Search results


  • Quality plan for service or collective

    Start by listing the different types of services provided by your company. Then start an unzooming exercise and try to determine what is common and what is different in terms of risk. For example, a transport company may have a basic service of taking an order from A to B, but it can also provide the same service urgently, or also provide the same service with a guarantee of negative temperatures during transport, it can also provide the same type of transport for foodstuffs with food safety requirements.

    So, for each kind of service, think about clients' and other interested parties' requirements and compliance obligations, and think about the risks for each service; from there, develop your quality plans. Perhaps some may be common to several kinds of services and others will be specific.

    The following material will provide you with more information:

  • Best practices in utilizing old clinical studies

    In Article 2 Definitions, point 12, it is stated that “‘intended purpose’ means the use for which a device is intended according to the data supplied by the manufacturer on the label, in the instructions for use or in promotional or sales materials or statements and as specified by the manufacturer in the clinical evaluation”. The intended purpose would be best put together by someone who has experience with a given medical device, keeping in mind the intended user (medical professional, patient, or other users). It is usually a short two- or three-sentence statement focusing on what the device is intended to be used for. With the intended purpose, it is proven that the product has a medical purpose, in line with the definition of a medical device in paragraph 1 of Article 2.

    The intended purpose must in no way refer to specific features of the product or the specifications of the intended product.

    For further information, please see the following:

    • EU MDR Article 2 – Definitions https://advisera.com/13485academy/mdr/definitions/
  • When to Do Internal Documentation Review

    It is not mandatory, nor do I recommend a specific season for a deliberate documentation review. I recommend reviewing documents as we go, as one more task during the day-to-day operations of the management system. For example, after a complaint, after a corrective action, after determining new process objectives, after determining new quality objectives, after an internal or external audit, after changes in compliance obligations.

    You can find more information about documents and records below:

  • Question about Operating Procedures for IT Management

    In the context of ISO 27001, Operating Procedures for IT Management refers to documents describing technical and management activities to be performed by IT teams to ensure information security.

    Please note that, depending on the results of the risk assessment or applicable legal requirements, IT operating procedures may need to be documented so employees have clear guidance on how to perform their activities and prevent incidents. These documents will cover both the execution of operational activities (e.g., backup generation) and management activities (e.g., management of changes in IT systems).

    The template “Security Procedures for IT Department” you already bought is the one you need to use to cover this need for ISO 27001.

    These articles will provide you with further explanation about developing documents:
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
    - How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/

  • Cryptographic tool

    Based on the information you provided:

    - in the first column you need to use the original text of the template (Name of the System / Type of information) and be more specific about the situation you are describing, because you are referring to information (source code and backup), where it is (laptop), and its state (at rest and in transit). The use of these different elements may cause confusion when defining which tools apply.

    For example, will backup and source code stored in any place require an HSM, or only those stored on corporate servers? As a suggestion, you could use terms like “data at rest in corporate servers” and “data at rest in laptops” to be clearer (since backup and source code share the same specifications as data at rest, you can exclude them from the list).

    - the remaining columns are OK. Specifically, about the Cryptographic Tool column, you correctly defined by which means the encryption algorithm will be implemented (in your case, by the software OSX FileVault, by a hardware security module, and by the TLS protocol).

  • Questions regarding the template of ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit

    First of all, sorry for this confusion.

    To avoid further confusion, instead of answering your current questions, I rewrote the first answers sent to you considering the correct template.

    1) Which section does “privileges in respect to the abovementioned user profiles” in 3.4. Organization’s privilege management refer to? Is this 3.2 or 3.3?

    Section 3.4 refers to privilege management of profiles defined in section 3.2.

    To make the text clearer, you can change the first paragraph of section 3.4 from “Privileges in respect to the abovementioned user profiles for [organization name] (granting or removing access rights) are allocated in the following way:” to “Privileges in respect to the user profiles mentioned in section 3.2 for [organization name] (granting or removing access rights) are allocated in the following way:”

    2) If it’s 3.3 then looks like 3.4 and 3.5 will cover the same thing?

    Please note that sections 3.4 and 3.5 have different purposes. Section 3.4 refers to the management of profiles used by the organization (covered by section 3.2) and section 3.5 refers to the management of profiles related to provided cloud services (covered by section 3.3).

    3) But, section 3.7 mentions “Organizations’ personal defined in 3.4 as responsible for granting administrative access rights to its public cloud services, platforms, and infrastructure…”. Which makes me wonder 3.4. is for 3.3. Is it correct? Or, this should be “Organizations’ personal defined in 3.5 as responsible for granting administrative access rights to its public cloud services, platforms, and infrastructure…”

    Your assumption is correct: the reference must be to section 3.5, not to section 3.4. We’ll make this correction ASAP. Thanks for this feedback.

  • Article 10 of the MDR

    Every manufacturer of a medical device must have an implemented quality system, regardless of whether or not it has employees. The manufacturer is responsible for placing the product on the market and, accordingly, must have a system implemented. The fact that manufacturing is subcontracted plays no role from the market's point of view. So, in the case of subcontracted manufacturing, the manufacturer must have a quality agreement with the subcontractor, and must have its own quality system implemented, in which the most important element will be how it keeps the subcontractor under control. If the subcontractor does not have a quality system, the manufacturer is obliged to prepare appropriate documentation according to which the subcontractor will carry out production.

    Of course, the manufacturer's quality system must be implemented so that it is ready for certification. This means that in the development phase the quality system does not yet need to be implemented.

  • Documents for measurement systems

    Laboratories apply for ISO 17025 accreditation once they have implemented the requirements of ISO 17025 into their management system. Because ISO 17025 is a competency standard, the laboratory must show technical competency for all the methods applied for, i.e. methods on the Scope of accreditation to ISO 17025. That means for each test or calibration method, the laboratory must meet the technical requirements, including a suitable method to meet the need of the client, method validation, internal quality control, and proficiency testing. Once initial accreditation is obtained, the laboratory can “extend the scope” by adding additional test methods. Note that in some cases the test methods may be in a different discipline and accreditation program; for example, a laboratory may initially only include chemistry and then later add microbiological methods for accreditation. This may require you to meet other regulatory requirements and specific requirements from the Accreditation Body for that program.

    Then note that in some cases a laboratory can apply for a “flexible scope of accreditation”. This means that after initial accreditation and the scope of accreditation is published by the accreditation body (i.e. competency was demonstrated), the laboratory can add additional activities that are considered to be within the scope of accreditation without applying for an extension of scope. This mechanism is applicable, as an example, to a specific methodology / technique that is accredited for certain analytes; the laboratory can then develop the technique to add further analytes using the same methodology. For example. The degree of flexibility will vary between technical disciplines and conformity assessment activities, so the laboratory must adhere to the policies of the Accreditation body.

    For more information on flexible scopes, guided by ILAC, see ILAC G18:04/2010 Guideline for the Formulation of Scopes of Accreditation for Laboratories (under revision), available from https://ilac.org/publications-and-resources/ilac-guidance-series/. I suggest you then contact your accreditation body for specific requirements.

    For more information on ISO 17025 see What is ISO 17025? at https://advisera.com/17025academy/what-is-iso-17025/ and the Free webinar – What are the steps in the ISO 17025 accreditation process? at https://advisera.com/17025academy/webinar/what-are-the-steps-in-the-iso-17025-accreditation-process-free-webinar/

  • Quality Control Documentation

    This is a rather broad topic, so I suggest that you start with some of the following readings:

    After you read this, and of course the standard ISO 13485:2016, we are at your disposal for further discussion. In that case, I suggest making an online call to solve all your questions.

  • Needed Policies

    Since these are neither mandatory nor commonly adopted policies for an ISO 27001 ISMS, there are no templates available for such policies. In this case, I suggest you schedule a meeting with one of our experts so he can understand your needs and help you to develop such documents.

    From an ISO 27001 point of view, it is important to evaluate which controls you want to implement to better understand how to write such policies and to see if the existing templates are sufficient for your needs.

    For example, the Wireless Access Policy can be embedded in the Access Control Policy (located in folder 08 Annex A >> A.9 Access control), since the wireless network is an infrastructure element already covered in the Access Control Policy.

    Another example is the Endpoint Security Policy. Elements of an endpoint policy, such as configuration and use of software, are already defined in the IT Security Policy (located in folder 08 Annex A >> A.8 Asset Management). The same applies to the Anti-virus Policy, also covered in the same IT Security Policy.
