
  • Does ISO 45001 cover electrical and fire or just medical?

    The ISO 45001 provides requirements for companies to implement a management system to prevent injury and ill health in their employees; this does not certify the products and services that are provided by the company against any OH&S requirements. So, if you are purchasing a piece of equipment from an ISO 45001 certified company, this has nothing to do with the safety of that equipment.

    However, the ISO organization has over 23,000 standards, and many of these are used to provide requirements to certify equipment. It may be possible that you are purchasing a piece of equipment that is ISO certified for electrical and fire building codes to an ISO standard; however, you would need to compare the requirements of this standard against your NRTL certification requirements to ensure they are equivalent.

    You can learn a bit more on what the requirements of ISO 45001 for an Occupational Health & Safety management system are in the whitepaper: Clause-by-clause explanation of ISO 45001:2018, https://info.advisera.com/45001academy/free-download/clause-by-clause-explanation-of-iso-45001

  • ISO 9001 Certification Documentation

    Please find below the answers to your questions:

    @Guest user

    Can I appear as General Manager even if I am not in the Chamber of Commerce registration? If you need an engagement letter for certification purposes?

    I would not include you in the organizational chart yet, since you are not officially in the company. You can include your position as a planned change in your QMS, and when you enter the company in 2022 your role must be included, as well as your tasks and the competence needed.

    @Guest user

    The administration is a service that we buy partly from a professional and partly from the accountant which of the cited? do we have to put names or is it enough the role that can then be played by different people?

    You will need to include these services as outsourced services, and you should specify that in the scope. Therefore, these services will need to be evaluated according to the criteria for the evaluation of suppliers. In addition, you won't need to put their names and roles, since they are outsourced suppliers and their companies are the ones that should do that.

    @Guest user

    Can we omit the organization chart or make a simplified one?

    You can make a simplified one, as long as you can show how your organization is structured and how the respective roles and responsibilities are described.

    @Guest user

    RGQ in our case of coinciding with AD?

    It does not need to be the same person; there are no such requirements in ISO 9001:2015.

    @Guest user

    Are all the chapters and sub-chapters of the manual mandatory? If something does not belong to us or we have nothing to say, do we put n/a? For example, we do not have offices but we work either digitally from home (especially in the last year and a half) or on-site at the customer.

    Firstly, you need to know that the Manual is no longer a mandatory document. Having said this, you can adapt it to your own organization and delete those parts that don't apply to your company.

    @Guest user

    Can we use Teams and Office 365 as a repository?

    You can, as long as you can control your documents and records and keep the confidentiality of the documentation.

    For more information about ISO 9001 certification, you can see the following materials:

    - QMS change management in 7 steps: https://advisera.com/9001academy/blog/2016/11/29/qms-change-management-in-7-steps/

    - How to document roles and responsibilities according to ISO 9001: https://advisera.com/9001academy/blog/2018/02/26/how-to-document-roles-and-responsibilities-according-to-iso-9001/

    - How to evaluate supplier performance according to ISO 9001:2015: https://advisera.com/9001academy/blog/2015/10/27/how-to-evaluate-supplier-performance-according-to-iso-90012015/

    - Tips to make document control more useful in your QMS: https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/

    - Free online training ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/

    - Discover ISO 9001:2015 Through Practical Examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Generating reports as security manager

    I’m considering your question based on the information about the purchase of a documentation toolkit.

    Considering that, you should create a spreadsheet file (e.g., Excel) containing the information you want to evaluate that is available in the incident log template (e.g., incident ID, date, affected asset, etc.).

    From this database of incident metadata, you can generate the data for your report.

    The incident log template can be found in folder 08_Annex_A_Security_Controls >> A.16_Information_Security_Incident_Management

    Alternatively, you can take a look at our Conformio solution, to see if its Report Module features can fulfill your needs. You can access Conformio (online tool for ISO 27001) at this link: https://advisera.com/conformio/

  • Implementation questions

    1 - We are a small startup and have very little internal bureaucracy, let alone a document template pre-designed for that purpose, so in that sense we can be very flexible as to what we want the ISO 27001 documents to look like. I thought I'd keep everything in electronic format and rely on the word processor's features for things such as authorship, version control, signature and approval of documents, etc. That means that many of the elements present in the templates from the toolkit (the change history table, table of contents, page numbers, etc.) are redundant, since they are already available as document metadata outside of the page. I understand these fields would be useful if we were to ever keep a printed copy of the document, but I don't think that is going to be the case. So my question is, should we nevertheless adhere to the format provided in the templates as a best practice, or is any format adequate as long as it is consistent with the specifications from the "Procedure for Document and Record Control" document?

    Answer: You can implement the document control in any way you see fit, as long as the basic principles defined in the "Procedure for Document and Record Control" are followed.

    For further information, see:
    - Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/

    2 - Similarly, the use of job titles seems excessive for a company our size, where a single employee is usually the only one responsible for writing the document, approving it and monitoring compliance. We do not have upper management levels nor board of directors. In that sense, to what extent should we rely on the use of role names such as Information Security Manager, as opposed to a more generic IT Manager? Should these job descriptions be reflected somewhere else, such as in the employment contract?

    Answer: You can designate information security responsibilities to existing roles in your organization, so there is no need to create new ones. Please note that ISO 27001 does not prescribe roles to be adopted by organizations, so they are free to define responsibilities as they see fit.

    For further information, see:
    - How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/

    3 - While working on some of the documents I noticed that the assessment of things such as requirements and stakeholders can be rather subjective. Is there any possibility of a certification body raising concerns owing to a disagreement on how this assessment was performed? In other words, how can we judge whether these documents contain enough and accurate information for the certification to be successful?

    Answer: As long as your requirements and stakeholders are aligned with the elements identified for your organizational context, there won’t be a reason for questioning your assessment, unless there is an obvious point you missed (e.g., an organization not taking into account a mandatory law related to its industry, or service providers not taking into account contracts signed with their customers).

    To help you with that, in the toolkit you will find the Procedure for Identification of Requirements, located in folder 02 Identification of requirements, which systematizes and documents the criteria you need to consider in the identification of requirements.

    For further information, see:
    - How to define context of the organization according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

    4 - The documentation toolkit is sold with the premise of it containing all the information we need to become certified, but it refers to the standard itself at various explanatory notes throughout. E.g.: Requirements relevant for ISMS implementation are those established by the standard itself (all statements that contain the word “shall” are requirements). Would you advise purchasing the standard as complementary information to the toolkit?

    Answer: The toolkit was designed to cover all the requirements of the standard and to be used with little to no knowledge of the standard, so you only need to buy the standard if you want to have direct contact with its content (before that, we suggest you watch our free online training, the ISO 27001 Foundations Course: https://advisera.com/training/iso-27001-foundations-course/).

    These articles will provide you a further explanation about ISO 27001:
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/

  • Question about ISO 22301 Project

    Please note that these references in the Project Checklist are to articles available on the site, not to templates. That’s the reason they are not included in the zipped folder.

    They are available for free so users can get knowledge about topics related to the templates referred to in the checklist.

  • Does ISO 13485 cover code required electrical and fire approval such as UL?

    There is no direct requirement for these codes in ISO 13485:2016. What is more important, however, is that there is a requirement that the medical device must be safe. Given all possible types of medical devices, different codes will be applicable to each. So if the UL code confirms the safety of your product, then it is very much needed.

  • Corrective Actions Procedure

    The Lead Internal Auditor or the Information Security Manager would be the most probable candidates to document this procedure.

    Please note that while ISO 27001 does not prescribe who needs to develop documents, it requires that a person doing work that affects information security performance (like documenting procedures) has the proper competencies (i.e., education, training, or experience).

    This article will provide you a further explanation about corrective actions:

    These materials will also help you regarding documenting policies and procedures:

  • ISO 13485 / MDR

    1. Clinical evaluation - are we qualified to complete this ourselves? I have documented professional experience of >14 years but not a medical degree

    It is not necessary to have a medical degree to make a clinical evaluation report. Clinical evaluation should be understood as a key document that has all the necessary information to understand the medical device and to prove its purpose. It is a comprehensive document, very detailed and extensive. Therefore, it is extremely important that it is written by a competent person who understands the medical product to its very core, both structurally and in terms of its medical purpose. Another important fact is that the person who will do the clinical evaluation must have experience in searching the scientific literature and be able to determine which literature is relevant and why. This is usually proven by a CV, the number of published papers, or some scientific title such as a master's degree or a doctorate.

    2. MDR requires a suitably qualified person to act as the person responsible for regulatory affairs - is there any definition about what suitably qualified means?

    Yes, in Article 15 – Person for regulatory compliance, point 1 states the competencies:

    • a diploma, certificate or other evidence of formal qualification, awarded on completion of a university degree or of a course of study recognized as equivalent by the Member State concerned, in law, medicine, pharmacy, engineering or another relevant scientific discipline, and at least one year of professional experience in regulatory affairs or in quality management systems relating to medical devices;

    • four years of professional experience in regulatory affairs or in quality management systems relating to medical devices.

    For further information, see:

    • EU MDR Article 15 https://advisera.com/13485academy/mdr/person-responsible-for-regulatory-compliance/

  • Technical file and clinical evaluation

    Yes, absolutely. Considering the MDR part of the toolkit, we have prepared general documents: a technical file that guides you on which information it has to have, then templates for the Post-market surveillance system and clinical evaluation report. However, according to Annex II in the MDR, there is a lot of documentation that is necessary, and which depends on the type of medical device. These are, for example, various stability studies, performance testing, sterilization validation documentation, packaging validation, and the like. Given the diversity of medical products, it was not possible to standardize all of this and make templates.

    As for healthcare professionals regarding the clinical evaluation, it is recommended that this be done by an independent person who is well acquainted with the product itself and, above all, with its medical purpose. Clinical evaluation should be understood as a key document that has all the necessary information to understand the medical device and to prove its purpose. It is a comprehensive document, very detailed and extensive. Therefore, it is extremely important that it is written by a competent person. If you have one in your company, then it is the best option, but if you do not have one, then it is good to look for a competent person to perform this task.

    For more information regarding the technical documentation structure, please see the following link:

    • What are the EU MDR technical documentation structure and requirements? https://advisera.com/13485academy/blog/2021/04/06/what-are-the-eu-mdr-technical-documentation-structure-and-requirements/

  • ISO 27001 query

    1. Is it possible to describe a scenario when something has happened to our office and all our coworkers just get a laptop and a 4G hotspot and connect to a VPN in the cloud where our services run. So, this means they can work from home and not be in the office. The communication channel will always be secure and encrypted. And in the risk assessment we consider this to be an acceptable risk. The coronavirus situation actually has proven this to be quite an effective strategy, since we've been working like that for more than a year and we haven't run into problems of any kind. We miss partying together though ... Would an ISO27k1 auditor be comfortable with a solution like this one?

    As long as you can evidence that this strategy is achieving your defined objectives (e.g., Recovery Time Objective and Recovery Point Objective), it will be acceptable to the certification auditor.

    For further information, see:

    2. Our servers and services run in the cloud, so even if there is a breach or some other kind of event related to information loss, we can pretty much return everything to working order in a matter of hours. And we've stated that we are OK with 1 day of loss of information, so based on the risk assessment and scope it's OK. But again, I am not sure an auditor would see it this way.

    The same answer as for the previous question applies here.

    Please note that the certification auditor will not provide an opinion about your strategies; he will only check if you fulfill the standard's requirements and if the decisions are backed up by gathered information. For example, he will check which information you used to define the 1-day loss limit to see if the rationale makes sense.

    For further information, see:

    3. We are creating copies of the servers/services and backing up those to different cloud providers, so if an event that only takes out one cloud provider happens, we can still operate by just spinning up the infrastructure on another cloud provider. Would that cover all of our bases? In an event where the internet is lost, or the major cloud providers are gone ... we might not want to continue operations.

    The decision about which bases to cover will depend on the impact that losing them will have on your business, as well as on how long you can wait for them to be recovered. To have data for an informed decision, you should consider performing a Business Impact Analysis (BIA) considering the business processes which rely on such bases (please note that a BIA is not required by ISO 27001, and in this case it would be a good practice to help you make a decision).

    For further information, see:

    4. How thorough do we need to be when describing major events/incidents that can lead to the decision to put the disaster recovery into operation? Do we need to list every possible event or incident? Like hacker attack, cryptovariation ransomware attack, worm attack, political embargo on services or war, force majeure conditions? The only change in the disaster recovery plan is whether the office is still usable and standing: if it is, we just continue from backups or migrate everything. If the office is not there, all coworkers start working from home. I've tried to find the answers to those questions in your blogs and literature online, but I really don't know the mindset of an auditor and what they consider a good solution or a solution that is in line with the risk assessment that we will present to them. Thank you in advance.

    To activate the disaster recovery plan, you do not need to take into account which event/incident has occurred, only the time that will be needed to recover operations. If this time is above the threshold defined in the disaster recovery plan, then you need to activate it.

    For further information, see:

