
  • ISO 27001 certification

    For certification against ISO 27701, please note that ISO 27701 was developed as an extension of ISO 27001 and ISO 27002.

    Considering that, the most common approaches for implementation are implementing on your own, or implementing on your own with expert support. Each alternative has its pros and cons, and I suggest you take a look at this white paper to identify which alternative is best for you:
    - Implementing ISO 27001 with a consultant vs. DIY approach https://info.advisera.com/27001academy/free-download/implementing-iso-27001-with-a-consultant-vs-diy-approach

    When considering the DIY approach, using a specialized platform can help you a lot, and for that I suggest you take a look at our Conformio platform at this link: https://advisera.com/conformio/

    If you decide to use a consultant, this article will help you: 5 criteria for choosing an ISO 22301 / ISO 27001 consultant https://advisera.com/27001academy/blog/2013/03/25/5-criteria-for-choosing-a-iso-22301-iso-27001-consultant/

  • Asset to Vulnerability Error

    Please note that the Person Responsible for treating a Nonconformity is defined on a case-by-case basis in the Nonconformity register, because for each nonconformity you may have different persons with the interest/skill/authority to solve it. In the Nonconformity register you will be able to add a person responsible for a particular nonconformity.

    In the Procedure for Nonconformities and Corrective Actions, you only define in a generic way that a person needs to be in charge of the nonconformity, so the specific person is defined in each nonconformity.

    For further information, see:
    - Case study: How to solve nonconformities using online ISO 27001 compliance software https://advisera.com/conformio/blog/2020/08/12/case-study-how-to-solve-nonconformities-using-online-iso-27001-compliance-software/
    - Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/

  • Is maintenance required to have a critical parts list?

    According to the IATF 16949:2016 standard, article 8.5.1.5, critical spare parts should be kept and followed up with a minimum stock level.

    When equipment fails and part replacement is required, if the item to be replaced is a hard-to-find and critical item, the organization should have spare parts in stock.

  • BIA - The time after which the resource is needed

    Your understanding is correct.

    When considering all three scenarios at the same time, you need to adopt the shortest one to ensure all scenarios can be handled in case of disruption.

  • Register of Requirements

    1 - Quick question, why is there no ability to have people review the register of requirements like there are for the other documents?

    Please note that the register of requirements is not in fact a document, but a list of entries referring to laws, regulations, contracts, and other legal requirements, where each entry can have its own frequency of review (because their deadlines and changes are not defined by the organization) and responsible person, so the application of the review and approval flow used for other documents does not make sense for this register.

    2 - Also, same issue with permissions again. Only one person can work on this doc at a time.

    At this moment Conformio does not allow collaborative editing of documents, so to maintain document integrity, only one user can be the document owner. During the document review, the customer can use the discussion tab to involve other users during the editing step. As a workaround to this, you can create a shared account and document who is allowed to use it and for which purpose.

  • Document handling in Conformio

    Thank you for your question and feedback. We are currently working on updating this section of the document in order for this to be possible. Our support team will follow up via email once this document is updated so that you can finalize it.

  • Document references

    Controls A.12.4.1 Event logging and A.12.4.3 Administrator and operator logs are covered by the template Security Procedures for IT Department (section 3.7 System monitoring), located in folder 08 Annex A Security Controls >> A.12 Operations Security.

    Control A.12.4.2 Protection of log information is a technical control, which means its implementation is performed directly in the systems, not in the documentation.

    For further information, see:

    Regarding controls from section A.12.6 Technical vulnerability management, control A.12.6.2 Restrictions on software installation is covered by the template IT Security Policy, located in folder 08 Annex A Security Controls >> A.8 Asset Management.

    Control A.12.6.1 Management of technical vulnerabilities is more of a technical control, which means its implementation is performed directly in the systems, not in the documentation.

    For further information, see:

    Regarding the control from section A.12.7 Information systems audit considerations and control A.18.2.3 Technical compliance review, both are implemented by means of the Internal Audit Procedure, located in folder 10 Internal Audit, during the audit planning phase.

    For further information, see:

  • Info about SoA document

    A third common justification can be “Management decision”, when management decides that it considers a control to be applicable, and this decision can be based on anything it considers important, including business requirements.

    If your reason is improving a market position, it would be better to write 'Management decision' instead because marketing is not directly related to security.

    For further information, see:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/ 

  • Technical documentation of medical device class IIb

    1. Which are all the documentary requirements I must give the notified body in order to successfully submit a medical device class IIb that has a change of material? Which are the principal points that you could give us as a tip to be more focused in order to be correct in a CEP, CER, RMP, RMR, BER?

    All documents required for technical documentation are presented in Annex 2 - Technical documentation and in Annex 3 - Technical documentation for post-market surveillance of the MDR 2017/745. Considering the principal points for the listed documents, they have to be in total conformity with regulatory requirements. Notified bodies are very strict in auditing these documents, so everything that is requested has to be in the documents. You can see what this documentation looks like in our Documentation toolkit https://advisera.com/13485academy/iso-13485-eu-mdr-documentation-toolkit/

    These are the documents you will find in our toolkit for CER, CEP, RMR, and RMP:

    You can find more information regarding the content of technical documentation in the following article:

    2. What is the biggest tip that you can give me in order to know which laboratory test I must do to medical device?

    Considering biocompatibility, you have to go to ISO 10993-1:2020 Biological evaluation of medical devices - Part 1: Evaluation and testing within a risk management process (ISO 10993-1:2018, including corrected version 2018-10); Table 1 presents which tests must be performed considering the type of the medical device: whether it is in contact with intact skin or mucous membranes, whether it breaches the body or is in contact with blood, and how long it is in use on/in the human body.

    Performance testing is something that you need to decide on considering what characteristics your medical device has (length, strength, volume, electrical testing, and so on).

    3. Is it possible that with scientific articles that talk about the specific device I can substitute the laboratory tests of the medical device? Which could be the legal basis in order to justify this?

    For class IIb, it seems rather hard to justify laboratory testing with scientific literature. Medical devices of class IIb are high-risk medical devices, and it does not seem possible to do this with a justification.
