Search results

Performing Risk management according to ISO 27005

ISO 27005 is a supporting standard to ISO 27001, detailing how to implement risk management for information security (basically covering ISO 27001 clauses 6.1.2 and 6.1.3).

Considering that, general steps for risk assessment and treatment are:

• Definition of a risk assessment and treatment methodology
• Performing of risk assessment (risk identification and risk analysis)
• Performing of risk treatment (risk evaluation and controls selection)
• Elaboration of a risk treatment report
• Elaboration of Statement of Applicability (SoA)
• Elaboration of Risk Treatment Plan and acceptance of residual risks

This article will provide you a further explanation about implementing risk management:

•  ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

These materials will provide you a further explanation about implementing risk management:

• The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
• Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

If you want to see how a risk management process compliant with ISO 27005 looks like, I suggest you take a look at the free demo of our ISO 27001/ISO 22301 Risk Assessment Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

ISO 9001 non-conformities

Non-conformities can be about:

• The product or service
• Process performance
• System conformance
   

Non-conformities derived about the product or service are detected during quality control activities or following a complaint.

Non-conformities derived about process performance are detected during analysis and evaluation of process performance data.

Non-conformities derived about system conformance are detected during internal audits or during management review.

The following material will provide you information about nonconformities:

• ISO 9001 – Understanding dispositions for ISO 9001 nonconforming product - https://advisera.com/9001academy/blog/2014/11/18/understanding-dispositions-iso-9001-nonconforming-product/
• ISO 9001 - ISO 9001 – Difference between correction and corrective action - https://advisera.com/9001academy/blog/2016/02/09/iso-9001-difference-between-correction-and-corrective-action/ ion/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

ISO 9001 non-conformities

I’m afraid your question is a symptom of a common mistake in quality management systems while treating product or service non-conformities.

When treating product or service non-conformities you must, it is mandatory, to eliminate the non-conformity (correction) and treat its consequences. And the timer is ticking, you should do that as fast as possible to prevent unintended use:

Once eliminated the non-conformity you should evaluate your current practices. That is why I recommend using the SDCA cycle from Shoji Shiba.

You have a standard (S) way of doing things, written or unwritten, it is the way your organization works. You do the work (D) according to the standard and you check (C) the results. And you detect non-conformities. And you treat the non-conformities. After treating the non-conformities, the urgency stops, and you think about your standard way of doing things:

You ask should we improve, or should we keep the current standard? If your organization decides that can live with the current performance there is no need for corrective action, you continue in the SDCA cycle. If, when you ask if the improvement is needed, you realize that it is a systematic failure, there is a trend or a serious situation, you are concluding that the situation calls for improvement. That means, you can no longer trust your current standard, you must jump into the PDCA cycle to develop corrective action, an action to eliminate the cause(s) of the non-conformity.

If your organization considers that the situation is “beyond our control” you are concluding that no corrective action is needed. However, I would prefer writing “No corrective action needed” instead of “beyond our control”. I worked as a quality manager in a manufacturing plant more than 25 years ago and we had problems with power failure, we picked the priority machines and established an emergency supply operation with diesel generators.

Please search for the "Deming funnel tampering" about the problem of tampering with a system, when one tries to improve a system after each non-conformity. 

You can find more information below:

• Free webinar on-demand - Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
• How to use root cause analysis to support corrective actions in your QMS - https://advisera.com/9001academy/blog/2016/03/01/how-to-use-root-cause-analysis-to-support-corrective-actions-in-your-qms/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Question for ISMS ISO 27001

First is important to note that risk does not need to have a dedicated risk owner. A risk owner can be responsible for multiple risks. I’m assuming you wanted to say that risk needs to have a single owner.

Regarding your question, ISO 27001 does not prescribe that risk owners need to be part of the ISMS scope, so this person can be someone from outside the scope, but you need to ensure that this person has approved management responsibility, accountability, and authority for managing the risk.

This article will provide you a further explanation about risk owners:

• Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/

This material will also help you regarding risk management:

• Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

ISO 27001 questions

First of all, sorry about this misunderstanding.

Based on the auditor's findings, the certification body can remove or cancel your certificate.

In the situation the auditor identifies nonconformities, the organization will have a defined time to solve them. In case nonconformities are not solved in a defined time the certification will be suspended, and after an additional time has passed without a solution, then the certification will be canceled.

ISO 9001 3 metods

Using a formal communication plan stating what to communicate to whom, by who, with what frequency, and how.

Starting the day with a morning meeting on the shop floor where every person can ask questions.

Create a set of Slack teams to communicate and give feedback.

You can find more information below:

• Communication requirements according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2016/11/01/communication-requirements-according-to-iso-9001-2015/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Design and development process

Yes, clause 7.3 is applicable for you. It means that you must have documented procedure for the Design and development, and a form where you will fulfill changes that you have made, how you validate those changes and you transfer it to the production.

