
  • ISO 14001 Clause 4.2

    Each organization decides who their interested parties are. According to my experience, interested parties include more than just suppliers. For example, customers, neighbors, local authorities, and government. For these groups, it makes more sense to think about their needs and expectations. For example, neighbors want peace and quiet, local authorities want jobs and compliance with compliance obligations, and customers want things like a competitive price, delivery times met, a product with the agreed quality, and guarantee of supply (quality control system, respect for the environment, environmental certification).

    You can also include suppliers, in that case perhaps their needs and expectations are around things like orders, quantity minimums, timely payment, new products/services.

    Although it is about ISO 9001, perhaps the technique that I use and present in this free webinar on-demand - Context of the organization, interested parties, and scope - may be useful for you.

    The following material will provide you more information:

  • Secure System Engineering Principles

    For ISO 27001, secure engineering principles are the high-level rules defined to apply security in software development (e.g., Assure information protection in processing, transit, and storage). This standard defines the control A.14.2.5 Secure system engineering principles to be implemented if you have relevant risks or legal requirements to justify its implementation.

    Regarding the required documentation level, ISO 27001 does not prescribe any documentation level, so organizations are free to use the document level that best suits their needs. For example, you can define security principles as statements in a policy (e.g., security must be considered in business, data, application, and technological layers, security must balance protection and accessibility needs, etc. ), or you can provide them as detailed engineering procedures on how they must be implemented.

    To see an example of a document that covers this control in a policy, I suggest you take a look at the free demo of this template: https://advisera.com/27001academy/documentation/secure-development-policy/

    These articles will provide you a further explanation about secure engineering principles:

  • ISMS Risk Survey

    The most common way to perform an ISO 27001 risk assessment is through the asset-threat-vulnerability approach, which can also be applied to other business processes, because it is based on assets (elements with value to the organization), and this concept can be applied to other processes in the organization. For example, you can use an asset called "management report" to identify risks for your ISMS and for other processes that use such an asset (e.g., financial management report).

    To see a list of threats and vulnerabilities you can use not only for ISMS risk assessment, but also for other business processes, see:
    - Catalogue of threats & vulnerabilities https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/

    To see how to perform a risk assessment compliant with ISO 27001, see:
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    The template for Risk assessment has examples of assets, threats and vulnerabilities you can use.

    To see what documents for performing a risk assessment compliant with ISO 27001 look like, please see: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

    This material will also help you regarding ISO 27001 risk assessment:
    - https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process.

  • Critical non-conformities

    Nonconformance is not necessarily a bad thing because each non-conformance is an opportunity for improvement. ISO 13485, in sections 8.3 Control of non-conforming products and 8.5.2 Corrective action, includes clear and in-depth guidance on how to respond to any nonconformity discovered through your processes, connected with customer complaints, or found in conducted audits (both external and internal).

    The potential impact of a non-conformity on your organization depends on the size and type of the nonconformance. When critical issues are discovered in the production process, this may lead to the production of an unsafe medical device. Unsafe medical devices present risks not only for the patient/end-user, but also for your company, because your company's rating can be compromised.

    If Top management needs to be involved in solving critical non-conformities by ensuring certain resources (financial, infrastructure, or human), they must be aware of the consequences that not solving the non-conformities may have.

    So, prepare a full explanation of what the consequences are if you do not resolve the nonconformity and provide that evidence to Top management. If Top management has no ear for this, you can always contact the Board of Directors, the owner, or some other entity that is above your boss.

  • MDR classification

    Rule 9 considers active therapeutic devices intended to administer or exchange energy, while lung ventilators are monitoring devices. According to the MDR, active monitoring devices of vital physiological processes are covered in Rule 10.

  • Is a DPO required?

    It depends on the type of data you process. If your software processes the special categories of data (the so-called sensitive data, such as data on health, sexual orientation, political opinions, etc.), you may need a DPO; otherwise you do not fall under the cases listed in Art. 37 GDPR.

    Here you can read more about the role of the DPO:

    If you want to learn more about applying the GDPR, you can enroll in our free online course EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course//

    To learn about the requirements for the DPO, you can enroll in our free online course EU GDPR Data Protection Officer Course https://advisera.com/training/eu-gdpr-data-protection-officer-course/

  • Information security policy

    ISO 27001 mentions the following policies: 

    - Information Security Policy
    - Mobile device policy
    - Access control policy
    - Policy on the use of cryptographic controls
    - Clear desk and clear screen policy
    - Secure development policy
    - Information security policy for supplier relationships

    According to ISO 27001, only the Information Security Policy must be approved by the top management (clause 5.2) - all the other mentioned policies are operational policies that are almost never approved by the top management.

    You might try to change the names of operational policies to "procedures", however then you risk having problems at the certification audit. The name of the Information Security Policy should not be changed to procedure because the auditor would certainly raise a nonconformity for that.

  • Corrective Action Form

    The reference to be used in the column “Reference to the Corrective Action Form” is the number of the Corrective Action form. There is no need to list “actions points” because this information will be recorded in the Corrective Action form.

    This article will provide you a further explanation about records management:

    These materials will also help you with records management:

  • ISO 9001 Questions

    1/Example of determining the requirements for products and services, meaning what features the product or service will have in the organization;

    Answer:

    I do not know if I understand the question correctly. Product or service requirements are included in its specifications. They are a design output (see ISO 9001:2015 clause 8.3.5 d))

    2/Example of scope of QMS and its evidences in any organization;

    Answer:

    I invite you to check this free webinar on-demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - where I develop the topic.

    For example, a hotel may have several services and several kinds of clients:

    https://www.screencast.com/users/ccruz5284/folders/Default/media/e73ac81c-3589-46f4-b28c-b4b3f7ad2e40

    While implementing a quality management system, top management decided that its scope would be only the hospitality service for groups. The scope statement should be written in a document. Normally, organizations keep a system’s manual, not mandatory, and include the scope statement there.

    3/ Example of process design/service in any organization

    Answer:

    In this picture

    https://www.screencast.com/users/ccruz5284/folders/Default/media/bf805e07-98ae-450e-a1ef-b13dfe7f039b

    you find a generic example of a design process.

    4/ Example of establishment and documenting the criteria for supplier’s selection in any organization;
    5/Example of establishment and documenting the criteria Production and service provision in any organization 

    Answer:

    Unfortunately, I cannot present here those examples because we sell that kind of template in our ISO 9001:2015 Documentation Toolkit. Please check the free previews available.

    About supplier’s selection criteria – think about what an organization needs from its suppliers: no defects, no delivery delays, price level, innovation, service.

    About establishing the criteria for product and service provision – please check this free webinar on-demand - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/  - and see how the risk-based approach can be used to develop a process control plan.


  • New requirements for technical files

    You have a template for technical documentation in the folder Technical file. The name of the document is the Technical file template.
