1. When we revise a risk management table on an annual basis (new document), I'm not sure if we assess risks (consequence and likelihood) with all implemented controls/safeguards in mind or without them? If we take already implemented controls into account when assessing risks, almost all risks are acceptable (few residual risks remain), so there is no need for additional treatment at this moment.
When you perform a risk assessment review, you need to consider the risk values including the effects of implemented controls. You only need to ensure that the information about the implemented controls is also documented in the risk assessment.
2. Hypothetical: if all risks are acceptable according to our methodology, is it OK not to have a Risk Treatment Plan?
It is acceptable to have no update in the current Risk Treatment Plan in case all risks are acceptable, but please note that the Risk Treatment Plan can also be used to improve control efficiency (i.e., you can achieve the same results using fewer resources), or in case you need to change technology but this change will not have an effect on the risk value.
This article will provide you with a further explanation about continual improvement:
It is expected that under an ISO 27001 certified ISMS an organization has only one risk assessment and risk treatment methodology approach, so it can produce comparable results across the whole ISMS scope, but there are rare cases where parts of the scope may be under different legal requirements (e.g., laws, regulations or contracts) requiring each of them to use a different approach, or the processes defined by the organization require different approaches (e.g., a risk management process for project development and one for financial risk assessment).
In such cases, the ISMS must provide a way for the risks from different approaches to be compared (e.g., by using a conversion table, so the results from one approach can be translated to the other and vice versa).
This material will also help you regarding risk management for ISO 27001:
The ISO 45001 standard is best implemented like any other project, with a structured plan and a firm foundation in approval by top management. The plan needs to have adequate resources to see it through, from performing the gap analysis to see what you already have in place that meets the standard, through to the certification process. The steps of the implementation are graphically represented below.
You can see the implementation process in this free download: Diagram of ISO 45001 Implementation Process, https://info.advisera.com/45001academy/free-download/diagram-of-iso-45001-implementation-process
It depends on the cookies: some cookies are needed for functionalities that cannot be blocked without preventing the website from working (in this case the website will be compliant).
You should check what kind of cookies are still working and verify whether they belong to the cookies that can be blocked by users or not (tracking and statistics).
Cookies are governed by the e-Privacy Directive and they are connected to the GDPR through Article 13 on consent. This May the European Data Protection Board reviewed the guidelines on consent under the GDPR and addressed cookies: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en
You can find more information here:
You may also consider enrolling in this online EU GDPR Foundations Course:
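As an added example (not part of the original answer), the check described above in code: a small Python script that compares the cookies a site sets before the visitor has consented against the site's declared cookie inventory and flags the statistics and marketing ones. All cookie names, categories and Set-Cookie headers are constructed.

```python
"""Added example: audit cookies set before consent against a declared inventory.
Inventory, categories and sample headers are constructed for illustration."""
from http.cookies import SimpleCookie

# Constructed inventory: what the cookie policy declares for each cookie.
# Only "necessary" cookies may be set before the user consents.
COOKIE_INVENTORY = {
    "session_id": "necessary",
    "csrf_token": "necessary",
    "cookie_consent": "necessary",
    "_ga": "statistics",
    "_gid": "statistics",
    "ad_id": "marketing",
}

EXEMPT = {"necessary"}


def parse_set_cookie(headers):
    """Return the cookie names found in a list of Set-Cookie header values."""
    names = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)  # parses name=value plus attributes (Path, Max-Age, ...)
        names.extend(jar.keys())
    return names


def audit_pre_consent(headers, inventory=COOKIE_INVENTORY):
    """Classify cookies from a pre-consent response.

    Returns (allowed, violations, unknown): allowed are declared necessary,
    violations are declared but require consent, unknown are not in the policy."""
    allowed, violations, unknown = [], [], []
    for name in parse_set_cookie(headers):
        category = inventory.get(name)
        if category is None:
            unknown.append(name)  # undeclared cookie: the policy must be updated
        elif category in EXEMPT:
            allowed.append(name)
        else:
            violations.append((name, category))
    return allowed, violations, unknown


# Constructed sample: Set-Cookie headers from a first response, before consent.
SAMPLE_HEADERS = [
    "session_id=abc123; Path=/; HttpOnly; Secure",
    "cookie_consent=pending; Path=/; Max-Age=31536000",
    "_ga=GA1.2.111.222; Path=/; Max-Age=63072000",
    "ad_id=xyz; Path=/; Max-Age=2592000",
    "experiment_bucket=B; Path=/",
]

if __name__ == "__main__":
    ok, bad, unk = audit_pre_consent(SAMPLE_HEADERS)
    print("allowed before consent:", ok)
    print("require consent but were set:", bad)
    print("not in cookie inventory:", unk)
```

In practice the headers would come from the first response of a fresh browser session, before the consent banner is clicked.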
Requirement 4.1.5 states that the control of the outsourced process should be written in the quality agreement. In our ISO 13485 Documentation Toolkit we have a template for a Quality Agreement for critical suppliers. You can see how the template looks and which elements it contains at the following link:
Another part of this topic is how you will define, in your Purchasing process, control over companies that provide you with outsourced processes. According to requirement 7.4.1 Purchasing process, an organization must plan the monitoring and evaluation of suppliers. Usually, manufacturers that have outsourced processes plan audits of those companies at a frequency they find justified. These audits are performed by the same rules as their internal audits.
You can find more information on how to control outsourced processes in the following article:
It is very hard for me to say what objectives you can have for your medical device. According to requirement 5.4.1 Quality objectives, quality objectives are a tool to highlight essential elements in your quality policy, while giving employees a framework for achieving continual improvement. For example, one goal can be to have less than 1% scrap in production, or to reduce customer complaints from 5% to 3%.
The following articles can help you in that process:
You can also see how the template for setting quality objectives and planning looks in our ISO 13485:2016 Documentation Toolkit:
Theoretically, the steps are the same as for any other company. In practice, there are differences in how flexible the people involved are.
The first step is to perform a gap analysis, to determine the amount of work to be done, comparing what your organization already has in place versus the ISO 9001:2015 requirements. From that gap analysis you can develop your Project Plan, listing what needs to be done, by whom, and by when.
Then, an important step is to design a model of how your organization works as a set of interrelated processes. For example:
Decide how to describe and monitor those processes.
From there, it is implementation in order to close the gaps found. Then, perform an internal audit and the management review. There you can decide if your organization is ready for a certification audit.
This is a very short description of the journey but below you can find more detailed information:
I would like to know how the class of a medical device affects the documentation required to implement a quality management system according to ISO 13485:2016.
The class of medical device does not affect the documentation required to implement a quality management system according to ISO 13485:2016. The class of medical device only affects the technical documentation necessary to prove compliance with medical device regulations.
For more information, please see the following articles:
I mean, if we manufacture a class IIa medical device (specifically a gamma probe), what types of certification should it have? (IEC 60601 for electromedical equipment, electromagnetic compatibility, among others.)
Your medical device must be certified by the notified body and get the CE mark. If it is active equipment (it needs electricity to operate), then it has to have an IEC 60601 certificate for electromagnetic compatibility. If you have some software that drives the device, then it should be validated according to IEC 62304:2006 Medical device software — Software life cycle processes. Whether there is any other standard is hard to know because I do not have enough data.
Is it possible to know all the documentation that is necessary for the design and manufacturing of gamma probes? Thanks
You can see all the documentation that is necessary for the design and development of medical devices according to ISO 13485:2016 in our ISO 13485:2016 Documentation Toolkit at the following link: https://advisera.com/13485academy/iso-13485-documentation-toolkit/
At the end of the page, under the title "Toolkit Documents", you can search for Design and development. There you will find all the necessary documents.
1. We are discussing the implementation steps and we are a bit confused about the Risk Treatment Implementation and the Risk Treatment Plan. Please, what's the difference between the two? When are the risks actually treated?
In the risk treatment implementation, you need to define what to do with risks (e.g., risk mitigation, risk avoidance, risk acceptance, and risk transfer), while in the Risk Treatment Plan you define the actions, responsible persons, and deadlines to implement the chosen option. For example:
These articles will provide you with a further explanation about risk treatment and the risk treatment plan:
2. Also, what's the difference between the risk treatment methodology and the risk treatment plan?
The risk treatment methodology refers to the rules (e.g., steps and criteria) to be followed when performing the risk treatment, while the Risk Treatment Plan is one of the outputs of the risk assessment and risk treatment process as a whole (together with the Statement of Applicability). Please note that the most common reference you will find is to the Risk Assessment and Risk Treatment Methodology, because ISO 27001 requires the definition of processes for both risk assessment and risk treatment.
These articles will provide you with a further explanation about the risk management process and risk treatment methodology:
These materials will also help you regarding risk management:
First, were those unavoidable circumstances related to the certification body? Let us consider that the answer is no.
Second, the certification body, while revoking the certification, was just following a known procedure.
Third, while choosing the certification body for the first time, did your organization follow the set of rules in this article: How to choose a certification body? https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
Fourth, how did your organization feel during the revocation process? Were they clear, were they reasonable, were they treating your organization fairly?
If during the revocation process they were clear, reasonable, approachable, and fair, if they were the right choice the first time, and since they already know your organization and your organization knows them, then pursuing certification from the same certification body could be a decision to follow.