
  • Risk assessment in Conformio

    1- Why are confidentiality, availability, and integrity not considered in the risk assessment? And how is Conformio addressing them?

    ISO 27001 does not require the impact on confidentiality, integrity, and availability to be explicitly evidenced during the assessment (e.g., as separate values).

    According to the Risk Assessment Methodology, confidentiality, integrity, and availability are represented through impact when assessing risks.

    2- Why is there no prioritization for actions in the RTP? This should be identified based on the risk levels. We only see a list, but it is not based on the risks identified.

    First, it is important to note that ISO 27001 does not prescribe how to prioritize actions in the Risk Treatment Plan, so organizations can adopt the prioritization criteria that best fit their needs.

    In the Risk Treatment Plan in Conformio you prioritize the activities by defining the deadlines for their implementation.

    This article will provide you with further explanation about risk treatment:

    • Risk treatment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment

    • Statement of conformity

      You asked:

      how the laboratory will address the regulatory requirement for reporting statement of conformity in the event of a request to calibrate a measuring instrument used for a regulated purpose as per ISO/IEC 17025:2005 clause 7.1.3

      Firstly, it is the requirements of ISO/IEC 17025:2017, that is the third edition, that need to be met. The requirements for statements of conformity are covered in clauses 7.1.3 and 7.8.6.1. Secondly, understand that the decision rule is a rule that describes how measurement uncertainty is accounted for when stating conformity with a specified requirement. To address the regulatory requirement for reporting a statement of conformity, the calibration laboratory needs to understand the impact on the testing laboratory’s use of the measuring device. That is, the level of risk (such as false pass and false fail) if measurement uncertainty is added to the result or not. For example, consider if dealing with an upper tolerance, and the MU is not added, is there a risk of a false pass? Start by determining what the client and regulations require, assess the risk, and then document the decision rule to be applied to calibration results. Finally, remember to reference it in the calibration report.

      For more information on ISO 17025 refer to Advisera ISO 17025 – Where to Start? at https://advisera.com/iso-17025/

    • Filling documents

      1. On the risk management matrix, should we include departments such as finance and administration that are not quite an essential part of the process to make and develop our product?
      Considering the risk management according to ISO 14971:2019 particularly for medical device manufacturers, only risks related to the medical product and which may affect the safety of the product must be covered. This means that finance and administration departments usually are not covered with risk management for medical devices. 

      2. On the 9th document "Design and Development" it says we should include records of old versions of the designs of the product, but our question is how many records should we include? Should we include them since our first design (which is from 2021) or could we just include the designs from a year ago to now? Or is there a minimum record time that must be met?

      You need to include records from your first design and keep those records for at least 10 years after the last device is sold on the market for all classes except for class III and class IIB implantable devices, for which it is necessary to keep them for 15 years.

    • Should nonconformities undergo a documented risk assessment / analysis?

      ISO 27001 does not prescribe risk assessment to be performed over identified nonconformities, so a company is not obliged to perform it.

      This article will provide you with further explanation about handling non-conformities:

    • Distributor and ISO 13485

      There is no MDR requirement that distributors of medical devices need to be certified according to ISO 13485. But, as stated in Article 14 - General Obligations of Distributors, the following elements must be in place: 

      • storage conditions as stated on the medical device and by the manufacturer
      • have in place a complaint system - how they can receive a complaint and how they will inform the manufacturer of the received complaint
      • must have in place a system for recall - distributor of course will never start a recall, but rather will be a part of the process - they must know how they must behave in a situation when they receive information from the manufacturer that they must withdraw the products from their market.
      • communication with a competent authority
      • have and maintain a shorter version of the medical device file - declaration of conformity, EC certificate, instruction of use, storage conditions, installation, and/or service manual (if applicable)

      For more information, see:

      • EU MDR Article 14 - General obligations of distributors - https://advisera.com/13485academy/mdr/general-obligations-of-distributors/

      • Scope definition

        For companies of your size, our recommendation is to include all the organization in the Information Security Management System (ISMS) scope (i.e., you need to include all the systems you listed in the scope) because the effort to separate what is and what is not part of the scope is not worth it.

        For further information, see:

        This material can also help you:

        • Tool for defining the ISO 27001 ISMS scope https://advisera.com/insight/chatbot-tool-iso-27001-scope/

        • Integrated checklist for ISO 9001:2015 and ISO 14001:2015

          First, I can only help you develop a checklist based on the standards; you should not forget that auditing compliance against internal procedures and effectiveness against management system objectives is very important.

          Start by determining which ISO clauses are related with the quality department. For example:

          • 9001 – 8.6, 8.7, 9.1, 9.2, 10.2, 10.3
          • 14001 – 6.1.2, 8.1, 8.2, 9.1, 9.2, 10.2, 10.3
          • Some organizations may include also clauses 6.2 and 9.3.

          Now, think about what you want to know regarding those clauses. For example:

          • Are quality control activities being performed according to plan?
          • Is nonconforming product segregated, treated and recorded? Are corrective actions developed?
          • Is process monitoring, analysis and evaluation performed according to plan?
          • Is the audit program executed? Are audit results available?
          • What environmental aspects are related with the quality department?
          • Are environmental operational controls in place at the quality department?
          • And what about preparedness and emergency situations in the quality department? Are prevention measures in place? Are response measures in place?
          • Any simulation done? Any emergency happened? What was learned? 

          Please check this free webinar, How To Perform an ISO 9001:2015 Internal Audit (https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/), for an example of how to develop an audit checklist from a document.

        • Consultants considered processors?

          We have a couple of consultants at our company, most of them working full time. Some of them are hired through a consultancy firm and some of them are self-employed. The consultants work according to our policies and processes as any other employee. Some of them work from home and some of them work mainly in the office. Would you consider these consultants (or the consultancy firm) to be a data processor? I would say that they are not, but we have different opinions at my company, so I am just seeking advice.

        • Request for guidance

          To be compliant with the 2022 revision of ISO 27001, you need to make a new Statement of Applicability with 93 controls.

          From your question, it is not clear if your Information Security Management System (ISMS) is certified or not. In case you are searching for certification, you can certify your ISMS against ISO 27001:2013 until October 31, 2023, and there is no need to change your SoA. For certifying after October 31, 2023, you need to be compliant with ISO 27001:2022, and for that, you will need to update your SoA to the 93 control version. 

          For further information, see:

          This material can also help you:
