Search results

Home / Search

Category:
Select
Select

11269 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Question for ISMS ISO 27001

    First is important to note that risk does not need to have a dedicated risk owner. A risk owner can be responsible for multiple risks. I’m assuming you wanted to say that risk needs to have a single owner.

    Regarding your question, ISO 27001 does not prescribe that risk owners need to be part of the ISMS scope, so this person can be someone from outside the scope, but you need to ensure that this person has approved management responsibility, accountability, and authority for managing the risk.

    This article will provide you a further explanation about risk owners:

    This material will also help you regarding risk management:

  • ISO 27001 questions

    First of all, sorry about this misunderstanding.

    Based on the auditor's findings, the certification body can remove or cancel your certificate.

    In the situation the auditor identifies nonconformities, the organization will have a defined time to solve them. In case nonconformities are not solved in a defined time the certification will be suspended, and after an additional time has passed without a solution, then the certification will be canceled.

  • ISO 9001 3 metods

    Using a formal communication plan stating what to communicate to whom, by who, with what frequency, and how.

    Starting the day with a morning meeting on the shop floor where every person can ask questions.

    Create a set of Slack teams to communicate and give feedback.

    You can find more information below:

  • Design and development process

    Yes, clause 7.3 is applicable for you. It means that you must have documented procedure for the Design and development, and a form where you will fulfill changes that you have made, how you validate those changes and you transfer it to the production.

    For more information please see the following links:

    On the following link you can see the preview of documents regarding the design and development from our ISO 13485:2016 Documentation toolkit:

    • Procedure for design and development https://advisera.com/13485academy/documentation/procedure-for-design-and-development-iso-13485-2016/
    • Design and development file https://advisera.com/13485academy/documentation/design-and-development-file-iso-13485-2016/
    • Design and development transfer record https://advisera.com/13485academy/documentation/design-and-development-transfer-record-iso-13485-2016/
    • Change review record https://advisera.com/13485academy/documentation/change-review-record-iso-13485-2016/

    • Resolution timeline for closing NC's and MDR/UDI and EUDAMED

      1. Hello, Could you advise on defining the resolution timeline for closing Critical, Major and Minor NC ? The product is '' image viewer software ''?

      Defining both the criteria for determining critical, major, or minor non-conformity and the resolution time for closing non-conformities is your responsibility, according to your risk analysis. For example, if critical non-conformity means the worst one, then resolution time can be 15 days, for major 30 days, and for minor non-conformity 60 days. It is just a suggestion

      More information regarding this topic, you can find on the following links:

      2. Could you advise if the company preparing for MDR transition from MDD needs to register for UDI/ EUDAMED if they will not be placing the product on the EU market?

      Registration in the EUDAMED database is mandatory for manufacturers, authorized representatives, and importers. Manufacturers mean the business entity who certified their medical device (CE marking) and puts it under their name.  So, if you're not placing the product on the EU market, then you do not need to be registered in the EUDAMED and do not need to issue a UDI number.

    • ISO 13485:2016 , regulatory requirements

      According to Article 8 of the MDR, all medical device manufacturers need to be in compliance with standards published in the Official Journal of the European Union. On this list, there are more than 300 different standards for all kinds of medical devices. Each manufacturer must define to which standards it must comply.

      For more information, see: 

      According to Article 15 of the MDR, manufacturers need to nominate at least one person that will be responsible for the regulatory compliance. Furthermore, in Article 10, point 9, it is necessary that as part of the quality management system, there is a document where the strategy for regulatory compliance will be described. This document will describe how often the review process for all standards/ legislation will be conducted (for example will it be every month, every 3 months, or longer period). And also, if there will be a new revision of the standard/legislation what must be done (GAP analysis, new tests, new reports, is there a necessity for education or some other resources).

      For more information, see:

      • EU MDR Article 10 – General obligations of manufacturers https://advisera.com/13485academy/mdr/general-obligations-of-manufacturers/
      • EU MDR Article 15 – Person responsible for regulatory complaince https://advisera.com/13485academy/mdr/person-responsible-for-regulatory-compliance/

      • Risk assessment

        Please note that for ISO 27001 risk assessment confidentiality and integrity, alongside availability, are related to risks (6.1.2 c 1), and to consequences (6.1.2 d 1), not to assets. So, sensitivity is not related to risk assessment.

        Considering that, when using an asset-based approach for risk assessment, you need to consider the loss of confidentiality, integrity, and availability to identify risks and impacts, not sensitivity.

        Sensitivity is a concept related only to control A.8.2.1 – Information Classification (alongside legal requirements, value, and criticality).

        Only when results of risk assessment, or applicable legal requirements, define control A.8.2.1 as applicable is that you need to classify information regarding sensitivity, due to unauthorized disclosure (i.e., loss of confidentiality) or modification (i.e., loss of integrity).

        In other words, the impact in risk assessment affects sensitivity rating, not the other way around (the greater the impacts due to loss of confidentiality or integrity, the greater should be the sensitivity rating, to ensure proper controls are implemented to protect the information).

        For further information, see:

      • Auditing integrated ISO 27001, ISO 20000 and ISO 9001

        An integrated management system can be audited/certified against only one of its component standards, so you do not need to implement all standards first and then go for auditing/certification.

        Please note that some certification bodies can perform integrated audits (you can ask for this information from your chosen certification body), so you also need to consider that when defining your implementation strategy.

        This article will provide you a further explanation about certification audit:

        These materials will also help you regarding certification audit:

      • Requirements for SAMD

        Classification of software is covered in the MDR by Rule 11.

        "Software intended to provide information which is used to make decisions with diagnosis or therapeutic purposes is classified as class IIa, except if such decisions have an impact that may cause:

        • death or an irreversible deterioration of a person’s state of health, in which case it is in class III; or
        • a serious deterioration of a person’s state of health or surgical intervention, in which case it is classified as class IIb.

        Software intended to monitor physiological processes is classified as class IIa, except if it is intended for monitoring of vital physiological parameters, where the nature of variations of those parameters is such that it could result in immediate danger to the patient, in which case it is classified as class IIb.

        All other software is classified as class I“

        In my opinion, it is class IIb – because if the software is wrong, and the dental doctor receives the wrong picture, there can be conducted a wrong surgical intervention.

        For software, the following requirements from the ISO 13485:2016 standard are definitely not applicable:

        • 7.5.5 Particular requirements for sterile medical devices
        • 7.5.7 Particular requirements for validation of a process for sterilization and sterile barrier systems
        • 7.5.9.2 Particular requirements for implantable medical devices

        Following requirements have to be taken into consideration:

        • 7.5.3 Installation activities
        • 7.5.4 Service activities

        All requirements that are not applicable must be stated in the Quality manual with justification why those are not applicable.

      • Annex A section 5.1

        Controls A.5.1.1 and A.5.1.2 are covered by ca 20 policies and procedures you can find in folder "08 Annex A" - it does not make sense to have a specific document focused only on these two controls.

        Additionally, is important to understand that ISO 27001 does not require every applicable control to be a separate document. In some cases, you only need to make a brief description of how it is implemented, and you can do that in our SoA template, in the column "Implementation Method".

        This article will provide you a further explanation about the Statement of Applicability:
        - How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
Page 187-vs-13485 of 1127 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +