Search results

  • Example of a completed Risk Assessment Table

    For an example of Risk Assessment and Risk Treatment I suggest you take a look at this paper:

  • Which records need to be signed with a hand-written signature (or electronic equivalent)?

    In ISO 13485:2016 there are no strict requirements regarding the type of signature. Requirement 4.2.4 Control of documents states that documents need to be reviewed and approved for adequacy prior to issue; that each document needs to be reviewed, updated as necessary and re-approved; that the current revision status of and changes to documents are identified; that relevant versions of applicable documents are available at points of use; and that documents remain legible and readily identifiable.

    Requirement 4.2.5 Control of records states that each record shall be maintained to provide evidence of conformity to requirements and of the effective operation of the quality management system.

    So it is up to your organization how this will be solved.

    For more information about common mistakes with ISO 13485:2016 documentation control and how to avoid them, please see the following link:

    • Common mistakes with ISO 13485:2016 documentation control and how to avoid them https://advisera.com/13485academy/blog/2018/03/14/common-mistakes-with-iso-134852016-documentation-control-and-how-to-avoid-them/

    • List of documents for BCMS

      It is feasible to have a sequential document list only for BCMS.
      I can tell you that we already have an ISMS in place and we will start implementing our BCMS shortly. Regarding the documents, we acquired the complete package to help us complement the ISMS that we currently have.

      Please note that included in your toolkit there is a List of documents file that identifies the documents applicable to an ISO 22301 BCMS implementation.

      Some of them are exclusive for ISO 22301 (e.g., Business Continuity Policy), and will need to be created from zero, while others are common for both ISO 27001 and ISO 22301 (e.g., Training and Awareness Plan), and you will need only to perform some adjustments.

      Regarding the sequence, the List of documents file presents the documents in the order they need to be implemented.

      For further information, see:

    • Measurement uncertainty

      You asked

      Is measurement of uncertainty applicable for our scope of work? 

      All testing laboratories must evaluate or, at least, estimate measurement uncertainty by identifying contributions to measurement uncertainty and considering all significant contributions including those arising from sampling and using appropriate methods of analysis. Where detailed measurement uncertainty evaluation is not possible due to the nature of the test method, the measurement uncertainty may be estimated based on principles of the techniques or practical experience of the performance of the method.

      You also asked

      What are the factors to be considered if we require to calculate the same?

      Measurement uncertainty is a statistical representation, representing the statistical certainty that the true result lies within the stated margin. It is understood as the margin of doubt regarding the results of any measurement.

      To establish how large the margin of doubt is for a method, at a specified confidence level (e.g., 95% confidence), all the contributions (from your method steps and calculations) must be included, either in a mathematical budget or by using long term quality control data of reproducibility and bias. It depends on the method and what you have available: standard uncertainties derived from various sources (such as calibrations) or long term “whole method” standard deviation.

      You also asked

      Can you suggest some tools for the calculation?

      For more information regarding the measurement uncertainty, see the ISO 17025 toolkit document template: Evaluation of Measurement Uncertainty Procedure at https://advisera.com/17025academy/documentation/evaluation-of-measurement-uncertainty-procedure/ This covers the basic principles and steps to plan, measure and calculate the data required for an evaluation of measurement uncertainty. The two appendices related to the document, Measurement Uncertainty Checklist and Measurement Uncertainty Record support the process. I recommend you also look to your sector and suppliers for commonly used approaches.

    • Providing consultation to a 3rd party

      Concerning consulting, if the third party agrees to work with you, it is something that is up to the two parties.

      Concerning performing ISO 9001 internal audits, it is up to your audit client to determine internal auditor requirements. If you comply with their requirements I, as an external auditor, would not have anything against it.

      You can find more information below:

    • Carrying out document control effectively

      Document control means that relevant documents for the quality management system:

      • Are approved by an authorized person
      • Relevant users have access to those documents
      • Obsolete versions are removed
      • It is easy to check the current version of a document and what changed from the previous version

      Please check in this article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/ the list of mandatory records required by ISO 9001:2015

      You can find more information about records below:

       

    • GDPR Privacy queries

      Will having longitude and latitude, i.e. geolocation coordinates (and hence the home address, I believe, if I am not wrong), of some person be considered as PII?

      Yes, GDPR considers location coordinates as well as the home address as personal data. Article 4, (1) GDPR states that ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

      Since Clouds like Amazon AWS have backups happening across the world to maintain a high availability and for BCP purposes, so I feel it's a fair assumption to think that AWS will be considering privacy laws like GDPR before sending European resident PII data to any other country outside Europe. Correct?

      Yes, Amazon AWS implemented the GDPR compliance system in its services. Here you can find what Amazon does for GDPR https://aws.amazon.com/it/compliance/gdpr-center/

      While doing assessment, do I need to ask vendors to give me a list of countries where the cloud is sending the backup data (containing PII) to, while thinking of privacy? Logic being European resident data is going outside Europe, ask if the cloud follows GDPR by having controls or not.

      You need to establish with your vendors who act as data processors a data processing agreement requiring them to select cloud providers who are compliant with GDPR (i.e. with data centers in the EU). You can also demand proof of compliance with GDPR of their cloud servers, as the data controller has the power to give instructions on data processing, according to article 28 GDPR.

      Am I correct regarding applicability of GDPR in below practical life scenarios-

       a) European resident (not citizen) went to India and registered an account with Uber by giving his PII and rode on a cab. So GDPR would NOT be applicable regarding handling of this European person. Correct, I think GDPR should be as law of land will prevail which is India in this case and not Europe.

      Article 3 GDPR defines the territorial scope of GDPR and it is applicable to data processing taking place in the EU or from data controller located in the EU. Therefore, the EU citizen in India will not be under GDPR.

      b) Indian resident went to Europe and registered an account with Uber Europe by giving PII and is currently doing a cab ride, so GDPR will be applicable as per what's written in the GDPR regulation. Correct?

      Yes, it is correct.

      Now the Indian resident has completed the trip and has gone back to India and left Europe. Will GDPR still protect his PII data which is now residing in Europe?

      GDPR will protect data collected through the EU company, while the data collected through the Indian company will not be under GDPR, because the data processing is outside the EU, with non-EU citizens and through a non-EU data controller.

      Someone from India wants to make a trip to Europe and thought of advance booking, so while sitting in India itself registers an account by giving his PII on the website of some European tour operator with its data center in: c.1) Europe - Will GDPR be applicable? c.2) Outside Europe - Will GDPR be applicable?

      Yes, all data processed by the EU data controller (European tour operator) are under GDPR, for the processing carried out all around the world.

      Will the time of the actual visit make any difference on GDPR applicability i.e. GDPR is ON only after the actual visit has happened and not before?

      No, even if the Indian tourist does not leave India but gave some PII to European Tour Operator, personal data will be processed according to GDPR.

      Since IP is a PII, so will even the Dynamic IP (not static IP) be considered as PII? By the time the captured dynamic IP will be processed to find PII, the dynamic IP would have changed/expired.

      Requesting your guidance on these as I believe these will help me in understanding Privacy better.

      Yes, dynamic IP is a PII because it makes the individual identifiable, according to article 4 GDPR.

      Here you can find more information:

      If you want to know more about GDPR compliance you can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

    • Sterilization procedure template

      1. We have a procedure “Sterilization” covering below topics: Elements of the validation process - Bioburden Method validation - Bioburden enumeration - Sterilization process validation - Sterility testing - Validation by The Bacteriostasis/Fungistasis Test - Sterility testing - EO residue - Bacterial endotoxins (LAL) test - Product Package Testing - Functional test - Validation records and approval - Impact on manufacturing and packing in routine - Process review - requalification - Concession. However, we have a separate procedure on Sterility monitoring, covering below topics: Microbial environmental monitoring - Product bioburden monitoring - Sterility testing (confirmation) - Bacterial endotoxins (LAL) test - Product Package integrity testing. In the sample we see from your documentation we only find “Sterilization”. Are the monitoring topics included in the Sterilization procedure template?

      Yes, monitoring and validation topics are included in the Sterilization procedure. We wanted to simplify documentation, so we prepared just one procedure for that.

      On this link you can find out how to manage the medical device sterilization process according to ISO 13485:2016

      The documents show a very adequate relationship to the ISO 13485 paragraph that is the basis for the requirement. Although most of these requirements are (then again) based on Articles and annexes of the EU MDR (2017/745). For example: 7.3.9 (ISO) is based (now in MDR) on Annex IX, 2.2 c and Article 10. Are there any referrals in the document pointing to these specific MDR articles/requirements (possible?)

      No, in our procedures we refer only to the MDR in general. However, this is a very good suggestion, we will think about it to implement in our documentation. Thank you for pointing it out to us.
