1 - I wanted to know, for the Security Awareness Training, if we have our own training, can this be used and we just have to log when the training was completed? Who should participate in the training, as all employees take this training?
You can have your own training, but you need more than a log of when the training was completed. You need to identify the training content and the results achieved (e.g., who participated, by means of attendance lists; who was approved, by means of exam results or certificates, etc.). In your toolkit, you have a Training and Awareness Plan, located in folder 9 Training and awareness, that will help you log all the information you need to be compliant with the related ISO 27001 requirements.
Regarding who needs to participate, you need to identify which security competencies need to be fulfilled, so you can identify who needs them. These are the people who need to attend the activities.
For example, if you need to fulfill a gap related to clean desk and clear screen, maybe all employees in the scope will need this one. On the other hand, if you need to fulfill a gap in network security, maybe only IT personnel need to attend the activity.
For further information, see:
2 - It's from a site, KnowBe4. I wanted to know, for this part, can our employees use this site, or do they have to use your site for ISO? Do we have to show who has had training?
ISO 27001 does not prescribe how to perform awareness and training, so organizations can use their own training/awareness material, use a training provider, or adopt a mix of these approaches.
Regarding training providers, you can use any one you see fit for your needs.
Regarding records to be kept, the same records you keep when you perform training by yourself need to be kept.
To my understanding of this equipment, equipment that generates oxygen for medical applications is not a medical device. The oxygen tank would be a medical device if that oxygen has a medical device purpose and is not used as a medicine.
The best way to prepare the audit checklist is to go through Annex I, General safety and performance requirements, of the Medical Device Regulation MDR 2017/745. There, in Chapter III – Requirements regarding the information supplied with the device, you have all the requirements that need to be covered in labels and instructions for use.
For more information, see:
Please note that controls A.12.4.1 (Event logging) and A.12.4.3 (Administrator and operator logs) are covered in template “Security Procedures for IT Department”, located in folder 08_Annex_A_Security_Controls >> A.12_Operations_Security
Regarding controls A.12.4.2 (Protection of log information) and A.12.4.4 (Clock synchronization), please note that ISO 27001 does not require every applicable control to be documented, and in such cases a short explanation about its implementation included in the Statement of Applicability will be enough (you can find documented information about these controls in the SoA template located in folder 06 Applicability of Controls).
This article will provide you with a further explanation about controls documentation:
No, ISO 9001 is not mandatory for companies distributing medical devices. However, in the ISO 13485:2016 standard, section 0.1 Introduction - General states that ISO 13485:2016 can be used by an organization involved in one or more stages of the lifecycle of a medical device, including design and development, production, storage, distribution, and so on.
1. Do I need to perform mechanical tests on the liner? If so, which organization can do this?
You are the ones who determine the tests that need to be performed on your product. If this test is crucial to show that your product meets the specifications, then a test is needed.
As for the laboratories where the test needs to be conducted, the MDR requires it to be an accredited institution.
However, we are not able to refer you to the appropriate institutions because we do not know your product and its specifications.
2. How long do I need to do clinical trials on the liner? How many months and how many patients need to wear the liner as part of the clinical trials?
Clinical trials for medical devices must be prepared in accordance with the standard ISO 14155:2020 Clinical investigation of medical devices for human subjects — Good clinical practice. How long the research will take depends on many factors, which are listed in this standard.
However, please be aware that clinical trials are necessary for those medical devices that are completely new and for which there is no other source of clinical data. So, usually, it is for completely new types of medical devices, with new technologies or materials.
For all other medical devices, it is possible to perform the clinical evaluation with the available clinical and scientific data from the literature (Article 61 of the MDR 2017/745). If I understand correctly what a silicone prosthetic liner is, it is not a new device, therefore you can find a lot of clinical data on the internet. When you use literature data for your medical device, you need to find an equivalent device with which you will compare your medical device. Equivalence must be demonstrated at the clinical, technological, and biological levels.
For more information, see:
EU MDR Article 61 – Clinical evaluation https://advisera.com/13485academy/mdr/clinical-evaluation/
At the following links you can find how we have prepared the documents and reports for clinical evaluation in the ISO 13485 & MDR Documentation Toolkit:
Yes, it would be a data controller even before entering into a contract, because the third-party service provider will be free to decide the purposes and means of the processing of personal data belonging to the potential customer.
Here you can find more information on the role of processor and controller:
If you want to learn how to process data under the EU GDPR you may consider enrolling in our free training EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course/
Controls from ISO 27001 Annex A that can help verify GDPR compliance are:
This article will provide you with a further explanation about ISO 27001 and GDPR:
Please note that this control refers not only to laws but also to agreements (e.g., contracts) and regulations, so you need to also verify these elements. For example, you may have a contract with a customer or a supplier defining requirements for cryptography, or some regulation applicable to your industry may define requirements for cryptography.
In case there are no agreements or regulations applicable to your organization, then you can record these controls as an exclusion in your SoA.
This article will provide you with a further explanation about the SoA:
These materials will also help you regarding SoA:
Depending upon the training provider, there are two options:
Please note that, due to the number of changes in the new ISO 22301:2019, this qualification is not very important if you want to work as a consultant, but it is very important if you want to work as an auditor.
These articles will provide you with a further explanation about ISO 22301:2019: