Search results

BIA or RA

Actually, there is no definitive order to perform Risk Assessment (RA) and Business Impact Analysis (BIA), and the choice for one or another will depend on your expectations:

• By doing BIA first you will have a prioritized list of processes and services that can impact the most of your business in case of disruptive incidents, then you can go to assess the most relevant risks for the most critical processes and services.
• By doing risk assessment first you will have a prioritized list of risks your organization is most exposed to, i.e., the most potential disruptive incidents, then you can go to assess the impact on business regarding the processes and services affected by those risks.

Particularly, we prefer to do a risk assessment first, because this way you will have a better impression of which incidents can happen (which risks you’re exposed to), and therefore be better prepared for doing the business impact analysis (which focuses on consequences of those incidents).

For rating critical services considering the results of a risk assessment, you can consider the value of the risks, or the number of risks, associated with a specific service. For example, you can have a service with two high risks associated with it and other with ten medium risks associated with it. Considering your context, in terms of risks maybe the second service is more critical.

These articles will provide you a further explanation about risk assessment and BIA:

• Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/
• How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

These materials will also help you regarding risk assessment and BIA:

• Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
• Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

ISO 9001 Strategic risk assessment

In this free webinar on-demand - How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/ - I show some examples of determining risks and then acting on them. ISO 9001:2015 mentions risk about:

• Context interacting with interested parties (clause 6.1)
• Products and services (clause 5.1.2 b))
• Processes (clause 4.4.1) 

Your organization is a set of interrelated processes. Each process is a set of activities that transform inputs into desired outputs.

ISO 9000:2015 defines risk as to the effect of uncertainty. Because there is uncertainty, sometimes we don’t have the expected:

• Inputs
• Activities
• Outputs 

What is a non-conformity? We don’t design processes to deliver non-conformities. So, when a non-conformity happens, we have the manifestation of risk. Non-conformities are potential risks that have materialized. Same for complaints.

Seen in this way, the risk-based approach is a very effective methodology for developing a plan to control a process and its results. The control will materialize, for example, in operations of control, verification, improvements in the process, in work instructions, in improvements in monitoring, in increasing the competence of the participants.

You can find more information below about risks.

• How to address risks and opportunities in ISO 9001: https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
• How to identify risk significance in ISO 9001:2015 - https://advisera.com/9001academy/blog/2019/01/14/how-to-identify-risk-significance-in-iso-90012015/
• For a free preview of an example of the Registry of Key Risks and Opportunities - https://advisera.com/9001academy/documentation/registry-of-key-risks-and-opportunities/
• Enroll for the free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ (I use a lot of examples based on the risk-based approach)
   

Declaration of Conformity according to MDR

thank you so much.

Questions about the implementation

1. When the ISO needs to be finished / audited? (e.g. when company is founded, when first device is sold or…? – E.g. Section 7: Product Realization is with planning etc. is running right now while the company is not yet founded.

ISO 13485 must be implemented and certified before manufacturing starts and before you put a medical device on the market. You have to prepare your quality management system like you can start the production right now. Of course, you can have some pilots production conducted, due to perform validations of certain processes, like cleaning and sterilization.

2. Is English as language enough or is the country language additionally necessary?

Given that notifying bodies reviewing the quality system according to ISO 13485 are internationally recognized, that they have offices in different countries, English is sufficient.

3. Is the IVD guideline 98/79/EG (IVDD) and/or German “In-vitro-Diagnostika-Verordnung (IVDR)“ additionally necessary and incorporated in your toolkit? If not, can you recommend a toolkit for this? Background: In simple terms, the product is a special microscope with which a view of a tissue sample can be created and viewed. The interpretation of this image is done by a pathologist (unlike, for example, a blood pressure monitor, where the device interprets something). Staining of the tissue sample is done outside the device using standard procedures/products from appropriate manufacturers (e.g. H&E staining).

Our ISO 13485:2016 documentation toolkit is prepared for all small manufacturers of medical devices. Since In vitro diagnostic products are also medical devices, our ISO 13485:2016 toolkit is applicable for in vitro diagnostic product manufacturers.

ISO 13485 implementation

With the usage of the Advisera toolkit, you can definitely save a lot of money. Templates are arranged so that they meet all the requirements of ISO 13485 in a logical sequence. Your task is to write down in the documentation the name of a particular job in your company is and possibly to add some specifics. 

On average, we can say that for the company with 10 employees it will take 3-4 months, for the company with up to 50 employees, some 8-12 months.

As for the preparation of technical documentation for a Class IIa medical device, it all depends on whether your product is completely finished (or is still in the development phase), and whether you have done all the necessary tests.

I would like to point out here that if you take the documentation toolkit from Advisera, you are not just getting templates. YOu are also receiving e-mail support, review of the documents, and live on-on-on online consultations.;

For more information please see the following:

• Six key benefits of ISO 13485 implementation https://advisera.com/13485academy/knowledgebase/six-key-benefits-of-iso-13485-implementation/
• Checklist of ISO 13485 implementation and certification steps https://advisera.com/13485academy/knowledgebase/checklist-of-iso-13485-implementation-and-certification-steps/
• How can ISO 13485 help with MDR compliance? https://advisera.com/13485academy/blog/2020/03/09/how-can-iso-13485-help-with-mdr-compliance/
• What are the EU MDR technical documentation structure and requirements? https://advisera.com/13485academy/blog/2021/04/06/what-are-the-eu-mdr-technical-documentation-structure-and-requirements/

• Inventory of assets & risk methodology

  1. How detailed and far does the inventory of assets need to be? (do we need to list each laptop and cell phone for example)

  ISO 27001 does not prescribe any level of detail for the inventory of assets, so you can adopt the levels you understand that will better fulfill your needs.

  This is generally a balance between the administrative effort and the need for information to ensure proper security. For example, you do not need to record organizations laptops as individual assets (you can add a single asset called "laptop"), but if they have specific purposes with different risk levels you can use specific assets like "laptop", "development laptop", and "finance laptop". The same concept applies to cellphones of your organization and other assets. 

  For further information, see this article:

  • How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

  These materials will also help you regarding:

  • ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  2. When a risk assessment is performed does the risk owner have to do a risk assessment on all the assets every year or the assets that are deemed to be threats or vulnerable.

  The update of risk assessment needs to be performed over all assets included in the ISMS scope, at planned intervals (e.g., quarterly, semiannually, annually, etc.) or when significant changes occur (e.g., deployment of new technology, new business, etc.). This is so because changes in the context of the organization may result in assets previously not relevant to become relevant and vice versa, which can affect treated risks and the risk treatment plan.

  For further information, see:

  • ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

  These materials can also help you:

  • The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

  3. Why is the inventory of assets not listed under the reference document as well as 3.1.2 in the Risk assessment and risk treatment Methodology document?

  Please note that for performing risk assessment and risk treatment you do not need an inventory of assets. The only information you need is assets' names and assets' owners, which can be maintained in the Risk Assessment and Risk Treatment tables, making an inventory of assets unnecessary.

  Additionally, the inventory of assets for ISO 27001 is a control (A.8.1.1), and before performing risk assessment and risk treatment it does not make sense to apply a control (at this point there is no identified need for it).

  This article will provide you a further explanation of controls selection:

  • The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

• CISO and document management

  1. Is it okay if a Chief Information Security Officer (CISO) also releases documents (instead of the CEO)?

  Answer: I’m assuming that by “releases” you mean “approves”.

  Considering that, besides the Information Security Policy, which needs to be approved by top management (usually the CEO when the scope is all organization, or the top role in the ISMS scope when the scope does not cover all organization), ISO 27001 does not prescribe who needs to approve documents, so other documents can be approved by the CISO.

  If by release you mean making documents available and communicating them to relevant personnel, these activities are usually performed by roles like the CISO, or the quality manager (top management usually only approves documents).

  For further information, see:
  - Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
  - What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/

  This material will also help you regarding document management:
  - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/

  
  2. Can we omit the chapter "Managing records kept on the basis of this document" for the document "00_Procedure_for_Document_and_Record_Control"?

  Thank you in advance!

  Answer: In theory, you can, but since it is highly unlikely an organization does not require any document of external origin for the purposes of its ISMS, you would need to register how to handle incoming mail (which is the record suggested for this section in this procedure) in some other place, what would only increase your effort to maintain documentation.

  Examples of external documents to be controlled are Laws (e.g., SOX and EU GDPR), standards and regulations (e.g., the ISO 27001 itself), and documents and records from customers, suppliers, and partners (e.g., contracts, service agreements, product/service specification, operation manuals, etc.)

  For further information, see:
  - Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

• PECR and GDPR

  The Privacy and Electronic Communication Regulations (PECR) is the UK implementation of the e-Privacy Directive and covers the use of cookies and similar technologies for storing information, and accessing information stored, on a user's equipment such as a computer or mobile device.

  If you are located in the UK and you apply for the PECR you probably will need to refer to the UK GDPR too. For the regulations (EU GDPR, UK GDPR, and PECR), the legal ground for marketing purposes is always consenting under the GDPR. The legitimate interest may cover the so-called soft-spam which is information provided on products purchased without a call-to-action or general introduction of the company and services/products offered without a call-to-action in B2B context.

  Here you can find more information on how to perform marketing activities under the GDPR:

  • How does GDPR impact marketing activities? https://advisera.com/eugdpracademy/blog/2018/02/08/how-does-gdpr-impact-marketing-activities/
  • Email marketing in the era of GDPR – How to ensure compliance? https://advisera.com/eugdpracademy/blog/2019/05/27/gdpr-and-email-marketing-rules-for-compliant-campaigns/
  If you need to understand how to comply with GDPR you may consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

• Xl sheet

  All Type A and Type B standard uncertainties must be combined to calculate combined standard uncertainty and then an expanded uncertainty. The specific mathematical, statistical aspects are not part of the scope of the ISO 17025 Academy toolkit. I suggest you look to sector guidelines and the references in the ISO 17025 Toolkit. The Evaluation of Measurement Uncertainty Procedure and associated checklists at https://advisera.com/17025academy/iso-17025-documentation-toolkit/  guides you on what is required to meet ISO 17025 requirements.

• Stage 1 and stage 2 in internal audit

  Specific questions will depend on each audited control, but generally speaking, the questions are related to:
  - how actions are performed. E.g., how do you perform backup procedures?
  - information knowledge. E.g., what can you tell me about the information security policy?

  Additionally, verifications can be made by observing behavior, like asking someone to do something to keep him/her away from his/her workstation and see if the person locks his/her computer when he/she leaves, or by asking for evidence demonstration, like requiring to see the reported incidents from last week.

  The important thing is that audit questions are open questions, i.e., they cannot be answered simply by a Yes or No, the answer needs to be developed by the auditee.

  In the ISO 27001 Internal Auditor Online Course you bought you can find more details in Module 10 - The main audit “Interviewing techniques” 

  These articles will provide you a further explanation about auditor questions:

  - Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
  - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/