Search results

Medical devices vs. AI and software driven medical devices

For medical devices that are software and AI, the following requirements are not applicable:

6.4 Work environment and contamination control
7.5.5 Particular requirements for sterile medical devices
7.5.7 Particular requirements for validation of processes for sterilization and sterile barrier systems
7.5.9.2 Particular requirements for implantable medical devices
It means that you do not need to prepare documentation from these requirements. In your Quality manual, it is necessary to state which requirements are not applicable and why. For example, for requirement 7.5.5 justification can be: This requirement is not applicable because our product is not sterile, and does not need to be sterile to perform its intended use.  

The following requirements need to be seen whether they are applicable or not:

7.5.3 Installation activities
7.5.4 Service activities

Data obtained from partners

"I would like to know more about what it looks like when a partner company obtains personal data for its own company.I am initially assuming that the partner will then be responsible for data protection?

It depends on the role of the partner in the data processing.

If both parties are equals in determining the purposes and means of data processing (both companies offer a part of the service to customers, i.e. the device and the software) they are considered joint controllers under Article 26 GDPR.

If the partner provides a service on the behalf of the other company (i.e. a marketing agency using data of the Client’s customers) it will be considered a data processor under Article 28 GDPR.

The difference is that while joint controllers define in their legal agreement the shares of liabilities (referred to the service/good offered) and each one has its own responsibility towards data subject (though data subject may exercise its rights in respect of and against each one controller), the data processor must follow the instruction received by the data controller who will always be liable for processor infringements of GDPR.

And or how exactly does this have to be contractually clarified or formulated?I would be very happy to receive feedback.

Again, the structure depends on the kind of relationship, even if the transfer of data in third countries is involved. In our Toolkit, you can find the template that helps you to draft the joint controllers’ agreement and the controller-processor agreement from the perspective you are a controller either a processor. You can also purchase templates individually.

• Controller to Controller Data Processing Agreement https://advisera.com/eugdpracademy/documentation/controller-to-controller-data-processing-agreement/
• Supplier Data Processing Agreement https://advisera.com/eugdpracademy/documentation/supplier-data-processing-agreement/
• EU GDPR Premium Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-premium-documentation-toolkit/

Here you can find more information about the controller and processor obligation:

• EU GDPR controller vs. processor – What are the differences? https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
• The obligations of controllers towards Data Protection Authorities according to GDPR https://advisera.com/eugdpracademy/blog/2017/12/11/the-obligations-of-controllers-towards-data-protection-authorities-according-to-gdpr/

If you need to understand how controllers need to comply with GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

Becoming an ISO 45001 Lead Auditor

The process of becoming a lead auditor involves taking the ISO 45001 lead auditor training program, and then putting this knowledge in place with a certification body. You can read more about this process in the article below. When it comes to being a “good” lead auditor, this comes from using and refining your audit skills, and being open to continuing to learn and improve as you audit. As with many skills in life, you don’t become good at auditing unless you use the auditing skill and get better over time.

You can read more on becoming a lead auditor in the article: How to become an ISO 45001 lead auditor, https://advisera.com/45001academy/blog/2019/12/11/iso-45001-lead-auditor-how-to-get-certified/

Stage 1 audit

Stage 1 is usually called „Documentation audit“ because auditors what will check are all documentation requirements from the standard fulfilled. SO, you need to prepare all documents from the requirements that are applicable for your company and within the scope. If some of the major documents are missing, it is not possible to access the next step, the initial audit or so-called Stage 2 audit.

For more information regarding the certification process, please see the following articles:

• First-, Second- & Third-Party Audits for medical device manufacturers & suppliers https://advisera.com/13485academy/knowledgebase/first-second-third-party-audits-for-medical-device-manufacturers-suppliers/
• Checklist of ISO 13485 implementation and certification steps https://advisera.com/13485academy/knowledgebase/checklist-of-iso-13485-implementation-and-certification-steps/
• How to get ISO 13485 certified? https://advisera.com/13485academy/iso-13485-certification/

• Certification qualification

  According to section 1. Scope of the ISO 13485:2016 is stated that this standard is applicable to all entities involved in the life-cycle of the medical device. It means that this standard is applicable for: manufacturer, design and development, storage, distribution, installation, service, or any other company that provides associated activities like technical support.

  For more information about ISO 13485, please see the following articles:

  • What is ISO 13485? https://advisera.com/13485academy/what-is-iso-13485/
  • Six key benefits of ISO 13485 implementation https://advisera.com/13485academy/knowledgebase/six-key-benefits-of-iso-13485-implementation/

  • Can I save my customers information and email them about the event they purchased a ticket for?

    Yes, you can. You don’t need consent to remind a service that your customer purchased (however, you should mention follow-up and reminders in your privacy notice and also the sharing of data with third parties like your CRM).Article 6 GDPR on the legal basis of data processing allows the controller to process personal data to fulfill contract obligation and reminding your customers that the online event they purchased is coming, it is part of the customer care relationship. So, definitely, you can.