For more information please see the following links:

• How to manage design and development of medical devices according to ISO 13485:2016 https://advisera.com/13485academy/blog/2017/08/24/how-to-manage-design-and-development-of-medical-devices-according-to-iso-134852016/
• Design and development validation and verification according to ISO 13485 https://advisera.com/13485academy/blog/2019/02/14/design-and-development-validation-and-verification-according-to-iso-13485/

On the following link you can see the preview of documents regarding the design and development from our ISO 13485:2016 Documentation toolkit:

• Procedure for design and development https://advisera.com/13485academy/documentation/procedure-for-design-and-development-iso-13485-2016/
• Design and development file https://advisera.com/13485academy/documentation/design-and-development-file-iso-13485-2016/
• Design and development transfer record https://advisera.com/13485academy/documentation/design-and-development-transfer-record-iso-13485-2016/
• Change review record https://advisera.com/13485academy/documentation/change-review-record-iso-13485-2016/

• Resolution timeline for closing NC's and MDR/UDI and EUDAMED

  1. Hello, Could you advise on defining the resolution timeline for closing Critical, Major and Minor NC ? The product is '' image viewer software ''?

  Defining both the criteria for determining critical, major, or minor non-conformity and the resolution time for closing non-conformities is your responsibility, according to your risk analysis. For example, if critical non-conformity means the worst one, then resolution time can be 15 days, for major 30 days, and for minor non-conformity 60 days. It is just a suggestion

  More information regarding this topic, you can find on the following links:

  • What are the consequences of non-compliance with ISO 13485 for manufacturers of medical devices? https://advisera.com/13485academy/blog/2017/11/02/what-are-the-consequences-of-noncompliance-with-iso-13485-for-manufacturers-of-medical-devices/
  • How to write a good ISO 9001 audit nonconformity? https://advisera.com/9001academy/blog/2018/04/24/how-to-write-a-good-iso-9001-audit-nonconformity/

  2. Could you advise if the company preparing for MDR transition from MDD needs to register for UDI/ EUDAMED if they will not be placing the product on the EU market?

  Registration in the EUDAMED database is mandatory for manufacturers, authorized representatives, and importers. Manufacturers mean the business entity who certified their medical device (CE marking) and puts it under their name.  So, if you're not placing the product on the EU market, then you do not need to be registered in the EUDAMED and do not need to issue a UDI number.

• ISO 13485:2016 , regulatory requirements

  According to Article 8 of the MDR, all medical device manufacturers need to be in compliance with standards published in the Official Journal of the European Union. On this list, there are more than 300 different standards for all kinds of medical devices. Each manufacturer must define to which standards it must comply.

  For more information, see: 

  • EU MDR Article 8 –Use of harmonized standards https://advisera.com/13485academy/mdr/use-of-harmonised-standards/

  According to Article 15 of the MDR, manufacturers need to nominate at least one person that will be responsible for the regulatory compliance. Furthermore, in Article 10, point 9, it is necessary that as part of the quality management system, there is a document where the strategy for regulatory compliance will be described. This document will describe how often the review process for all standards/ legislation will be conducted (for example will it be every month, every 3 months, or longer period). And also, if there will be a new revision of the standard/legislation what must be done (GAP analysis, new tests, new reports, is there a necessity for education or some other resources).

  For more information, see:

  • EU MDR Article 10 – General obligations of manufacturers https://advisera.com/13485academy/mdr/general-obligations-of-manufacturers/
  • EU MDR Article 15 – Person responsible for regulatory complaince https://advisera.com/13485academy/mdr/person-responsible-for-regulatory-compliance/

  • Risk assessment

    Please note that for ISO 27001 risk assessment confidentiality and integrity, alongside availability, are related to risks (6.1.2 c 1), and to consequences (6.1.2 d 1), not to assets. So, sensitivity is not related to risk assessment.

    Considering that, when using an asset-based approach for risk assessment, you need to consider the loss of confidentiality, integrity, and availability to identify risks and impacts, not sensitivity.

    Sensitivity is a concept related only to control A.8.2.1 – Information Classification (alongside legal requirements, value, and criticality).

    Only when results of risk assessment, or applicable legal requirements, define control A.8.2.1 as applicable is that you need to classify information regarding sensitivity, due to unauthorized disclosure (i.e., loss of confidentiality) or modification (i.e., loss of integrity).

    In other words, the impact in risk assessment affects sensitivity rating, not the other way around (the greater the impacts due to loss of confidentiality or integrity, the greater should be the sensitivity rating, to ensure proper controls are implemented to protect the information).

    For further information, see:

    • ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    • ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
    • How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
    • Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/