuity of the services and/or processes required for business continuity it can be part of the business continuity efforts.

  These articles will provide you a further explanation about business continuity planning:

  • How to write business continuity plans? https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/
  • Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/

  This material will also help you regarding business continuity planning:

  • Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/27001academy/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/

• Do we need MDR?

  Considering the definitions of what is a medical device (Article 2 Definitions), to my opinion this is not a medical device. For some device to be medical device, it has to have some of the following purposes: diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of disease.If I understand correctly your device, helps patients to feel more comfortable in the wheelchair, but it does not contribute to the healing of their health state.  

  If you look at your product from the point of view that your seating and brackets prevent developing pressure ulcers or similar skin changes, then it can be considered that seating and brackets are medical products. In that case, they are a class I medical device according to Rule 1 (Annex 8 Classification rules). In that case, it is necessary to implement the ISO 13485 Quality System and prepare the Technical Documentation in accordance with Annex 2 Technical documentation and Annex 3 Technical documentation for post-market surveillance.

  For more information, see:

  • EU MDR Article 2 - Definitions https://advisera.com/13485academy/mdr/definitions/
  • EU MDR Annex 2 Technical documentation https://advisera.com/13485academy/mdr/technical-documentation/
  • EU MDR Annex 3 - Technical documentation for post-market surveillance https://advisera.com/13485academy/mdr/technical-documentation-on-post-market-surveillance/
  • EU MDR Annex 8 - Classification rules https://advisera.com/13485academy/mdr/classification-rules/

  • Procedure Manual

    No, normally, a procedure manual is not the same thing as a quality manual.

    A procedure manual, normally, is considered as a compilation of all procedures of an organization. A quality manual, normally, is a document where the quality system of an organization is described together with its quality policy. Both manuals are not mandatory according to ISO 9001:2015.

    Let me remark that I think that in older versions of ISO 8402, the vocabulary standard that became obsolete in 2000, there was a note saying that the sum of all procedures could be the quality manual. However, I never saw that approach followed in practice.

  • ISO 27001 new version and becoming a consultant

    1 - My company is intended to implement iso27001:2013, But I've heard that new version is coming, And I need to know if I start at the beginning of next year does the new version will affect me specially if I use your toolkits. Will it be updated.

    Please note that ISO 27001:2013 was indeed in 2019, but it was confirmed as the current standard, so no changes will be required for those organizations already certified, or in process of certification of this version of the standard (the version of the current standard will still be 2013, not 2019). There is also no need to update our toolkits by this date.

    For more information, please access this link: https://www.iso.org/standard/54534.html

    2 - Next part is personally, after implementing the standard in my company , I would like to do my own business in iso 27 as consultant so Need your advice please.

    To become an ISO 27001 consultant, the first step is for you to decide which path you want to follow considering security management or security assurance (i.e., security audit), and for these areas, you have the following ISO 27001 certifications you can follow:

    • ISO 27001 Lead Implementer – this certification recognizes people who have competency in the ISO 27001 implementation process.
    • ISO 27001 Lead Auditor – this certification recognizes people who have competency in auditing an ISM S against ISO 27001 requirements and want to become certification auditors (and with this provides more confidence to an organization for being certified).

    These articles will provide you a further explanation about ISO 27001 personnel certifications:

    • What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
    • What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
    • Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/

    For courses related to these certifications, please see:

    • ISO 27001:2013 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/
    • ISO 27001:2013 Lead Implementer Course https://advisera.com/training/iso-27001-lead-implementer-course/

    After certification, you should acquire experience in the field, and the most common ways are to work inside your current company implementing information security, or working for an established consultant.

    For more information about how to become a consultant, please read:

    • How to become an ISO 27001 / ISO 22301 consultant https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/