  • Corrective Actions Procedure

    The Lead Internal Auditor or the Information Security Manager would be the most probable candidates to document this procedure.

    Please note that while ISO 27001 does not prescribe who needs to develop documents, it requires that a person doing work that affects information security performance (like documenting procedures) has proper competencies (i.e., education, training, or experience).

    This article will provide you with further explanation about corrective actions:

    These materials will also help you regarding documenting policies and procedures:

  • ISO 13485 / MDR

    1. Clinical evaluation - are we qualified to complete this ourselves? I have documented professional experience of >14 years but not a medical degree

    It is not necessary to have a medical degree to make a clinical evaluation report. Clinical evaluation should be understood as a key document that has all the necessary information to understand the medical device and to prove its purpose. It is a comprehensive document, very detailed and extensive. Therefore, it is extremely important that it is written by a competent person who understands the medical product to its very core - both structurally and in terms of its medical purpose. Another important fact is that the person who will do the clinical evaluation must have experience in searching the scientific literature and be able to determine which literature is relevant and why. This is usually proven by a CV, the number of published papers, or a scientific title such as a master's degree or a doctorate.

    2. MDR requires a suitably qualified person to act as the person responsible for regulatory affairs - is there any definition about what suitably qualified means?

    Yes, in Article 15 – Person for regulatory compliance, point 1 states the competencies:

    • a diploma, certificate or other evidence of formal qualification, awarded on completion of a university degree or of a course of study recognized as equivalent by the Member State concerned, in law, medicine, pharmacy, engineering or another relevant scientific discipline, and at least one year of professional experience in regulatory affairs or in quality management systems relating to medical devices;

    • four years of professional experience in regulatory affairs or in quality management systems relating to medical devices.

    For further information, see:

    • EU MDR Article 15 https://advisera.com/13485academy/mdr/person-responsible-for-regulatory-compliance/

  • Technical file and clinical evaluation

    Yes, absolutely. Considering the MDR part of the toolkit, we have prepared general documents – a technical file that guides you on which information it has to contain, then templates for the post-market surveillance system and the clinical evaluation report. However, according to Annex II of the MDR, there is a lot of documentation that is necessary, and which depends on the type of medical device. These are, for example, various stability studies, performance testing, sterilization validation documentation, packaging validation, and the like. Given the diversity of medical products, it was not possible to standardize all of this and make templates.

    As for healthcare professionals regarding the clinical evaluation, it is recommended that this be done by an independent person who is well acquainted with the product itself and, above all, with its medical purpose. Clinical evaluation should be understood as a key document that has all the necessary information to understand the medical device and to prove its purpose. It is a comprehensive document, very detailed and extensive. Therefore, it is extremely important that it is written by a competent person. If you have one in your company, then that is the best option, but if you do not have one, then it is good to look for a competent person to perform this task.

    For more information, see:

    For more information regarding the technical documentation structure, please see the following link:

    • What are the EU MDR technical documentation structure and requirements? https://advisera.com/13485academy/blog/2021/04/06/what-are-the-eu-mdr-technical-documentation-structure-and-requirements/

  • ISO 27001 query

    1. Is it possible to describe a scenario when something has happened to our office and all our coworkers just get a laptop and a 4G hotspot and connect to a VPN in the cloud where our services run? So, this means they can work from home and not be in the office. The communication channel will always be secure and encrypted. And in the risk assessment we consider this to be an acceptable risk. The coronavirus situation actually has proven this to be quite an effective strategy since we've been working like that for more than a year and we haven't run into problems of any kind. We miss partying together though ... Would an ISO27k1 auditor be comfortable with a solution like this one?

    As long as you can evidence that this strategy is achieving your defined objectives (e.g., Recovery Time Objective and Recovery Point Objective), it will be acceptable to the certification auditor.

    For further information, see:

    2. Our servers and services run in the cloud, so even if there is a breach or some other kind of event related to information loss, we can pretty much return everything to working order in a matter of hours. And we've stated that we are OK with 1 day of loss of information, so based on the risk assessment and scope it's OK. But again, I am not sure an auditor would see it this way.

    The same answer as for the previous question applies here.

    Please note that the certification auditor will not provide an opinion about your strategies; he will only check whether you fulfill the standard’s requirements and whether the decisions are backed up by gathered information. For example, he will check which information you used to define the 1-day loss limit to see if the rationale makes sense.

    For further information, see:

    3. We are creating copies of the servers/services and backing those up to different cloud providers, so if an event happens that only takes out one cloud provider, we can still operate by just spinning up the infrastructure on another cloud provider. Would that cover all of our bases? In an event where the internet is lost, or the major cloud providers are gone ... we might not want to continue operations.

    The decision about which bases to cover will depend on the impact that losing them will have on your business, as well as on how long you can wait for them to be recovered. To have data for an informed decision, you should consider performing a Business Impact Analysis (BIA) covering the business processes which rely on such bases (please note that a BIA is not required by ISO 27001; in this case, it would be a good practice to help you make a decision).

    For further information, see:

    4. How thorough do we need to be when describing major events/incidents that can lead to the decision to put the disaster recovery into operation? Do we need to list every possible event or incident? Like hacker attack, cryptovariation ransomware attack, worm attack, political embargo on services or war, force majeure conditions? The only change in the disaster recovery plan is whether the office is still usable and standing - if it is, we just continue from backups or migrate everything. If the office is not there, all coworkers start working from home. I've tried to find the answers to those questions in your blogs and literature online, but I really don't know the mindset of an auditor and what they consider a good solution or a solution that is in line with the risk assessment that we will present to them. Thank you in advance.

    To activate the disaster recovery plan, you do not need to take into account which event/incident has occurred, only the time that will be needed to recover operations. If this time is above the threshold defined in the disaster recovery plan, then you need to activate it.

    For further information, see:

  • Question about filling in an ISO 27000 document

    The proposed change is acceptable for the purposes of compliance with ISO 27001.

    This article will provide further explanation about the classification of information:

  • AS9100 - 8.5.1 production and service provision

    In AS9100, throughout the standard, all requirements are applied to the products AND services of the company. So, throughout the operations requirements in clause 8, the intent is that these will apply to both the products and the services of the company. As you have indicated, you do not exclude design and development since you take part in it, and apart from some minor differences in meaning as to whether this is a service or not, it is actually a bit irrelevant. If you have identified the requirements for this activity, including those needed to meet the needs of your customers, and these are part of your process, then whether you have a scope of “design and manufacturing” or “design services and manufacturing”, the end outcome is really irrelevant.

    Even if this activity is considered a service, I am sure that you have all the applicable “controlled conditions” of your service provision included to meet your needs, remembering that the clause 8.5.1 requirements are deemed “as applicable” to whichever product or service they are applied to. In the end you have a process that meets the needs of you and your customer.

    This change for products and services, along with the ability to exclude design and development from the QMS, is explained a bit more in this article: Can companies still exclude design and development from their AS9100 Rev D QMS?, https://advisera.com/9100academy/blog/2017/10/09/can-companies-still-exclude-design-and-development-from-their-as9100-rev-d-qms/

  • Help us understand each other better

    1 - Do I need to complete an internal audit of ALL areas of ISO27001 BEFORE I can schedule/conduct my first external regulatory audit?

    Answer: Before the certification audit, you need to perform an internal audit covering all ISO 27001 requirements (i.e., items from clauses 4 to 10) and applicable controls for all elements included in the Information Security Management System scope. This is a requirement from section 9.2 (Internal audit).

    For further information, see:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    - How to perform an ISO internal audit [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-perform-an-iso-internal-audit-free-webinar-2/

    These materials will also help you regarding internal audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

    2 - It is my understanding that as part of continuous monitoring of the systems most companies break down the audit into sections and in a rolling 3-year period cover the entire standard. If that is the schedule I create, then at my first external audit I will only have a portion of the standard covered by internal audit. Is that acceptable? Assuming it is, how much of the standard do you think (and I understand this is subjective) we should have completed before the external audit?

    Please let me know if you have any questions. Thank you

    Answer: Please note that breaking down the internal audit into sections is valid only after the certification audit (i.e., for surveillance audits). For the certification audit, you need to have performed an internal audit over the whole ISMS scope.

    This article will provide you with further explanation about certification and surveillance audits:
    - Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/

  • ASD ISM to ISO 27001 mapping

    Unfortunately, we do not have such a mapping, but we suggest you take a look at this site to see if this tool can help fulfill your needs: https://www.agilient.com.au/cybersecurity-mapping-tool/

    It provides an alignment analysis including the ISM, ISO 27001:2013, NIST, and the ASD Strategies to Mitigate Cyber Security Incidents.

  • Posts on discussion forum

    Usually, the discussion forum is ruled by the terms of service of the forum, and so the legal basis for data processing is the contract between the company and the user.

    In case the user demands the deletion of their data, the data controller (the company) can decide either to anonymize or to delete the data.

    Here you can find some information about the legal basis:

    If you need to understand how to manage data subjects' rights under GDPR, you can consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/

  • multi location vs BIA and RA performing

    Table duplication, although feasible, won’t help you as much.

    You should consider keeping all data in the same table, splitting the lines related to the issues you want to have by location. For example:

    Instead of

    https://i.imgur.com/u409PB5.png

    or

    https://i.imgur.com/DJ7Ta3U.png

    you should adjust this line to

    https://i.imgur.com/FrjgAmm.png

    and

    https://i.imgur.com/0EOAwgf.png

    *: you apply this example to all resources you need to evaluate (e.g., data, servers, documents, services, etc.)

    This way you will have all the information you need in a single view.
