1 - I've seen the instructions on how to set up the risk register, which seems easy, but do you have any instructions on how to work with the risk register in the upcoming years and cycles after certification?
(Our mutual customer has implemented and certified ISO 27001 in your tool.) It looks like you need to go through the process all over again to reach the register.
Answer: First of all, thanks for the feedback.
Once you have performed the first risk assessment and treatment, you can access the Risk Register Module, and by clicking the “Edit Risk Register” button you can perform one or both of the following actions:
Update the current information of approved risks (i.e., update the risk value and/or risk owner).
Create a new risk (i.e., define the risk, the risk value and the risk owner), by clicking the “Add new risk” button.
Once you have updated approved risks and/or created new risks, by clicking the “Next” button in the left-side part of your screen you can proceed to the review of changes, and after that, for the reviewed risks, to the definition of risk treatment and the approval of the risks and treatments.
As you can see, in case of only reviewing risks, the effort is smaller, because you will be only updating the risk value and/or risk owner in the assessment phase (all other steps need to be performed).
2 - All risks seem to get risk values of zero after a plan.
Answer: Regarding residual risks being zero, this is probably because you have decided to apply several different controls to treat each risk, and this approach really results in a great decrease in risk, because some controls work over consequence while others work on the probability of a risk occurring.
3 - I'm looking to see the progress of making the risk smaller.
Answer: To work in the way you described, we suggest that, when adding new risks or reviewing the treatment of already approved risks, you implement only one control at a time and see its effect on the risk, and after that add new controls and see their combined effect.
4 - Filter and work with all risks in the prioritization order that the auditors demand.
Answer: Regarding risk prioritization and filtering, please note that an auditor should not demand a specific prioritization. Risk treatment prioritization is an organizational decision, based on its context and risk appetite. Regarding that, what the auditor can do is require you to explain which criteria you used to prioritize them and evaluate if these criteria make sense to your ISMS.
The auditor can at most suggest a prioritization (the organization can evaluate the suggestion and follow it or not according to its need).
5 - Can you guide me to any information, manual or video on how to work with the register after implementation? (Or are you supposed to extract it and work in Excel or similar?)
Answer: You can schedule an online meeting with one of our experts so he can guide you on performing a risk review by accessing this link: https://advisera.com/consultations/.
Thank you very much, Kristina.
So the main purpose of risk analysis, no matter the device or procedure, is compliance with regulations and safety.
Best regards,
First, you identified 14 processes.
Please check ISO 9001:2015 clause 4.4.1 c): your organization must have at least one indicator/objective per process to monitor its performance. But those indicators/objectives are not necessarily quality objectives, i.e., high-level objectives aligned with and deployed from the quality policy.
Process performance indicators are one thing, quality objectives are another. Some process indicators can also be quality objectives.
Second, regarding “Can I interpret that as our organization can choose which of the 14 processes we want to establish quality objectives for?”: yes, you can choose, but it should not be a free choice; it should be a function of strategy and the quality policy.
Please check the third slide after the agenda of this free webinar on demand.
This 2017 version refers to the British version of ISO 27001 (the BS EN ISO/IEC 27001:2017), which does not include any change that impacts the requirements defined by ISO 27001:2013.
This article will provide you with further information:
Please note that ISO 27001 control A.17.1.2 Implementing information security continuity does not require a "Business Continuity Procedure", only “…processes, procedures, and controls to ensure the required level of continuity for information security…”.
Considering that, a less complex document like the Disaster Recovery Plan is sufficient to be compliant with this control.
In the 2022 version of the standard, control A.17.1.2 is now A.5.30 ICT readiness for business continuity. For further information, see:
Regarding the "List of Required Docs for ISO 27001 / 2013”, it is not clear which document you are referring to. Could you please send us the link to it, so we can check it?
1- Why are confidentiality, availability, and integrity not considered in the risk assessment? And how is Conformio addressing them?
ISO 27001 does not require the impact on confidentiality, integrity, and availability to be explicitly evidenced during the assessment (e.g., as separate values).
According to the Risk Assessment Methodology, confidentiality, integrity, and availability are represented through impact when assessing risks.
2- Why is there no prioritization for actions in the RTP? This should be identified based on the risk levels. We only see a list, but it's not based on the risks identified.
First, it is important to note that ISO 27001 does not prescribe how to prioritize actions in the Risk Treatment Plan, so organizations can adopt the prioritization criteria that best fit their needs.
In the Risk Treatment Plan in Conformio you prioritize the activities by defining the deadlines for their implementation.
This article will provide you with further explanation about risk treatment:
You asked: "how the laboratory will address the regulatory requirement for reporting statement of conformity in the event of a request to calibrate a measuring instrument used for a regulated purpose as per ISO/IEC 17025:2005 CLAUSE 7.1.3".
Firstly, it is the requirements of ISO/IEC 17025:2017, that is, the third edition, that need to be met. The requirements for statements of conformity are covered in clauses 7.1.3 and 7.8.6.1. Secondly, understand that the decision rule is a rule that describes how measurement uncertainty is accounted for when stating conformity with a specified requirement. To address the regulatory requirement for reporting a statement of conformity, the calibration laboratory needs to understand the impact on the testing laboratory’s use of the measuring device, that is, the level of risk (such as a false pass or a false fail) if measurement uncertainty is or is not added to the result. For example, if dealing with an upper tolerance and the MU is not added, is there a risk of a false pass? Start by determining what the client and regulations require, assess the risk, and then document the decision rule to be applied to calibration results. Finally, remember to reference it in the calibration report.
For more information on ISO 17025 refer to Advisera ISO 17025 – Where to Start? at https://advisera.com/iso-17025/
1. On the risk management matrix, should we include departments such as finance and administration that are not quite an essential part of the process to make and develop our product?
Considering risk management according to ISO 14971:2019, particularly for medical device manufacturers, only risks related to the medical product and which may affect the safety of the product must be covered. This means that finance and administration departments usually are not covered by risk management for medical devices.
2. On the 9th document, "Design and Development", it says we should include records of old versions of the designs of the product, but our question is how many records should we include? Should we include them since our first design (which is from 2021), or could we just include the designs from a year ago to now? Or is there a minimum record time that must be met?
You need to include records from your first design and keep those records for at least 10 years after the last device is sold on the market for all classes, except for class III and class IIb implantable devices, for which it is necessary to keep them for 15 years.
ISO 27001 does not prescribe risk assessment to be performed over identified nonconformities, so a company is not obliged to perform it.
This article will provide you with further explanation about handling non-conformities: