Search results

Home / Search

Category:
Select
Select

11269 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Is shift change confirmation report required?

    According to IATF 16949 standard, 9.2.2.3; While the production process is being audited, each shift should be audited and the shift change should be sampled and the relevant evidence should be written in the audit report. 

  • Certification Requirements

    We have prepared the template for Technical documentation that is requested in Annex II of the MDR 2017/745. This document is much broader than is requested by ISO 13485:2016 but can be a guide if necessary.

    The question here is are you a manufacturer, distributor, or some other business entity? If you are a manufacturer, for the EU market, your medical device file must be totally in compliance with the Annex II and Annex III of the MDR 2017/745. If you are a distributor or some other business entity then it is enough to have in the Medical device file what is written in the standard.

  • Company Acquisition and Integration ISO27001

    Company Y can be included in the scope of company X. You can think that as an addition in the company X ISMS scope, and for that company X needs performing all sequential steps after a scope update with some adjustments:

    1. reviewing ISMS basic framework (e.g., scope, objectives, organizational structure), considering the organizational context of both companies and requirements of interested parties;
    2. review of risk assessment and treatment methodologies, to see which elements can be handled together and which ones need to be kept separate;
    3. review the risk assessment and define the updated risk treatment plan;
    4. adjustment of implemented controls when necessary (e.g., policies and procedures documentation, acquisitions, etc.), as well as the implementation of new controls required due to the new context;
    5. people training and awareness;
    6. controls operation;
    7. performance monitoring and measurement;
    8. perform an internal audit.
    9. perform management critical review; and
    10.  address nonconformities, corrective actions, and opportunities for improvement.

    These articles will provide you with additional information:

    Regarding how to audit this new scope, you may have these options:

    • perform a single audit covering both companies
    • perform separate audits for each company
    • perform separate audits covering similar areas in both companies (e.g., one audit covering HR of both companies X and Y) and audits related to specificities of each company (e.g., one audit for R&D of company X and one audit for R&D of company Y)

    Examples of criteria you can use to decide how to define the audits are the complexity of execution, availability of auditors, size of organizations, and number of employees.

    For further information, see:

  • Question related to Antivirus

    1. In the section titled "Managing records kept on the basis of this document" of the SECURITY PROCEDURES FOR IT DEPARTMENT document, it is stated under Controls for record protection that "Once the record is created, the record cannot be changed." Given that the record cannot be changed, what will be the record name that we can provide? This information has not been included in the documents, so I believe they should be erased because they are not applicable. Please let me know if you have any ideas or suggestions that we might write down or if we need to prepare any additional documents for this since records cannot be modified once they have been produced.

    For the change record name you can use the name of the current documentation you use to handle changes. In case you are implementing this record for the first time, you can use any name you want.

    The information about change record name is not included because ISO 27001 does prescribe it, and organizations normally already have their own named records (e.g., change plan, change order, change ticket, etc.)

    2. "There are 12 team members total, so I believe we will initially go for 3 team members as of now. I hope that will be fine to achieve the ISO 27001 certification or will there be any blockers for that? Yesterday we discussed antivirus, and I told you that we don't have any antivirus in our company. So as per your suggestion, we will run a pilot run for 3 employees basically with the IT administrator handling all the server data so we will install it first. How would you advise in this situation?

    In the Risk Treatment Plan, you can specify that you will start implementing a control gradually - as you suggested only for 3 employees initially, and afterward for the rest of the company.

  • Queries ISO 27001

    Hello, I did a translation of a documentation that I found from English to Spanish and there are things that I do not understand what they refer to, for example:

    Information security risk assessment does not require...

    What would not be required in this case, define risk acceptance criteria, define sanctions for non-compliance in information security, identification of security risks or identification of risk owners?

    Taking into account ISO 27001, the following is required for risk assessment:

    • Define a risk assessment process (risk identification, risk analysis, and risk evaluation)
    • Define risk acceptance criteria
    • Define criteria for performing risk assessment
    • Identify risk owners
    • Retain documented information about the risk assessment process

    Considering that, from your examples, defining sanctions for non-compliance in information security is not required.

    For further information, see:

  • Query on ISO 27001:2022 SOA

    ISO 27001 does not prescribe that information about how a control is implemented needs to be included in the SoA (the four items you listed are the only ones mandatory to be included in the SoA).

    However, we highly recommend including in SoA this information, because since SoA is a document that summarizes security practices adopted by an organization, this additional information makes the SoA a more useful document.

  • Improvement Log

    Please note that ISO 27001 does not prescribe any specific document for logging improvements, but typically the improvements will be documented through Corrective actions.

    To see what fields to consider, please take a look at this template of a corrective form: https://advisera.com/27001academy/documentation/corrective-action-form/

    This article will provide you with further explanation about continual improvement:

  • Change Management and QMS

    Regarding your question about where change management procedures are captured in a QMS, if you are talking about changes for production or service provision please check clause 8.5.6. However, if you are talking about changes to the quality management system please check clause 6.3.

  • Should we have risk management procedure including FMEA for all product lifecycle?

    You can make a Risk analysis for your part of the life cycle (sales and storage??) but then claimed that other parts of the risk analysis are within a particular outsourced company. To allow your awareness of this, you need to have an exact number of documents and revisions of the risk analysis from your outsourced companies, and during your audits of the outsourced companies you need to audit their risk analysis as well. 

    All of this is of course part of the Quality agreement. Just have in mind that no meter that you outsource everything, you are responsible for the product because it is under your name. So, you need to have control over all processes. 
Page 28-vs-13485 of 1127 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +