I am afraid that you will need a Data Protection Officer and a Data Protection Impact Assessment, because your organization is going to process health data on a large scale, and health data belong to a particular category of data under Article 9 GDPR.
Here you can find more information about the DPO and the DPIA process:
Article 83 (Post-market surveillance system of the manufacturer) states that for each device, manufacturers shall plan, establish, document, implement, maintain and update a post-market surveillance system in a manner that is proportionate to the risk class and appropriate for the type of device. Then, in Article 85 (Post-market surveillance report), manufacturers of class I devices shall prepare a post-market surveillance report summarising the results and conclusions of the analyses of the post-market surveillance data gathered as a result of the post-market surveillance plan.
Therefore, class I medical devices are not exempt from the post-market surveillance system.
You can find more information on the post-market surveillance system at the following link:
No, we do not have integrated ISO 9001 and ISO 13485. It is not necessary to have both standards. ISO 13485 is a quality management standard specially made for medical device manufacturers. Some manufacturers also have ISO 9001, so we left ISO 9001 in References for them.
If you want to get the ISO 9001 toolkit, you may not need to buy the whole toolkit, only the documents in which ISO 9001 differs from ISO 13485.
Here you can find an article regarding similarities and differences between ISO 9001 and ISO 13485:
"Hello, first of all thank you for your reply, and I would like to ask you a few things regarding the role of the "processor". What does the "processor" do in terms of collecting personal data? Who can be considered a "processor" within a company? Can the "processor" role be performed by an external party?"
The processor (responsabile del trattamento) is an external party that processes data on behalf of the controller (titolare del trattamento); it may also collect data (for example, a provider of a lead generation service). It is usually the provider of a service (for example, the cloud that hosts the company's data is an example of a processor, or the payroll office that prepares employees' payslips on behalf of the employer). It is not an internal role within the company.
Perhaps I am getting confused with the legal translation of "Processor" from English into Italian.
Processor should be "Responsabile del trattamento", while the Controller is the "Titolare del Trattamento". Is that right?
Exactly.
This is a really helpful response to the question
We are currently updating our toolkit, and some more information will be covered by June 2021.
For this purpose, you should consider at least these controls:
These materials will help you regarding security controls:
First of all, sorry for this confusion. Documents that cover controls from section A.18 can be found here:
- documents in the toolkit in folder "02 Procedure for identification of requirements" ("Procedure for Identification of Requirements" and "Appendix - List of Legal, Regulatory, Contractual and Other Requirements")
- control A.18.1.2 is included in the document IT Security Policy (you'll find it in the toolkit in folder 08 Annex A security controls - A.8 Asset management) in the section "3.15. Copyright".
It is important to note that not every control needs to be documented, and to avoid unnecessary administrative work the toolkit includes only all the mandatory documents plus the most common ones.
In the root folder of the Demonstration Kit, you'll find a document called “List of Documents” that explains which control/clause is covered by which document, and which documents are mandatory.
Hi, about Q4.1 I think I didn't explain it right. We are assessing for each asset how its status relates to the 114 controls, as some kind of a GAP analysis. So we have 150 assets and 114 controls for each one. A lot of Excel sheets... The "Risk Treatment Table included in your toolkit in folder 05 Risk Assessment and Risk Treatment" that you mention is for the risk assessment and only to include actual threats, I think. Not the status of each asset related to each control, but of course both are connected. My question was about any tool to handle this huge amount of information (150x114); from what I've seen I don't think Conformio has any option to handle this specific information, only risk assessment as in the template in the toolkit. Maybe we are overkilling with this exercise. It looks like, based on your answer, that this list of Assets vs. all 114 controls is not required. Is this correct?
Thank you very much in advance
Your assumption is right. ISO 27001 does not require a list of Assets vs. Annex A controls. As you already perceived, this approach only creates a lot of data that won’t be very useful.
The standard’s approach for the application of controls is based on the identification of applicable legal requirements and mitigation of relevant risks. This way you keep your information at a minimum, i.e., only the basic information about assets (in the inventory of assets document), the assessed risks (in the risk assessment table), and the treated risks (in the risk assessment table).
By the way, included in your toolkit you have access to a video tutorial that can help you fill in the risk assessment and risk treatment table.
This article will provide you with further explanation about risk assessment and risk treatment:
These materials will also help you regarding assets, risk assessment, and risk treatment: