Search results


  • Some Information regarding ISO 13485 and ISO 9001

    Yes, the manufacturing of surgical masks must lie under the scope of ISO 13485.

    There is a difference between ISO 9001:2015 and ISO 13485:2016, and by implementing ISO 9001 not all requirements for the manufacturing of medical devices will be fulfilled. It is not a question of preference, but of what the legal regulations are and what requirements must be met in order for a medical device to comply with its regulations. ISO 13485:2016 is a standard that is specific to manufacturers of medical devices (Medical devices — Quality management systems — Requirements for regulatory purposes). Besides that, the web pages of the European Commission state which standards are applicable for all types of medical devices: https://ec.europa.eu/growth/single-market/european-standards/harmonised-standards/medical-devices_en

    On that list, which has around 300 standards, only ISO 13485:2015 is the standard for the quality management system.

    For more information on this topic, please see the following articles:

    • Similarities and differences between ISO 9001:2015 and ISO 13485:2016 https://advisera.com/9001academy/blog/2015/01/21/iso-9001-vs-iso-13485/
    • What is ISO 13485? - https://advisera.com/13485academy/what-is-iso-13485/
    • How to get ISO 13485 certified? - https://advisera.com/13485academy/iso-13485-certification/
    • Checklist of ISO 13485 implementation and certification steps - https://advisera.com/13485academy/knowledgebase/checklist-of-iso-13485-implementation-and-certification-steps/

    • Risk Assessment Table

      Please note that ISO 27001 objective is the protection of information, regardless of its format and where it is.

      Considering that, you need to evaluate your situation not by what you do, but by how it impacts the information you want to protect (in this case I'm assuming it is the data you access remotely).

      In your stated scenario, the loss of utility power may impact availability of processed information in the following ways:
      - an unauthorized person may have access to your facility and damage the equipment you use to remotely process data, so when utility power is back you cannot resume the work.
      - during the power loss, you cannot provide processed information

      In these cases, you need to consider how the UPS and generators affect your operational capacity to maintain the remote processing of information. Basically, all these risks are actually related to availability of information, which is part of the C-I-A triad.

    • ISO 9001:2008 vs ISO 9001:2015 risk analysis

      I recommend keeping the old risks in the register and adding the new risks. What must be updated are the columns in the register about, for example, probability, severity and result. If corrective actions were taken and were effective, either probability was reduced, or severity was reduced, or both.

      You can find more information below:

    • ISO 9001 sales metrics

      I recommend that organizations see sales as a process in order to develop metrics.

      For example, about the outputs:

      • Sales revenue (total or per line of product/service)
      • Number of complaints
      • Number of clients lost
      • Number of clients won
      • Average price

      For example, about the process:

      • Rate of successful proposals
      • Average time to proposal

      You can find more information below:

    • Statement of Applicability

      1 - My understanding of the SOA is that it lists the 114 controls of Annex A. An organization should select the controls that are ‘applicable’ to safeguard the assets that are in the scope of the organization's ISMS. Is this correct?

      There is something I do not understand. The above makes sense if the SOA only applies to 1 asset (for example, a single business system). In this example, 112 out of 114 controls might be applicable. But what happens when you add more and more assets? The 2 controls that are not applicable for the first asset might be applicable for the other assets – eventually, you just end up saying that all 114 controls are applicable and therefore the SOA does not really have much value at this point?

      When you add more assets, in fact, the number of applicable controls will increase, but from our experience with our customers, smaller companies are usually at ca 100 controls, while larger ones are usually above 110.

      For example, for companies that use only Commercial off-the-shelf (COTS) software, there is no need to apply control A.9.4.5 Access control to program source code, because there wouldn't be any source code in the organization.

      Please note that the Statement of Applicability purpose is not only to list the applicable controls, but also to provide justification for applicable controls (e.g., needed to treat risk, needed to fulfill a legal requirement, etc.), a justification for non-applicable controls, and the implementation status of the applicable controls. This information can be used to summarize an organization's approach to protect the information and to guide auditors during audits.

      For further information, see:

      2 - My other question is around risk assessments. If all 114 controls are applicable for a system, does that mean our risk assessment has to cover all 114 controls? Or would a better way be to do a ‘compliance assessment’ to verify which of the 114 controls are applicable and which of those controls are implemented and working effectively and then document the risks based on the control gaps?

       Please note that for ISO 27001 risks and requirements lead to controls applicability, not the other way around.

      Considering that, you do not need to identify risks to justify the applicability of all 114 controls, only the controls that are relevant to your organization.

      What you could do in the next regular risk review (e.g. in 6 or 12 months time) is to include the risks that you realized were missing from your existing risk assessment.

       This article will provide you a further explanation about risk assessment and risk treatment:

      This material will also help you regarding risk assessment and risk treatment:

    • Assessment/Treatment Methodology

      The list of legal, regulatory, and contractual or other requirements summarizes all requirements, interested parties, and responsible persons for complying with requirements that must be fulfilled by the ISMS.

      An example of how to fill in the List of Legal, Regulatory, Contractual, and Other Requirements, is this scenario:

      A customer has a service level agreement with your company which defines, on clause 32-b, that in case of a disruptive incident, access to information system ABC must be restored to at least 30% of normal capacity in no more than 24 hours. In this case, the person responsible for system ABC is responsible to ensure compliance of the system to this requirement. Then your document would be like this:

      Interested party: Customer Jon
      Requirement: Clause 32-b (recovering access to system ABC to at least 30% of normal capacity in no more than 24 hours)
      Document: Service level agreement
      Person responsible for compliance: System ABC administrator
      Deadline: 24 hours after the occurrence of disruptive incident which makes access to system ABC unavailable

      To see how a list of legal, regulatory and contractual or other requirements looks, please take a look at the free demo of our List of Legal, Regulatory, Contractual and Other Requirements at this link: https://advisera.com/27001academy/documentation/list-of-legal-regulatory-contractual-and-other-requirements/

      This article will provide you a further explanation about the list of requirements:

    • ISO 22301 Accreditation

       PECB does not require a specific set of courses or curriculum of study as part of the certification process, so self-study or third party training are optional. If you go for training, the completion of a recognized PECB course or program of study would be a better approach.

      For further information, see: https://pecb.com/en/examination-rules-and-policies

    • Online internal audit

      Thanks, and noted, but my query was related to online internal audit. Also, I would like to inform you that in India one online external audit was performed. If you require, I can give you the details.

    • Surveillance audit

      The surveillance audit will be used to verify that the quality management system is still working and procedures are being used. Particular attention will be paid to verifying the actions taken to close any non-conformities raised during the certification audit. The records associated with the system review, internal audits, complaints, treatment of non-conformities and development of corrective actions will be audited. Some processes will be audited at random to prove that the system continues to be followed.

      You can find more information below:

    • ISO 9001 for companies vs individuals

      Yes, ISO 9001:2015 is for organizations, not for individuals. If you want to be qualified in relation to ISO 9001:2015 you can look for courses where you can get a certificate.

      You can find more information below:
