Search results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • Food Packaging Testing

    ISO 17025 is applicable for calibration and testing laboratories. If you seek ISO 17025 accreditation as a testing laboratory, the laboratory needs to meet all the mandatory requirements for the Standard. The processes and procedures that would be part of the scope relate to all general quality management and technical requirements.  
    I suggest you become familiar with ISO 17025 and perform a gap assessment (internal audit) of the requirements of ISO 17025 against what you already have in place for your Medical Device Manufacturer QMS.

    For more information on ISO 17025 and the processes and documents, to put in place start here https://advisera.com/iso-17025 and the available resources, including the Checklist of mandatory documents required by ISO 17025:2017 at https://info.advisera.com/17025academy/free-download/checklist-of-mandatory-documents-required-by-iso-17025 Then have a look at what the toolkit can offer to assist with requirements of internal audits https://advisera.co/ISO17025Toolkit

  • ISO 27001 Internal Auditor Course Question

    Please note that the Audit Program and Audit Plan are different documents.

    An Audit program refers to all audits planned for a period of time, while an Audit plan specifies the details of one specific audit; Audit program is mandatory, while Audit plan is not.

    For further information, see our complete guide for internal audit.

  • Certification scope

    Regarding certification, you should consult your customers and regulators' requirements (i.e., contracts, laws, and regulations) to identify if they demand all sites to be certified or only specific sites. Based on these requirements, you can define which entities need to be certified. For example, if your customers' contracts only require Site A to be certified, and regulators do not demand certification, then certifying only Site A would be enough. 

    Regarding setup, documents, actions, and other elements related to the ISMS, those that are similar can be shared between entities (e.g., document and record control, internal audit, management review, etc.), while those with specific requirements may require separate implementation (e.g., disaster recovery plans). 

  • Security Awareness Course Password Question

    Thanks for the clarification - basically you are right, the scenario is not clear enough - we have to change the question to "In the news, you have heard that your favorite social media site has been hacked, and the user password database has been breached. You should:"

  • Change management and Change classification

    I’m assuming that by change management, you are referring to control A.8.32 Change Management.

    Considering that, any change involving information, processes, or facilities stated in the ISMS scope needs to be regulated by Change Management. 

    For example, if R&D information is included in the ISMS scope, then any change that may impact this information (e.g., a change in an information system that processes R&D data) needs to be controlled by Change Management. 

    This article will provide you with further explanation about change management (although the article is about ISO 27001:2013 control for change management, the concepts are the same for the ISO 27001:2022 control).

  • Audit Questions

    As resources for performing internal audit, we recommend these contents:

    Regarding procedural documents, the documents that you already have in the ISO 27001 Documentation Toolkit are completely adequate for the certification if you are a small or mid-sized company. Adding more documents would only create an overhead and would not contribute to your overall security. 

    For example, in the Toolkit you have the Backup Policy - for a smaller or mid-size company there is no need to create additional Backup Procedure, because the content of the Backup Policy is enough for describing backup activities.

    However, if you want we can help you create additional documents - for that purpose the best would be to schedule a call with our expert by clicking here

  • Conformio questions

    Answer: Please note that the Information Security Policy document generated by Conformio is fully compliant with ISO 27001 as it is, so most of the elements you mentioned do not need to be included in the Information Security Policy (some are already included in other low-level policies, or are not needed at all – they would only increase administrative effort unnecessarily). 

    About each specific point:

    • Exception Handling: exceptions are not mentioned in ISO 27001, and a good practice is either not to define them at all, or to define them for certain processes. For example, you could define an exception for granting access in the Access Control Policy.
    • Consequences of Non-Compliance: reference to consequences of non-compliance and violations of security rules are included in the Statement of Acceptance of ISMS Documents
    • Links to Other Policies and Procedures: The Policies, Procedures and other documents which supports the ISMS are identified in the Statement of Applicability Module
    • External Parties: The external parties are identified in the Register of Requirements Module
    • Review Frequency: Of course, the review could be done more often in various cases. However, we found that a large majority of our clients like the documents that are not too lengthy and are simple to read, and this is why we try not to explain such scenarios.
    • Audit and Monitoring: Audit and monitoring rules are defined in the Internal Audit Procedure
    • Document Storage and Versioning: Storage, versioning rules are defined in the Procedure for Document and Record Control. Who are allowed access to the policy is defined in section 1 of the document – Purpose, scope and users.
    • Terminology: Large majority of our clients find the listed terms enough for their purpose; as mentioned before, our clients prefer to have shorter documents and this is why we limited the terms to those that are listed.

    In case you want to develop an Information Security Policy with the elements you want, you can use the blank template provided by Conformio, which can be found by clicking on the Documents link in the left panel on the main screen, and after that, the folder Templates for manual editing. 

  • Definition of a non-conformity

    In the context of medical devices, non-conformities refer to instances where a device does not meet the established requirements or standards. These non-conformities are classified into major and minor categories based on their significance and potential impact on patient safety.

    Major Non-Conformity: A major non-conformity indicates a significant deviation from the established requirements. It poses a high risk to patient safety and may result in serious harm or adverse events. Major non-conformities typically involve critical aspects of the device's design, manufacturing, performance, or documentation. Correcting major non-conformities is of utmost importance to ensure the safety and effectiveness of the medical device.

    Minor Non-Conformity: A minor non-conformity refers to a deviation from the established requirements that has a relatively lower impact on patient safety. While minor non-conformities do not pose an immediate risk to patients, they still need to be addressed to maintain compliance with regulations and standards. Examples of minor non-conformities may include minor labeling issues, documentation errors, or non-critical deviations in manufacturing processes.

    It is crucial for manufacturers to properly assess and classify non-conformities as major or minor to ensure appropriate corrective actions are taken. Major non-conformities require immediate attention and remediation, while minor non-conformities should be addressed in a timely manner to maintain compliance and quality in the manufacturing and distribution of medical devices.

  • Environment and Scope

    1 - As a higher education institution, we operate in a hybrid environment encompassing cloud and on-premise resources, third-party services, as well as both in-house and outsourced application development. Our ISMS scope is currently confined to the IT department. Given this, which assets should we include in our ISMS? 

    Since the current ISMS scope is confined to the IT department, the assets to be considered for the ISMS should be those directly under the control of the IT department (e.g., on-premise resources, in-house application development, data for SaaS, data and applications for IaaS etc.).

    2 - Should it be limited to IT assets such as infrastructure, servers, network systems, applications, data centers, UPS, air conditioning, connectivity, and IT human resources? Or should we extend the scope to include departments like HR and Procurement?

    Each company can decide what ISMS scope best fits their needs. This is usually done based on customer requirements - if the customers require only the IT department to be certified, then this is usually enough.

    3 - When it comes to setting our ISMS objectives, considering the scope is limited to the IT department, should the security objectives also be confined to IT-related security measures?

    Besides the IT-related security objectives, the ISMS objectives should also be considered in terms of added value to the company. For example, to decrease the number of information security incidents by 50% in the next year.

    These articles will provide you with further explanation about defining the ISMS scope and objectives:

    This tool for defining the ISO 27001 ISMS scope can also help you.

  • ISO 9001 in Maintenance Companies

    Implementing ISO 9001 in a company that specializes in maintaining refrigeration systems or installing refrigerators, is certainly possible. ISO 9001 is a quality management system standard that can be applied to various types of organizations, including service providers like maintenance companies.

Page 13-vs-13485 of 1130 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +