Search results


  • How to use the ISO 13485:2016 Internal Audit Toolkit

    You can always customize any document and use it for just one department. In the audit plan, you will then state that the audit criterion is only one requirement that applies specifically to that department. For example, if you only want to audit the sterilization department, then you will specify requirement 7.5.5 Particular requirements for sterile medical devices and 7.5.7 Particular requirements for validation of the process for sterilization and sterile barrier systems as the audit criteria. If you want to audit only Installation Processes, then your auditing criteria will be requirement 7.5.3 Installation activities. 

    If you look at the audit checklist, you can apply the same principle here, so that you fulfill the audit results only in those requirements in which you performed the audit.

    You can see how these documents look in our ISO 13485:2016 Documentation Toolkit at the following link:

    The following articles can be useful:

    • Five main steps in the ISO 13485:2016 internal audit https://advisera.com/13485academy/knowledgebase/five-main-steps-in-the-iso-134852016-internal-audit/
    • How to create a checklist for an ISO 13485 internal audit for your QMS https://advisera.com/13485academy/knowledgebase/how-to-create-a-checklist-for-an-iso-13485-internal-audit-for-your-qms/

    • Holding Personal Information

      GDPR lets the controller determine the period for data retention. In some cases, like for financial declarations, domestic laws impose a fixed term like 10 years, while for health declarations periods can be even longer, up to 20 years, because of the potential implication in legal actions.

      Our Toolkit contains a data retention policy template that may help controllers to determine the period of data retention for each processing activity.

      If you need to understand how to process personal data under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

    • Digital consent registration

      Our GDPR Documentation Toolkit provides the text of the consent and of the Cookie Policy that must be implemented in the technical systems. GDPR requires that consent can also be expressed by an action, which must be recorded in order to ensure accountability.

      The register of processing activities (folder Mapping of Processing activities), for example, requires listing, for each processing activity (like a website or newsletter), the data processed, the purposes of processing and the record; so if the consent is given in electronic form and registered technically in the newsletter service provider, it should be registered, also noting whether a transfer of data to third countries happens.

      Then, the IT Security Policy, at paragraph 3.13, lists all rules for email and other messaging systems, requiring “Users may only send messages containing true information. It is forbidden to send materials with disturbing, unpleasant, sexually explicit, rude, slanderous or any other unacceptable or illegal content. Users must not send spam messages to persons with whom no business relationship has been established or to persons who did not require such information”. In the Access Control Policy there is the list of persons/roles who can access a system/network or physical area, and specific rules for mailing list management can be implemented.

      If you want to know more about data subjects’ rights, consent and compliance with GDPR, here you can find more information:

      If you need to understand how data subject rights need to be managed under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

    • ISO 9001 in civil engineering

      Thank you so much for the reply, Sir, it's really helpful 👌

    • ISO templates - HR Policy

      Please note that ISO 27001 does not require an HR Policy, nor is this a commonly adopted document for ISO 27001 ISMS implementations. Commonly adopted controls related to Human Resources (controls from section A.7 of ISO 27001 Annex A) are covered by these templates:

      • Confidentiality Statement, located in folder 08 Annex A Security Controls >> A.7 Human Resource Security
      • Statement of Acceptance of ISMS Documents, located in folder 08 Annex A Security Controls >> A.7 Human Resource Security
      • Supplier Security Policy, located in folder 08 Annex A Security Controls >> A.15 Supplier Relationships
      • Security Clauses for Suppliers and Partners, located in folder 08 Annex A Security Controls >> A.15 Supplier Relationships
      • Incident Management Procedure, located in folder 08 Annex A Security Controls >> A.16 Information Security Incident Management

      Regarding awareness, the template you need is the Training and Awareness Plan, located in folder 08 Annex A Security Controls >> 09 Training and Awareness.

      For further information, see:

      This material will also help you regarding awareness and training:

    • ISO 27001 Risk Assessment

      First, it is important to note that you need to include in the risk assessment every risk you understand as relevant, even if there are controls already implemented to treat them.

      If you already have controls implemented, you should consider their effects on the risk value, so that your risk assessment table reflects the current situation of your environment. The existing controls should be included in the "Existing Controls" column.

      By the way, included in the toolkit you bought you have access to a video tutorial that can help you fill in the risk assessment and risk treatment tables.

      These articles will provide you with further explanation about risk assessment:

      These materials will also help you regarding risk assessment:

    • Reconciling Incident SLA vs RTO

      First, it is important to note that higher disruption levels do not necessarily lead to higher Recovery Time Objectives (RTOs), or to lower incident response times/SLAs. These times are mostly defined by business continuity strategies, process interdependencies, and available resources. For example, an organization may decide:

      • to have the same RTO and incident response time/SLA, regardless of the disruption level (this basically means to have an alternative site mirroring the main site in real time at a distance that cannot be affected by the same disruption).
      • to increase RTO to keep the incident response time/SLA, provided the RTO does not become greater than the Maximum Acceptable Outage (MAO). The difference between RTO and MAO is that, once MAO is defined, when the MAO threshold is breached, recovering the business is no longer worthwhile, while the RTO can be changed to any value from 0 to any value smaller than MAO.
      • to decrease the incident response time/SLA to keep RTO, but you need to note that how much you can decrease the incident response time/SLA will depend on the complexity of process interdependencies (i.e., some recovery activities can only be performed in sequence, not in parallel, so the sequence with the shortest time will define the minimum incident response time/SLA).

      Considering that, you need to find a balance between needed activities, available resources, and business objectives and strategies to define proper values for RTO and incident response time/SLA.

      These articles will provide you with further explanation about business continuity concepts:

      This material will also help you regarding business continuity concepts:

    • Medical devices vs. AI and software driven medical devices

      For medical devices that are software and AI, the following requirements are not applicable:

      6.4 Work environment and contamination control
      7.5.5 Particular requirements for sterile medical devices
      7.5.7 Particular requirements for validation of processes for sterilization and sterile barrier systems
      7.5.9.2 Particular requirements for implantable medical devices

      It means that you do not need to prepare documentation from these requirements. In your Quality manual, it is necessary to state which requirements are not applicable and why. For example, for requirement 7.5.5 the justification can be: This requirement is not applicable because our product is not sterile, and does not need to be sterile to perform its intended use.

      For the following requirements, it needs to be determined whether they are applicable or not:

      7.5.3 Installation activities
      7.5.4 Service activities

    • Data obtained from partners

      "I would like to know more about what it looks like when a partner company obtains personal data for its own company. I am initially assuming that the partner will then be responsible for data protection?

      It depends on the role of the partner in the data processing.

      If both parties are equals in determining the purposes and means of data processing (both companies offer a part of the service to customers, i.e. the device and the software) they are considered joint controllers under Article 26 GDPR.

      If the partner provides a service on behalf of the other company (i.e. a marketing agency using data of the Client’s customers) it will be considered a data processor under Article 28 GDPR.

      The difference is that while joint controllers define in their legal agreement the shares of liabilities (referred to the service/good offered) and each one has its own responsibility towards data subjects (though data subjects may exercise their rights in respect of and against each controller), the data processor must follow the instructions received from the data controller, who will always be liable for processor infringements of GDPR.

      And or how exactly does this have to be contractually clarified or formulated? I would be very happy to receive feedback."

      Again, the structure depends on the kind of relationship, even if the transfer of data to third countries is involved. In our Toolkit, you can find the templates that help you to draft the joint controllers’ agreement and the controller-processor agreement from the perspective of being either a controller or a processor. You can also purchase templates individually.

      Here you can find more information about the controller and processor obligations:

      If you need to understand how controllers need to comply with GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

    • Becoming an ISO 45001 Lead Auditor

      The process of becoming a lead auditor involves taking the ISO 45001 lead auditor training program, and then putting this knowledge in place with a certification body. You can read more about this process in the article below. When it comes to being a “good” lead auditor, this comes from using and refining your audit skills, and being open to continuing to learn and improve as you audit. As with many skills in life, you don’t become good at auditing unless you use the auditing skill and get better over time.


      You can read more on becoming a lead auditor in the article: How to become an ISO 45001 lead auditor, https://advisera.com/45001academy/blog/2019/12/11/iso-45001-lead-auditor-how-to-get-certified/