    If you need to know more about data subjects rights, consent, and compliance to GDR here you can find more information:

    • Data subject rights according to GDPR https://advisera.com/eugdpracademy/knowledgebase/8-data-subject-rights-according-to-gdpr//
    • Is consent needed? Six legal bases to process data according to GDPR https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
    • Email marketing in the era of GDPR – How to ensure compliance? https://advisera.com/eugdpracademy/blog/2019/05/27/gdpr-and-email-marketing-rules-for-compliant-campaigns/

    If you need to understand how to data subject rights need to be managed under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

  • Risk Management Alignment Among ISO31000, ISO27001, ISO22301 & ISO9001

    First is important to note that ISO 9001, ISO 22301, and ISO 27001 do not prescribe any methodology for risk assessment and risk treatment, so you can adopt the methodology that better fits your context. As for ISO 31000, it defines a general framework for risk management that can be applied to organizations of any industry and size, based on this core process: risk identification, risk analysis, risk evaluation, and risk treatment.

    Considering that, you should adopt the “global definition, local implementation” approach, i.e., which aspects need to be used in all situations, and which ones are used in specific situations.

    For example, for risk identification, depending on how you need to look at the risk (e.g., in terms of information security, business continuity, quality, or organization) one approach can be better than another (the most common approaches are asset-based, process-based and scenario-based). This is a step you should consider in local terms for execution (i.e., which approach to use) but ensuring the participation of personnel with competence in all perspectives, ensure a holistic view, and avoid reassessment.

    On the other hand, for risk analysis and risk evaluation, you need to have a global definition, because without that you will be unable to compare risks from different perspectives. This can be achieved by using the same risk formula and scale in all approaches (e.g., risk equals to impact times likelihood, and scale very low to very high, or 1 to 5), and normalizing the meaning of the scales considering all your perspectives. For example, what an impact value of 1 means to information security, business continuity, quality, and to the organization?

    If you have the same formula and the same scale used for all identified risks, regardless of how you identified them, you will be able to compare them (and this will save you the time and effort in overlapping assessments).

    As for risk treatment, you should define general treatment options (e.g., risk acceptance, risk mitigation, risk avoidance, and risk transfer), so you can have a holistic view of applied treatments, and define specific sets of potential implementation solutions since what is applicable for information security may not be applicable to quality.

    By following this approach, you can ensure all risks can be related, improving risk management effectiveness, decrease the effort and need for reassessments, improving risk management efficiency, and keep the independent goals of each risk assessment/management.

    These articles will provide you a further explanation about risk management:
    - ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
    - ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification/
    - How to integrate COSO, COBIT, and ISO 27001 frameworks https://advisera.com/27001academy/blog/2016/10/10/how-to-integrate-coso-cobit-and-iso-27001-frameworks/

    This material will also help you regarding risk management:
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

  • HIPAA vs. ISO 27001 - What are the differences?

    Please note that either SOC2 and HIPAA focus on controls to be implemented, while ISO 27001 provides a framework for information security management, meaning that it also covers the controls improvement and adjustment according to changes in a business context, based on a risk management approach.

    Considering that including in an audit of SOC2 and HIPPA references to clauses 4-10 of ISO 27001 only makes sense if the organization, besides the required controls, also has a management system.

    My point of view is that “HIPAA plus ISO” trend will increase, and since legal requirements for information security will also increase, the adoption of a full information security management system will require future audits to include clauses 4-10 of ISO 27001, if not because HIPAA requirements, but because organizations will realize that a full management system will help them better manage multiple legal requirements for information security

    This article will provide you a further explanation about benefits of ISO 27001:
    - Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
    - HIPAA compliance vs ISO 27001 https://advisera.com/27001academy/blog/21/01/27/hipaa-compliance-vs-iso-27001/

    These materials will also help you regarding ISO 27001:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  • How to fill out BYOD policy?

    Please note that in these templates you will find some text between brackets (e.g., [job title], [name of document], etc.). To customize the templates according to your organization's needs you only need to change these texts by your information. For example, in the phrase “[job title] defines the list of devices approved for BYOD” you can write “Head of IT defines the list of devices approved for BYOD”, or any other role that will be in charge of this definition.

    Also, note that in the templates you will find many commentaries with tips on how to fill in the documents and material you can read for more information.

    These articles will provide you a further explanation about BYOD policy and for training and awareness:

    • How to write an easy-to-use BYOD policy compliant with ISO 27001 https://advisera.com/27001academy/blog/2015/09/07/how-to-write-an-easy-to-use-byod-policy-compliant-with-iso-27001/
    • How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/

    These materials will also help you regarding BYOD policy and for training and awareness:

    • ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    • ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    • Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.

  • Policies presentation

    Please note that there is no single answer to this question because you have different publics with different interests:

    • top management needs to make decisions over issues that many times are not so clear for them, and they do not need deep knowledge about technicalities of security issues (they will be more concerned about how it impacts the business). In these cases, your presentation should be focused on decisions they need to make on each policy
    • technical personnel with operational responsibilities for security needs deep knowledge over technologies, methodologies, and process, so your presentation should be focused on the procedures and rules they need to follow
    • overall personnel needs a basic understanding of security, to properly identify, report, and react to risky situations. In these cases, your presentation should be focused on examples and how to proceed according to the policies

    
    These articles will provide you a further explanation about awareness in the organization:

    • What are the benefits of security awareness training for organizations? https://advisera.com/27001academy/blog/2019/03/27/what-are-the-benefits-of-security-awareness-training-for-organizations/
    • How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
    • Top management perspective of information security implementation https://advisera.com/27001academy/blog/2012/12/04/top-management-perspective-of-information-security-implementation/

    
    These materials will also help you regarding the awareness in the organization:

    • Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    • ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    • Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.