Search results

Appendix for Design and Development

It was our opinion that transparency is better this way. Appendix corresponds to the sequence required by requirement 7.3 Design and development. If you put all Appendix together, start from Appendix 1 to Appendix 8, then you will have documented the whole process for the Desing and development.

You can find more information about Desing and development on the following link:

• How to manage design and development of medical devices according to ISO 13485:2016 https://advisera.com/13485academy/blog/2017/08/24/how-to-manage-design-and-development-of-medical-devices-according-to-iso-134852016/

• Confirmation for Erasure of Data

  Yes, it is correct.

• Guideline on oxygen tank calibration

  This depends on which market you are in.

  On the US market, all necessary information you can find in the document

  7356-002E Compressed Medical Gases – FDA. This is the Compliance program guidance manual issued March 15, 2015, talking about Compressed medical gases (CMG or medical gases) include gaseous and liquid (cryogenic) forms stored in high-pressure cylinders that are administered as a gas. Another important document is Current Good Manufacturing Practice for Medical Gases – FDA, issued June 2017. On the EU market, the main source of information is European Industrial Gases Association, https://eiga.eu/

  The most important element of the tanks is pressure regulators. Technical aspects are covered in the following standards:

  • ISO 10524-1:2018 Pressure regulators for use with medical gases — Part 1: Pressure regulators and pressure regulators with flow-metering devices
  • ISO 10524-2:2018 Pressure regulators for use with medical gases — Part 2: Manifold and line pressure regulators
  • ISO 10524-3:2019 Pressure regulators for use with medical gases — Part 3: Pressure regulators integrated with cylinder valves (VIPRs)
  • ISO 10524-4:2008 Pressure regulators for use with medical gases — Part 4: Low-pressure regulators

  • ISO for forensic sciences labs

    Forensic chemical testing, including toxicology (for example ethanol in blood or a toxic substances in urine), would be accredited to the ISO 17025 standard for testing laboratories; under a Forensic accreditation program. Note that countries may also have specific requirements for Legal forensics testing, besides ISO 17025.

    ISO 15189 Medical laboratories - Requirements for quality and competence is the international standard for medical laboratories. i.e. if the testing is a human medical pathology test, for example blood chemistry or microbiology, then ISO 17025 is typically not applicable. It is worth noting that ISO 15189 was developed based on ISO 9001 and ISO 17025. The requirements are similar, in the context of the type of testing and medical diagnostic risk. I suggest you look at the requirements of the accreditation programme provided by your accreditation body.

    For more information to meet ISO 17025 requirements, see the complimentary white paper (PDF) Clause-by-clause explanation of ISO 17025:2017 available at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/ and the ISO 17025 Toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

  • ISO 27001: DevOps toolchains

    Please note that legal operational responsibility may be only one of the requirements that you need to fulfill. To make your change management process legally secure you need to identify all legal requirements (e.g., laws, regulations, and contracts) that you must fulfill. For example, you may have a legal requirement demanding the use of a specific change approach, or technology.

    In this case, the recommendation is to hire a local legal expert advisor to help you identify the requirements you need to fulfill.

    An online search can help at the beginning of your work (for an overview), but local expert advice is highly recommended.

    This article can provide a start: https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
    
    But please note that the list in this article is not fully up-to-date because it depends on voluntary contributions from our readers – therefore, it is likely that not all regulations for each country are listed (some even may have been withdrawn).

    This article will provide you a further explanation about the identification of requirements:

    • How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

  • BCP/DRP

    Considering specifically the threat of hackers and cybersecurity, the first thing you should consider is performing a business impact analysis (BIA), to identify how business services and processes would be impacted by disruptions caused by such threats.

    After identifying how business services and processes would be affected, then you can start planning your BCP/DRP, considering the most impacted services and processes. According to ISO 22301, a Business Continuity Plan must contain:

    • Purpose, scope, and users
    • Reference documents
    • Assumptions
    • Roles and responsibilities
    • Key contacts
    • Plan activation and deactivation
    • Communication plan
    • Incident response
    • Physical sites and transportation
    • Order of recovery for activities
    • Recovery plans for activities
    • Disaster recovery plan
    • Required resources
    • Restoring and resuming activities from temporary measures

    To see how a BCP compliant with ISO 22301 looks like, please access the free demo at this link: https://advisera.com/27001academy/documentation/business-continuity-plan/

    This article will provide you a further explanation about BCP content:
    - Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/

    This material will also help you regarding BCP content:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
    - How to use ISO 22301 to continue operations during the pandemic [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-use-iso-22301-to-continue-operations-during-the-pandemic-free-webinar-on-demand/

  • FCS security governance critical success factor

    ISO 27001 requires risk assessment only to identify risks, risk owners, and determine the levels of risk. Other information can be added in case an organization identifies them as relevant.

    Some of the elements you mentioned (asset category, CWE, vulnerability) are related to an asset-based risk assessment, which is acceptable by the standard.

    To see how a risk assessment table, based on the asset-based approach, looks like, please access the free demo of our Risk Assessment Table at this link: https://advisera.com/27001academy/documentation/risk-assessment-table/

    This article will provide you a further explanation about risk assessment:
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    These materials will also help you regarding risk assessment:
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  • ISO 27001 Certification

    The first step is for you to decide which path you want to follow considering security management or security assurance (i.e., security audit), and for these areas, you have the following ISO 27001 certifications you can follow:

    • ISO 27001 Lead Implementer – this certification recognizes people who have competency in the ISO 27001 implementation process.
    • ISO 27001 Lead Auditor – this certification recognizes people who have competency in auditing an ISM S against ISO 27001 requirements and want to become certification auditors (and with this provides more confidence to an organization for being certified).

    These articles will provide you a further explanation about ISO 27001 personnel certifications:

    • What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
    • What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
    • Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/

    For courses related to these certifications, please see:

    • ISO 27001:2013 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/
    • ISO 27001:2013 Lead Implementer Course https://advisera.com/training/iso-27001-lead-implementer-course/

  • ISO 14001 EMS Internal Audit

    No, an EMS manual is not a mandatory document. Please check this article - List of mandatory documents required by ISO 14001:2015 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-mandatory-documents-required-by-iso-140012015/

  • Possible GDPR breach

    The company should adopt organizational measures to prevent the unauthorized circulation of the email (is there an access control policy? Is staff trained?) It is not only about technical security measures but only adopting processes and procedures that prevent staff from disclosing sensitive information to a third party. So, in that way, the organization can be considered liable for a data breach.