ISO 13485:2016 is applicable to distributors as well, according to section 1 of the standard. So it is expected that distributors will have implemented ISO 13485:2016. Their quality management system will cover their distribution scope: how they receive medical devices, which documents they must check when receiving them from the manufacturer, how to store them, and how to deliver them to the customer/client. Distributors must have in place a customer complaint process, have a proper place where returned products will be kept, and must have in place a process for communicating with the competent authority when needed.
Distributors must have in place QA agreements with manufacturers where mutual responsibilities will be stated.
For more information on the distributor's obligations, please see:
ISO 27001 is pretty flexible when it comes to documenting your security objectives - you can write them in your Information Security Policy, in the Statement of Applicability, or in some separate document.
When using our ISO 27001 Documentation Toolkit, you can document the general ISMS objectives in the Information Security Policy, and specific objectives for controls (or groups of controls) in the Statement of Applicability.
Including the information security objectives within the risk treatment plan, or in the asset list would not be efficient, because a single information security objective can be linked to many actions in the plan or assets in the assets list, which would make them very difficult to understand and maintain.
This article will also help you:
In this free online training you'll find detailed guidance on setting the objectives:
First, it is important to note that unless you have specific requirements demanding the implementation of ISO 27017 and ISO 27018 (e.g., laws, regulations, or contracts), ISO 27001 is fully capable of providing the required information security for cloud environments.
Considering that, to implement an ISMS compliant with ISO 27001, ISO 27017, and ISO 27018, the best approach would be to use the ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit, and not use Conformio. Currently, Conformio does not cover ISO 27017 and ISO 27018 requirements.
In case you decide to use the toolkit you’d need to buy it, and since you are our existing customer, we can offer you a discount.
These articles will provide you with further explanation about ISO 27017 and ISO 27018:
- ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
- ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
Hello, I want to make an inquiry. If the Risk Treatment Plan is considered an "Action Plan", can the information security objectives be included in the plan?
ISO 27001 is pretty flexible when it comes to documenting your security objectives - you can write them in your Information Security Policy, in the Statement of Applicability, or in some separate document.
When using our ISO 27001 Documentation Toolkit, you can document the general ISMS objectives in the Information Security Policy, and specific objectives for controls (or groups of controls) in the Statement of Applicability.
Including the information security objectives within the risk treatment plan, which can be considered an “Action plan”, or in the asset list would not be efficient, because a single information security objective can be linked to many actions in the plan or assets in the asset list, which would make them very difficult to understand and maintain.
This article will also help you:
In this free online training, you'll find detailed guidance on setting the objectives:
We estimate that companies with up to 10 employees need up to 3 months to implement a quality management system according to ISO 13485:2016.
From your question and the article you forwarded to me (https://advisera.com/27001academy/pt-br/blog/2015/05/20/certificacao-iso-27001-o-que-fazer-apos-receber-o-relatorio-de-auditoria/), I assume you are referring to a certification audit report.
Considering this, in summary, the actions arising from the audit report are:
The certification audit report will be used as a reference for consultation for any doubts regarding the actions to be taken.
Article 94 GDPR states that “References to the repealed Directive shall be construed as references to this Regulation. References to the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC shall be construed as references to the European Data Protection Board established by this Regulation.” There is continuity between Directive 95/46/EC and the GDPR. The adoption of BCR is a long process involving different stages of examination and approval from Data Protection Authorities and the Working Party (under Directive 95/46/EC), which became the European Data Protection Board (under the GDPR). So, BCRs already adopted are still valid. However, you need to check in the BCR which is the Leading Authority, because in July 2020 the European Data Protection Board stated that BCRs having the UK Data Protection Authority (ICO, or Information Commissioner’s Office) as the Leading Authority need to be amended because of Brexit.
Here you can find the statement: https://edpb.europa.eu/news/news/2020/european-data-protection-board-thirty-fifth-plenary-session-information-note-binding_en
If you need to know more about how to transfer data to third countries under the EU GDPR, here you can find more information:
As long as you are able to meet, sustain and maintain the requirements of ISO 17025, accreditation can be achieved. But as you have mentioned having no equipment of your own and using rented equipment, it would be very challenging to ensure the related requirements of ISO 17025, as rightly mentioned by Tracy Evans. It will help greatly if the other party which is renting out the equipment has accreditation, so that most of the requirements get covered at their end and the other related ones at your end.
I am afraid that only a broad answer can be given to your question.
ISO 27001 requires that people are competent to perform activities related to the Information Security Management System (ISMS), and for internal audit this would mean knowledge of or experience with ISO 27001 and the audit process.
Considering that, for an internal audit, being an ISO 27001 internal auditor would be sufficient.
These materials will provide you with further explanation about internal auditor qualification:
First, it is important to note that unless you have specific requirements demanding the use of ISO 27017 and ISO 27018 (e.g., laws, regulations, or contracts), the controls available in ISO 27001 are sufficient to cover cloud security.
Considering that, please note that the application of ISO 27017 and ISO 27018 controls follows the same principles as for ISO 27001: controls are selected according to the results of the risk assessment, applicable legal requirements, or as a top management decision.
As a result, to be compliant with ISO 27001 when using ISO 27017 and ISO 27018:
This article will provide you with further explanation about controls selection:
These materials will also help you regarding controls selection: