  • Technical file and clinical evaluation

    Yes, absolutely. Considering the MDR part of the toolkit, we have prepared general documents: a technical file that guides you on which information it has to contain, then templates for the post-market surveillance system and the clinical evaluation report. However, according to Annex II of the MDR, there is a lot of documentation that is necessary, and which depends on the type of medical device. These are, for example, various stability studies, performance testing, sterilization validation documentation, packaging validation, and the like. Given the diversity of medical products, it was not possible to standardize all of this and make templates.

    As for healthcare professionals regarding the clinical evaluation, it is recommended that this be done by an independent person who is well acquainted with the product itself and, above all, with its medical purpose. The clinical evaluation should be understood as a key document that has all the necessary information to understand the medical device and to prove its purpose. It is a comprehensive document, very detailed and extensive. Therefore, it is extremely important that it is written by a competent person. If you have one in your company, then that is the best option, but if you do not, then it is good to look for a competent person to perform this task.

    For more information regarding the technical documentation structure, please see the following link:

    • What are the EU MDR technical documentation structure and requirements? https://advisera.com/13485academy/blog/2021/04/06/what-are-the-eu-mdr-technical-documentation-structure-and-requirements/

    • ISO 27001 query

      1. Is it possible to describe a scenario where something has happened to our office and all our coworkers just get a laptop and a 4G hotspot and connect to a VPN in the cloud where our services run? So, this means they can work from home and not be in the office. The communication channel will always be secure and encrypted. And in the risk assessment we consider this to be an acceptable risk. The coronavirus situation has actually proven this to be quite an effective strategy, since we've been working like that for more than a year and we haven't run into problems of any kind. We miss partying together though ... Would an ISO 27001 auditor be comfortable with a solution like this one?

      As long as you can evidence that this strategy is achieving your defined objectives (e.g., Recovery Time Objective and Recovery Point Objective), it will be accepted by the certification auditor.

      For further information, see:

      2. Our servers and services run in the cloud, so even if there is a breach or some other kind of event related to information loss, we can pretty much return everything to working order in a matter of hours. And we've stated that we are OK with 1 day of loss of information, so based on the risk assessment and scope it's OK. But again, I am not sure an auditor would see it this way.

      The same answer as for the previous question applies here.

      Please note that the certification auditor will not provide an opinion about your strategies; he will only check whether you fulfill the standard’s requirements and whether the decisions are backed up by gathered information. For example, he will check which information you used to define the 1-day loss limit, to see if the rationale makes sense.

      For further information, see:

      3. We are creating copies of the servers/services and backing those up to different cloud providers, so if an event happens that only takes out one cloud provider, we can still operate by just spinning up the infrastructure on another cloud provider. Would that cover all of our bases? In an event where the internet is lost, or the major cloud providers are gone ... we might not want to continue operations.

      The decision about which bases to cover will depend on the impact that losing them will have on your business, as well as on how long you can wait for them to be recovered. To have data for an informed decision, you should consider performing a Business Impact Analysis (BIA) covering the business processes which rely on such bases (please note that a BIA is not required by ISO 27001; in this case it would be a good practice to help you make a decision).

      For further information, see:

      4. How thorough do we need to be when describing major events/incidents that can lead to the decision to put the disaster recovery plan into operation? Do we need to list every possible event or incident? Like hacker attack, cryptovariation ransomware attack, worm attack, political embargo on services or war, force majeure conditions? The only change in the disaster recovery plan is whether the office is still usable and standing - if it is, we just continue from backups or migrate everything. If the office is not there, all coworkers start working from home. I've tried to find the answers to those questions in your blogs and literature online, but I really don't know the mindset of an auditor and what they consider a good solution, or a solution that is in line with the risk assessment that we will present to them. Thank you in advance.

      To activate the disaster recovery plan, you do not need to take into account which event/incident has occurred, only the time that will be needed to recover operations. If this time is above the threshold defined in the disaster recovery plan, then you need to activate it.

      For further information, see:

    • Question about filling in the ISO 27000 document

      The proposed change is acceptable for the purposes of compliance with ISO 27001.

      This article will provide more explanation about information classification:

    • AS9100 - 8.5.1 production and service provision

      In AS9100, throughout the standard, all requirements are applied to the products AND services of the company. So, throughout the operations requirements in clause 8, the intent is that these will apply to both the products and the services of the company. As you have indicated, you do not exclude design and development, as you take part in it, and apart from some minor differences in meaning as to whether this is a service or not, it is actually a bit irrelevant. If you have identified the requirements for this activity, including those needed to meet the needs of your customers, and these are part of your process, then whether you have a scope of “design and manufacturing” or “design services and manufacturing”, the end outcome is really the same.

      Even if this activity is considered a service, I am sure that you have all the applicable “controlled conditions” of your service provision included to meet your needs, remembering that the clause 8.5.1 requirements are deemed “as applicable” to whichever product or service they are applied. In the end, you have a process that meets the needs of you and your customer.

      This change for products and services, along with the ability to exclude design and development from the QMS, is explained a bit more in this article: Can companies still exclude design and development from their AS9100 Rev D QMS? https://advisera.com/9100academy/blog/2017/10/09/can-companies-still-exclude-design-and-development-from-their-as9100-rev-d-qms/

    • Help us understand each other better

      1 - Do I need to complete an internal audit of ALL areas of ISO27001 BEFORE I can schedule/conduct my first external regulatory audit?

      Answer: Before the certification audit, you need to perform an internal audit covering all ISO 27001 requirements (i.e., items from clauses 4 to 10) and the applicable controls for all elements included in the Information Security Management System scope. This is a requirement of section 9.2 (Internal audit).

      For further information, see:
      - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
      - How to perform an ISO internal audit [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-perform-an-iso-internal-audit-free-webinar-2/
      These materials will also help you regarding internal audit:
      - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
      - ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

      2 - It is my understanding that, as part of continuous monitoring of the systems, most companies break down the audit into sections and cover the entire standard in a rolling 3-year period. If that is the schedule I create, then at my first external audit I will only have a portion of the standard covered by internal audit. Is that acceptable? Assuming it is, how much of the standard do you think (and I understand this is subjective) we should have completed before the external audit?

      Please let me know if you have any questions. Thank you.

      Answer: Please note that breaking down the internal audit into sections is valid only after the certification audit (i.e., for surveillance audits). For the certification audit, you need to have performed an internal audit over the whole ISMS scope.

      This article will provide you with a further explanation about certification and surveillance audits:
      - Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/

    • ASD ISM to ISO 27001 mapping

      Unfortunately, we do not have such a mapping, but we suggest you take a look at this site to see if this tool can help fulfill your needs: https://www.agilient.com.au/cybersecurity-mapping-tool/

      It provides an alignment analysis including ISM, ISO 27001:2013, NIST, and the ASD Strategies to Mitigate Cyber Security Incidents.

    • Posts on discussion forum

      Usually, the discussion forum is governed by the terms of service of the forum, and so the legal basis for data processing is the contract between the company and the user.

      In case the user demands that their data be deleted, the data controller (the company) can decide either to anonymize or to delete the data.

      Here you can find some information about the legal basis:

      If you need to understand how to manage data subjects' rights under GDPR, you can consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/

    • multi location vs BIA and RA performing

      Table duplication, although feasible, won’t help you as much.

      You should consider keeping all data in the same table, splitting the lines related to the issues you want to track by location. For example:

      Instead of

      https://i.imgur.com/u409PB5.png

      or

      https://i.imgur.com/DJ7Ta3U.png

      You should adjust this line to

      https://i.imgur.com/FrjgAmm.png

      and

      https://i.imgur.com/0EOAwgf.png

      *: You apply this example to all resources you need to evaluate (e.g., data, servers, documents, services, etc.).

      This way you will have all information you need in a single view.

    • Language requirements on medical device class 1 products

      1. What language requirements are there on the following in countries within the EU?
      - Labels of main product
      - Labels of product boxes
      - Labels of outer boxes
      - Manuals/IFU

      According to Article 10 – General obligations of manufacturers, manufacturers shall ensure that the device is accompanied by the information set out in Section 23 of the General Safety and Performance Requirements in an official Union language(s) determined by the Member State in which the device is made available to the user or patient. The particulars on the label shall be indelible, easily legible, and clearly comprehensible to the intended user or patient.

      So, this means that if you place your medical device on only one market, then it is enough to have it in only one official language of the EU.

      For more information, see:

      2. Do you have a list on specific language requirements PER country on the above?

      No. We do not have a list of specific language requirements per country.

    • Help with ISMS Scope Definition

      1 - The Document of the scope

      The company has around 120 employees, 2 sites, and 3 different activities: IT solution integration, training, and cloud service provision.

      One site contains the IT solution integration and training divisions with the HR & Commercial departments; the other site contains the Cloud division.

      The company wants to certify only the cloud activity, but I want to check whether we should include the HR and Commercial departments in the scope, to respond to the A.7 requirements and the security of customers' personnel information & customers' contracts.

      Answer: Please note that an ISMS scope is defined in terms of the locations, information, or processes to be protected, so taking into account your intention to certify the cloud activity, and that it is located at a separate site, the best options for defining your scope would be by location (Cloud division site) or by processes (processes related to cloud service provision).

      Considering that, you do not need to include the HR and Commercial departments in the ISMS scope. In the situation you describe, these departments are dependencies of your ISMS scope, and as dependencies they only need to be identified during the risk assessment and risk treatment process, so that proper controls are selected to protect the information within the ISMS scope that they have access to.

      For further information, see:
      - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

      2 - The Business Continuity

      Should we also prepare all the documents related to the A.17 requirements even if the company doesn't plan to include the BCMS and business continuity certification in this scope?

      Thanks in advance for your support.

      Best regards

      Answer: In case there are no relevant risks or legal requirements justifying the implementation of the controls of section A.17, you do not need to implement the related documents.

      You only need to implement documents related to section A.17 in case you have relevant risks or legal requirements demanding the implementation of these documents. In our experience, we have not seen any company that has excluded these controls.

      For further information, see:
      - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
