Search results

ISO 14001 cost and benefits

About advantages, please check these articles - 6 Key Benefits of ISO 14001 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/6-key-benefits-of-iso-14001/ and - ISO 14001: The benefits for customers - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/

About costs, it is difficult to answer because ISO 14001:2015 imposes nothing that the legislation does not impose. Thus, the costs incurred to comply with the legislation are not imposed by ISO 14001: 2015. Other costs are implementation and maintenance costs for the management system. For example, I’m currently working with a manufacturing company where costs of waste disposal are going to be reduced because of introducing waste segregation and recycling and by avoiding landfill.

You can find more information about ISO 14001 below:

• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

Necessary facility requirements to build medical devices

This really depends on the type of medical device that you produce. Facility requirements are not the same for example, for the software or sterile gauze products. 

If you have a sterile medical device then it is necessary to monitor the cleanliness of the production premises. Usually, medical devices that need to be sterilized are produced in a cleanroom. Requirements necessary for the cleanroom are stated in the ISO 14644 family of standards. 

Depending on the type of sterilization, each method has its own facility requirements.

Storage place is also important if there is a strict requirement for the storage temperature and humidity. 

For more information, please see the following article:

• Managing medical device infrastructure requirements according to ISO 13485:2016 https://advisera.com/13485academy/blog/2017/06/28/managing-medical-device-infrastructure-requirements-according-to-iso-13485/

• Can ISO 9001 lead auditor audit ISO 13485?

  Although basic things are the same between these two standards (like internal audit process, corrective actions, managing documents and records, managing non-conformances), there are certain specifications of the ISO 13485:2016 (mostly from points 6, 7, and 8 depending on the type of the medical device and type of production). If you are an auditor, then you know that auditors should dominate the audit criteria used. I suggest that you study the standard ISO 13485:2016, to specially check the Annex B of the standard where the correspondence between ISO 13485:2016 and ISO 9001:2015 is explained.

  For more information on what ISO 13485 is, please see the article on the following link:

  • What is ISO 13485? https://advisera.com/13485academy/what-is-iso-13485/

  For more information about Similarities and differences between ISO 9001:2015 and ISO 13485:2016, please see the article on the following link: https://advisera.com/9001academy/blog/2015/01/21/iso-9001-vs-iso-13485/

• GDPR Processor (Software Sturtup)

  It is such a general question that the answer can be: it depends on your activity. If your software startup processes data determining means and purposes of processing it will be considered as a controller, while if your company will process data on behalf of someone else it will be considered as a processor.As a processor you will have to comply with the obligations listed in Article 28 GDPR and be liable for compliance with GDPR requirements.

  Here you can find more information:

  • Article 28 GDPR: https://advisera.com/eugdpracademy/gdpr/processor/
  • EU GDPR controller vs. processor – What are the differences?https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
  • 9 steps for implementing GDPR https://advisera.com/articles/9-steps-for-implementing-gdpr/
  • First steps to take to reach GDPR compliance https://advisera.com/eugdpracademy/blog/2018/10/08/first-steps-to-take-to-reach-gdpr-compliance/
  • A summary of 10 key GDPR requirements https://advisera.com/eugdpracademy/knowledgebase/a-summary-of-10-key-gdpr-requirements/
  • Key roles defined in EU GDPR https://advisera.com/eugdpracademy/knowledgebase/key-roles-defined-in-eu-gdpr/ 

  You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

• Other ISOs used by the medical devices

  Aside from the ISO 13485:2016, all medical devices need to be in compliance with the applicable harmonized standard. The list of harmonized standards is published by the Official Jurnal of the European Union. According to Article 8 of MDR 2017/745 – use of harmonized standard, medical devices must be in compliance with relevant harmonized standards, or the relevant parts of those standards, the references of which have been published in the Official Journal of the European Union.

  The following harmonized standards are applicable for all manufacturers of the medical devices:

  • EN 1041:2008 Information supplied by the manufacturer of medical devices
  • EN ISO 13485:2016 Medical devices — Quality management systems — Requirements for regulatory purposes
  • EN ISO 14971:2012; medical devices - Medical devices — Application of risk management to medical devices
  • EN ISO 15223-1:2016 Medical devices — Symbols to be used with medical device labels, labeling and information to be supplied — Part 1: General requirements (ISO 15223-1:2016, Corrected version 2017-03)
  For more data, please see the following links:
  • EU MDR Article 8 – Use of harmonized standards https://advisera.com/13485academy/mdr/use-of-harmonised-standards/
  • What are EU harmonized standards? https://advisera.com/13485academy/blog/2020/06/12/what-are-eu-harmonized-standards/
  • Link to the harmonized standards published by EU https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2020:090I:TOC

  • Information security in project management

    The application of information security in project management will depend on the results of risk assessment and on applicable legal requirements (e.g., laws, regulations, and contracts). For example, the results of risk assessment can show that you have relevant risks for information security in all your projects, or only to specific types

    Regarding legal requirements, you may not have any law or regulation you must comply with requiring information security for projects, but at the same time, you have a contract with a client requiring information security applied to all projects you have with him.

    This article will provide you a further explanation about security in projects: 

    • How to manage security in project management according to ISO 27001 A.6.1.5 https://advisera.com/27001academy/what-is-iso-27001/

  • ISO 27001 and ISO 27031

    ISO 27001 and ISO 27031

    We received this question:

    How do you see the practical interlock between 27001 and 27031?

    Answer: ISO 27031 is a supporting standard which provides specific guidance and recommendations for the implementation of controls from section A.17.1 of ISO 27001 Annex A (Information security continuity).
     
    Considering that, you can use ISO 27031 to make it easier to implement controls from this section, and achieve a more robust solution.   

    This article will provide you a further explanation about ISO 27031:
    - Understanding IT disaster recovery according to ISO 27031 https://advisera.com/27001academy/blog/2015/09/21/understanding-it-disaster-recovery-according-to-iso-27031/

     

     

  • Explanation of Annexure 18 of ISO 2017:2013

    Very detailed explanation. Thank you

  • Enterprise Data Centre

    Understanding the physical and logical requirements is always important, regardless of the asset size or complexity, because this will allow you to identify the solutions that will properly support your need, without letting any gaps (if requirements are underestimated), or consuming unnecessary resources (if requirements are overestimated).

    Considering that, without knowing your context and risks it is not possible to define practical solutions. What can be done is mention common practices (which should be evaluated considering your context and risks):

    • physical segregation from other environments
    • logical segregation of servers, networks and services
    • redundancy of single points of failure (e.g., power cable, communication links, etc.)

    For further information see:

    • The most common physical and network controls when implementing ISO 27001 in a data center https://advisera.com/27001academy/blog/2019/02/26/the-most-common-physical-and-network-controls-when-implementing-iso-27001-in-a-data-center/
    • ISO 27001 Case study for data centers: An interview with Goran Djoreski https://advisera.com/27001academy/blog/2013/10/29/iso-27001-case-study-for-data-centers-an-interview-with-goran-djoreski/
    • Physical security in ISO 27001: How to protect the secure areas https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/

  • SOC Reports

    1 - I would like to ask you if you have some resources for learning about SOC reports.

    I am sorry but our content is developed for ISO 27001. Anyway, this information (from the official site of the American Institute of CPAs) about SOC and ISO 27001 can be interesting for you (see the Excel “Trust Services Map to ISO 27001"): https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/soc2additionalsubjectmatter.html

    In Excel, there are some points in common between ISO 27001 and SOC, so for these points, you can use our toolkit “ISO 27001 Documentation Toolkit”: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    2 - Is it worth if a company works on ISO27001 controls and the SOC reports at the same time? Does ISO27001 cover the SOCs?

    SOC 1 deals with controls at a service organization’s Internal controls over financial reporting systems, while SOC II has several common points with ISO 27001:2013: risk management, internal audit, business continuity, access control, etc.

    Considering that, ISO 27001, which is an international standard for information security, can be used to implement some of the controls defined by SOC, but they do not have a direct relation, neither one is required to implement the other.

    These articles will provide you a further explanation about ISO 27001:

    • What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    • The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    • Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/

    These materials will also help you regarding ISO 27001:

    • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    • ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/