Please note that included in your toolkit you have access to video tutorials that can guide you through the risk assessment and treatment processes, including the filling of the SoA. These video tutorials include examples with real data.
Since you did not say you already saw the video tutorials, I suggest you start with these and contact us if some doubts remain.
In addition to these video tutorials, I suggest these materials (the articles are in the suggested reading sequence):
First, it is important to note that although process mapping can help the implementation process, it is not a mandatory requirement for ISO 27001.
Considering that, the general steps for ISO 27001 implementation are:
1) getting management buy-in for the project;
2) defining the ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational and interested parties' requirements;
3) development of risk assessment and treatment methodology;
4) perform a risk assessment and define a risk treatment plan (at this point you can make use of process frameworks like ISO 38500 and ISO 20000 as a reference to help identify risks, but please note that this approach is not mandatory by the standard);
5) controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
6) people training and awareness;
7) controls operation;
8) performance monitoring and measurement;
9) perform internal audit;
10) perform management critical review; and
11) address nonconformities, corrective actions, and opportunities for improvement.
This article will provide you a further explanation about ISMS implementation:
Regarding implementation approaches, the most common are:
Each one of them has its advantages and disadvantages. For more information, I suggest you the following materials:
These materials will also help you regarding ISO 27001 implementation:
Unfortunately, we are unaware of such type of statistics (most probably because attacked organizations often keep details about incidents out of the media).
What we can infer is that ISO 27001 and ISO 27701 certified organizations are recognized as more secure and resilient to attacks, because insurance companies consider their implementation as good practices and in some cases, it is a criterion to reduce the premium to be paid by companies with one or both certifications.
These links can provide more information:
For more about ISO 27001 benefits, please see:
No, MDR does not have any impact on the repair, as long as you have control over the process.
Yes, you are right that for reusable class I medical devices the deadline for putting the UDI on is 26th May 2027. The UDI carrier shall be placed on the label of the device and on all higher levels of packaging and, in the case of reusable devices, on the device itself (direct marking). The UDI carrier for reusable devices that require disinfection, sterilization, or refurbishing between patient uses shall be permanent and readable after each process performed to make the device ready for subsequent use throughout the intended lifetime of the device.
As part of the UDI you can put the date of production (in the UDI-PI part); thus, all elements of traceability can be satisfied.
If the information to re-identify the person is completely removed from all systems and the person is no longer identifiable, the data become anonymous; but if the information to re-identify the person is kept in another system (or if the person is identifiable from other information processed), the data will be pseudonymized.
Let me give you an example of an identifiable person. Let's imagine that you remove contact details (name, surname, mail, telephone, etc.) because you need to make some statistics on the kind of occupation of your clients.
The person will be identifiable even if you assign an ID reference and keep only age, job, and location, if from the combination of parameters you can identify the person. Let's say it is a small town, where there are only 10 plumbers and only 2 of that age. In such a case, the person is considered identifiable, but if data are aggregated so that you cannot go to the single ID, then it will be anonymous.
So, if the information in system B cannot make you identify the person, it will be anonymous.
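An added example, not part of the original answer: a small Python check of the situation described above (direct identifiers removed, an ID reference kept, only age, job and location retained). It flags records whose attribute combination is shared by fewer than k people, which is the "only 2 plumbers of that age" case, and shows an aggregated release that keeps no ID. The sample data, field names, threshold k and small-group suppression are constructed assumptions.

```python
# Added example (not from the original answer): checks whether a pseudonymized
# client table, stripped of direct identifiers, is still re-identifiable through
# the combination of the remaining quasi-identifiers (age, job, location).
from collections import Counter

# Constructed sample data: contact details already replaced by an ID reference.
# The two plumbers aged 45 in "Smalltown" mirror the answer's example.
PSEUDONYMIZED = [
    {"id": "c001", "age": 45, "job": "plumber", "location": "Smalltown"},
    {"id": "c002", "age": 45, "job": "plumber", "location": "Smalltown"},
    {"id": "c003", "age": 31, "job": "plumber", "location": "Smalltown"},
    {"id": "c004", "age": 45, "job": "teacher", "location": "Smalltown"},
    {"id": "c005", "age": 45, "job": "teacher", "location": "Smalltown"},
    {"id": "c006", "age": 45, "job": "teacher", "location": "Smalltown"},
]
QUASI_IDENTIFIERS = ("age", "job", "location")  # assumed attribute set


def quasi_key(record, fields=QUASI_IDENTIFIERS):
    """The combination of attributes an outsider could match against."""
    return tuple(record[f] for f in fields)


def group_sizes(records, fields=QUASI_IDENTIFIERS):
    """Count how many records share each quasi-identifier combination."""
    return Counter(quasi_key(r, fields) for r in records)


def identifiable_ids(records, k=3, fields=QUASI_IDENTIFIERS):
    """IDs whose attribute combination is shared by fewer than k records.

    Such records are still only pseudonymized: someone who knows the town
    has just two plumbers of that age can single the person out, even
    though name and contact details are gone.  k is an assumed threshold.
    """
    sizes = group_sizes(records, fields)
    return sorted(r["id"] for r in records if sizes[quasi_key(r, fields)] < k)


def aggregate(records, fields=QUASI_IDENTIFIERS, k=3):
    """Release only counts per combination, dropping groups smaller than k.

    No ID survives, so nothing can be traced back to a single record; this
    is the 'aggregated so that you cannot go to the single ID' case.
    """
    return {key: n for key, n in group_sizes(records, fields).items() if n >= k}
```

Dropping a quasi-identifier (for example running `identifiable_ids(PSEUDONYMIZED, fields=("job", "location"))`) shows how coarser statistics remove the singling-out problem for the same records.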
The best guidance on which elements for medical devices must be on the labels is in sections 23.1, 23.2, and 23.3 of the General safety and performance requirements (Annex 1 of the Medical device regulation 2017/745). So, create the checklist according to that and then audit the person responsible for preparing the labels according to all applicable requirements from section 23 of the General safety and performance requirements.
For more information, see:
The most challenging part is that you have to be sure that you have designed your medical device according to all applicable requirements stated in Annex 1 – General safety and performance requirements. Following the requirements on that list will give you information on whether your product is well designed, manufactured and packaged, and whether you have proven the safety and effectiveness of your product with appropriate tests.
The next thing concerns the technical documentation. Technical documentation covered in Annex 2 is extensive but durable. Preparing the necessary applicable documentation takes time.
The third thing that is challenging is preparing the documentation for the quality management system. In Article 10, General obligations of the manufacturer, point 9, it is stated which elements must be covered by the quality management system. This quality management system is based on ISO 13485:2016, but there are some more requirements in the MDR that also need to be part of the quality management system.
On the following link, you can see how we prepared the documentation toolkit for ISO 13485 to be in compliance with MDR requirements:
For more information, please see:
On the following link, you can even find the webinar where you can find out the steps of the implementation of the MDR: