
  • ROSI - interpreting calculated value

    First is important to note that the interpretation will depend on how the formula considers the incident costs and security control costs.

    For example, in the formula:

    ROSI = cost of a realized incident - the cost of needed security controls

    the results can be interpreted as you said (i.e., a positive result means that the implementation of security controls is worthy, and a negative result means the implementation is not worthy).

    In case the formula is:

    ROSI = cost of needed security controls - the cost of a realized incident

    The results interpretation would be inverse.

    These articles will provide you a further explanation about ROSI:

    This material can also help you:

  • All documents required by QMS for ISO13485

    This is not the list of internal documents. This is just a form where each manufacturer needs to put all their internal documents: https://advisera.com/9001academy/documentation/list-internal-documents/

    The list of internal documents is all the documents that you will prepare for your Quality Management System (documented procedures). Records are documents that arise as a result of some work, testing, reports, and similar.

    For more information, please see the following article:

    If you need a list of all documents that are necessary to prove compliance with ISO 13485:2016, please see the following article:

    You can find a list of all documents that are part of our documentation toolkit on this link, under the headline Toolkit documents:

    • ISO 13485:2016 Documentation Toolkit https://advisera.com/13485academy/iso-13485-documentation-toolkit/

    • Matrix for Requirements against Process/Department

      For internal audit you can definitely use our Internal audit checklist from our ISO 13485:2016 Documentation toolkit. The Internal Audit Checklist is the list of questions required to ensure the management system is implemented and maintained. The listing includes more than 100 questions to ensure each requirement of the ISO 13485 standard is implemented and maintained within the Quality Management System and includes the ability for the company to add additional questions to suit individual needs. Of course, within these 100 questions are questions regarding production, warehouse, quality control, and so on. Therefore, you can find questions applicable to your medical devices.

      Here is the link for the Internal audit checklist: https://advisera.com/13485academy/documentation/internal-audit-checklist-iso-13485-2016/

      For more information about conducting the internal audit, please see the following links:

      On the following link you can see which documents and records our ISO 13485:2016 Internal audit toolkit has: https://advisera.com/13485academy/iso-13485-internal-audit-toolkit/

    • Reviewing and approving suitability and adequacy documents as an office administrator

      You can answer that during review and before approval you ask the opinion of participants in the documented activities about its suitability and adequacy. You can answer that you make sure that while documents are being developed, participants are invited to give their contribution. You can also answer that after approval, in the first month, you monitor suitability and adequacy by following its implementation.

      You can find more information about ISO 9001:2015 below:

    • Isolation of Sensitive Systems

      This question can be answered from two points of view: auditor and pen tester.

      From the auditor's point of view, you need to check the evidence that shows isolation is implemented (e.g., network topology, pentest report, etc.).

      From a pen tester's point of view, to check isolation you need to try to access the systems from outside their defined perimeter of work (i.e., environment).

      For example, if a system's stated environment is the company's premises, you should try to access it from outside the company's premises, like:

      • from a side street, trying to find out a hidden wireless connection
      • from the company's website, trying to explore a site vulnerability

      In case the system's stated environment is a single room in the company's premises, or it is disconnected from the main company network, you should try to access it by:

      • trying to find out a hidden wireless connection
      • trying to explore an intranet vulnerability
      • trying to physically access a network device connected to the system
      • trying to get physical access to the room

      This article will provide you a further explanation about exploring vulnerabilities:

    • ISO 9001 Documentation requirements

      There may be more than one interpretation of your question. Let us assume that "documentation requirements" is another way of asking which documents are mandatory according to ISO 9001:2015 requirements.

      Please check this article about mandatory documentation - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/ Based on that approach, I say that the only one is 2-Audit reports (see in the article Results of internal audits (clause 9.2)).

      It is not mandatory to have a Quality Manual or quality procedures for example.

      You can find more information about ISO 9001:2015 below:

    • ISO 27001 certification for subsidiary companies

      1 - Is it possible to certify the two together or is it necessary to seek certification for each one individually?

      It is possible to have a single certification for your organization and its subsidiary, but please note that implementing a certification in multiple geographic locations is a complex, and more expensive, task and you should go for it only if it is really necessary for business strategies and objectives. Instead, you should consider the prioritization of locations and implementing the certification one location at a time.

      2 - Similarly would we need a separate ISMS for each?

      ISO 27001 does not prescribe how to manage information security in multiple organizations, so you can manage them using a single platform. But it is important to note that you need to ensure that the specifics in the implementation of each organization are clearly identified and separated.

      For example, you may have the same control (e.g., access control) implemented in different ways in several organizations, and your platform needs to help you track this condition, so activities like internal audit and management review can work on the real situation of each organization.
