A third common justification can be "Management decision", when management decides it considers a control to be applicable; this decision can be based on anything they consider important, including business requirements.
If your reason is improving a market position, it would be better to write 'Management decision' instead because marketing is not directly related to security.
For further information, see:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
1. Which are all the documentary requirements I must give the notified body in order to successfully submit a medical device class IIb that has a change of material? Which are the principal points you could give us as tips to focus on, in order to get the CEP, CER, RMP, RMR, BER right?
All documents required for technical documentation are presented in Annex II - Technical documentation and in Annex III - Technical documentation on post-market surveillance of the MDR 2017/745. Considering the principal points for the listed documents, they have to be in full compliance with the regulatory requirements. Notified bodies are very strict in auditing these documents, so everything that is requested has to be in the documents. What this documentation looks like, you can see in our Documentation toolkit https://advisera.com/13485academy/iso-13485-eu-mdr-documentation-toolkit/
These are the documents you will find in our toolkit for CER, CEP, RMR, and RMP:
More information regarding the content of technical documentation you can find on the following article:
2. What is the biggest tip that you can give me in order to know which laboratory tests I must perform on a medical device?
Considering biocompatibility, you have to go to ISO 10993-1:2020 Biological evaluation of medical devices - Part 1: Evaluation and testing within a risk management process (ISO 10993-1:2018, including corrected version 2018-10). Table 1 presents which tests must be performed considering the type of the medical device: whether it is in contact with intact skin, mucous membranes, breached or compromised surfaces, or blood, and how long it is in use on/in the human body.
Performance testing is something you need to decide on considering what characteristics your medical device has (length, strength, volume, electrical testing, and so on).
3. Is it possible to substitute the laboratory testing of a medical device with scientific articles that talk about the specific device? Which could be the legal basis to justify this?
For class IIb, it seems rather hard to justify laboratory testing with scientific literature. Medical devices of class IIb are high-risk medical devices and it does not seem possible to do it with justification.
1 - In the asset list, we found "remote employee" and in the vulnerabilities, we found "working off-premises", and we want to make sure of the correct understanding of and the difference between the two concepts.
Currently we understand:
- "remote employees" as employees usually working not in the headquarters but at a different site owned by the organization (let's say an affiliate elsewhere in Europe), using the organization's infrastructure (PC, tools, network, security...)
- "working off-premises" as an employee working at a site that does not belong to the organization (let's say working at home or at a customer site) but using the organization's infrastructure, at least partially (let's say the organization's PC but the home's or customer's network access)
Is that correct?
Answer: As "remote employees" you should understand employees working in environments other than their regular workplaces in the organization (it is not a question of whether he usually works in the headquarters or not, but of where he usually works). In your example for "remote employees", if the employee's regular working place is the subsidiary location, he would be only a regular employee. He would be a "remote employee" when working in the headquarters.
As for "working off-premises" you should understand working in any environment other than those controlled by the organization (e.g., working from home, from a customer site, etc.). For example, in case you have an employee who usually works in the headquarters but for a period is working in an affiliate location, this employee would be a “remote employee” but wouldn’t be “working off-premises”.
2 - We also found that sometimes the vulnerabilities, threat evaluation and treatment are exactly the same for several assets (e.g., "rules for working off-premises not clearly defined" will have the same threats, evaluation and treatment for all kinds of employees: top management, middle management, specific experts, remote or other). How to manage this in the best way to avoid costly redundancies?
Answer: In cases like this one, you need to group assets according to the most comprehensive set of rules, so you have fewer assets to manage.
For example, instead of creating a repetitive set of rules for each employee type, you can define a single profile for all employees, or you can define a “basic” profile for all employees, and create an “advanced” profile that will include only specific groups of employees (e.g., top management, developers, financial team, etc.).
This article will provide you with a further explanation about managing assets:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
ISO 22301 does not prescribe roles for implementing a Business Continuity Management System (BCMS), so organizations are free to define them as they see fit.
In general, you should consider:
- a role at the top management level to be accountable for the BCMS scope (e.g., the CEO, or department head)
- a role to act as project manager to be responsible for the implementation of the BCMS
- roles to act as project team members (when a single person acting as project manager is not enough for the task)
- roles to act as interested parties, to be consulted regarding how to implement the BCMS (e.g., key users, coordinators, etc.)
Since these documents contain very sensitive information about the risks of the vendor, it is unlikely they will share these documents with third parties.
In general, for an understanding of the security profile of a vendor compliant with ISO 27001, it is reasonable to ask for the Statement of Applicability (this document identifies at least applicable controls, justification for applicability, implementation status, and justification for the exclusion of controls from ISO 27001 Annex A).
This article will provide you with a further explanation about the Statement of Applicability:
For a precise definition of "sensitive work fields and positions" you need to identify which security regulations you need to fulfill, because these will define the requirements for the identification of sensitive work fields and positions.
For example, for EU GDPR, you need to define the Data Protection Officer position, and since this regulation is about privacy protection, any process or area which handles Personally Identifiable Information (PII) will need to be considered a sensitive work field.
Specifically for ISO 27001, sensitive work fields and positions will also be identified as a result of risk assessment.
For further information, see:
Thank you very much, this has assisted me.
Each organization has the authority to determine the competency requirements of its internal auditors.
Normally, organizations consider two topics:
An internal auditor does not need to be certified; they just need to comply with the organization's competency requirements. Just being familiar with ISO 14001 is not enough.
You can find more information below:
Please note that there is no definitive answer to this question.
The best tool is the one that suits the size and complexity of the company; in general, the smaller the company, the simpler the solution you need.
For smaller companies we recommend you check out Conformio's risk management solution (https://advisera.com/conformio/). You can sign up for the 30-day free trial and see if it can fulfill your needs.
This article will provide you with a further explanation about risk management with Conformio:
Certification bodies for the ISO 27001 Information Security Management Systems standard are required to be accredited by an accreditation body against ISO/IEC 27006, and this standard defines surveillance audits as part of the certification process of an organization (section 9.6 Maintaining certification).
You can have an overview of this standard here: https://www.iso.org/obp/ui/#iso:std:iso-iec:27006:ed-3:v1:en
This article will provide you with a further explanation about accreditation and certification: