Search results


  • Auditable clauses

    Clauses 4 to 10 in ISO 9001:2015 are the auditable clauses. Annexes are not auditable; they are just informative.

    You can find more information below:

  • How to market to potential clients after ISO 9001

    Customers are all different but can be segmented into more or less homogeneous groups. Some segments may value, or even require, that their suppliers be ISO 9001 certified. Pick those segments, identify individual potential clients and think about what benefits they want to get, and what kind of function or role will be more likely concerned with that. Search LinkedIn or trade databases for those functions or roles and industry sector. Your organization could start systematic work of presenting communications at seminars and conferences attended by those functions or roles, or publishing technical articles in magazines or specialized blogs.

    You can find more information below:

  • Risk based approach in ISO 13485

    1. Has there been a noticeable improvement with the implementation of 13485:2016 with the risk-based thinking approach?

    Since we are not a consulting company, unfortunately, we really do not have feedback from the field about this matter. But when we discuss with clients that have bought our toolkit, it is noted that the risk-based approach helped them in making individual decisions. For example, when defining critical suppliers and deciding with which to establish a quality agreement and with which not; then when determining when to go to the audit of a critical supplier, whether once a year or less often or more often; then, which software needs to be validated, etc.

    You can find more information about the risk-based approach in the following article:

    2. What must companies do in advance to prepare for the stringent EU MDR requirements for handling complaints?

    First of all, you need to learn about the MDR requirements. At this link, you can find the full text of the EU MDR (Medical Device Regulation): https://advisera.com/13485academy/mdr/

    Then it will be best to check which additional documentation you need to have to be in compliance with the MDR and to compare it with your current status.

    You can find the complete EU MDR Checklist of Mandatory Documents at the following link: https://info.advisera.com/13485academy/free-download/eu-mdr-checklist-of-mandatory-documents

    Once you have identified which documents these are, they need to be prepared.

    You can see what templates for the Clinical Evaluation, Post-market surveillance system and Technical file look like in our ISO 13485 & MDR Integrated Documentation Toolkit: https://advisera.com/13485academy/iso-13485-eu-mdr-documentation-toolkit/

  • ISO 13485 for outsourced supplier – is it necessary?

    According to ISO 13485:2016, requirement 1 Scope, this standard is applicable to entities involved in all life-cycle stages of a medical device. Among others, suppliers or external parties that provide products or parts of the product are also listed. What is most important from the notified body's point of view is that traceability for the entire production process must be covered. Therefore, it is expected that both manufacturers and outsourced suppliers will have implemented ISO 13485:2016.

    Since your company is already ISO 9001 certified, you can buy only the documents that are requested by ISO 13485 from our ISO 13485:2015 documentation toolkit: https://advisera.com/13485academy/iso-13485-documentation-toolkit/

    At the end of this web page, you can check and purchase individual documents as well.

    Also, the following articles can be helpful:

    • Checklist of ISO 13485 implementation and certification steps: https://advisera.com/13485academy/knowledgebase/checklist-of-iso-13485-implementation-and-certification-steps/
    • Six key benefits of ISO 13485 implementation: https://advisera.com/13485academy/knowledgebase/six-key-benefits-of-iso-13485-implementation/

    • ISO 27001 scope

      1. We use a third party to provide infrastructure for our product (Installation sits on an AWS Server). On the Scope document, what would we put under “Location” for these servers that are provided by a third party?

      Please note that under “Location” you need to include only your premises locations, not those of your providers. Regarding the infrastructure you mentioned, you only need to specify them and explain they are provided by a third party under "Networks and IT infrastructure", so this information can be used during the other phases of the implementation (e.g., risk assessment and risk treatment).

      For further information, see:

      2. What would we count as our assets regarding these servers that are provided by a third party? These servers are accessed by our staff to do our work using any laptop that is available to us, provided that the IP is cleared by our CTO to access the servers.

      The proper approach will depend on the level of control you have over these servers:

      • if you need to operate and maintain the servers (i.e., the provider only offers the virtual machines), you should count as assets the servers themselves
      • if you only use the servers (i.e., the provider operates and maintains the servers), it is better to count them as a single service

      For further information, see:

      3. Do we need to reference anything from the Third Party provider? Where will it be referenced in the ISMS?

      The relation with Third-Party providers should be referenced primarily in the List of legal, regulatory, and contractual requirements, identifying the contracts or agreements signed with them (so the organization is aware of what needs to be considered). They can also be referenced in the risk assessment and risk treatment process (where you can identify relevant risks related to them and define proper treatment).

      4. Can you give examples of how regulations, like GDPR, translate into a policy or procedure, like a specific rule in the Information Security Policy document? I just want to see an example of the wording pattern in a policy where a regulation is referenced.

      Please note that legal requirements (e.g., laws, regulations, or contracts) should not be directly translated into policies or procedures (this approach would quickly turn the documents into a mess).

      The approach adopted in our toolkit is to list the relevant legal requirements in the List of Legal, Regulatory, Contractual and Other Requirements template, located in folder 02 Identification of Requirements, and from this list, identify which controls from Annex A must be applied (this identification is made in the Statement of Applicability, located in folder 06 Applicability of Controls).

      With this approach, aligning the legal requirements with controls first, we ensure that legal requirements that use the same controls are covered by the same general text we have already developed, compliant with the standard, and you will only need to include specifics (e.g., references to technologies and activities) as needed (the parts of the text that require customization are identified in the templates).

      For example, GDPR Article 32 requires companies to use (where appropriate) pseudonymization and encryption of personal data. In this case, controls from section A.10 Cryptography are applicable, and in the related document, Policy on the Use of Encryption, located in folder 08 Annex A Security Controls >> A.10 Cryptography, you only need to specify elements like "Name of the system", "Cryptographic tool", "Encryption algorithm", and "Key size".

      5. Let’s say the scope of ISMS for now applies to the Services that we provide that are hosted in a third party provided server. What would be examples to exclude?

      Since you are referring only to your provided services, an example of a scope exclusion would be the organization's administrative departments. Since exclusions of the ISMS scope will depend on the organization's objectives, without more detailed information, it is not possible to provide a more detailed answer.

    • Gap analysis

      You can access the ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/ - however, we do not recommend using it for companies smaller than 500 employees because it would make your implementation unnecessarily complex. The point is, during the implementation of the toolkit (especially during the risk assessment and treatment) you will analyze which controls you have in place, so this is why the gap analysis is not needed.

      This article will provide you with a further explanation about gap analysis:

    • Default legal position around data transfers under German Laws

      Germany applies the GDPR, which is an EU Regulation with direct application in the EU Member States' legislation. Therefore, data transfers are ruled by Articles 44-50 of the GDPR.

      Transfers of data are free among the EU countries, while transfers outside the EU are subject to requirements such as:

      • An adequacy decision by the EU Commission. The EU Commission has so far made adequacy decisions for the following countries: Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States (Privacy Shield). You can verify any update to the list on the EU Commission website: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
      • Standard data protection clauses adopted by the Commission, which are contractual clauses that grant some protection rights to parties.
      • Standard data protection clauses adopted by a supervisory authority (DPA). This is the link to the Federal Data Protection Authority in Germany: https://www.bfdi.bund.de/EN/Home/home_node.html
      • An approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or
      • An approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

      Here you can find some information:

      • 3 steps for data transfers according to GDPR: https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/
      • Standard Contractual Clauses for the Transfer to Processors and Standard Contractual Clauses for the Transfer to Controllers: https://info.advisera.com/eugdpracademy/free-download/standard-contractual-clauses-annexes
      • EU GDPR Article 44 – General principle for transfers: https://advisera.com/eugdpracademy/gdpr/general-principle-for-transfers/
      • EU GDPR Article 45 – Transfers on the basis of an adequacy decision: https://advisera.com/gdpr/transfers-on-the-basis-of-an-adequacy-decision/
      • EU GDPR Article 46 – Transfers subject to appropriate safeguards: https://advisera.com/gdpr/transfers-subject-to-appropriate-safeguards/
      • EU GDPR Article 47 – Binding corporate rules: https://advisera.com/gdpr/binding-corporate-rules/
      • Free webinar – How to make personal data transfers to other countries compliant with GDPR: https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/

      You may also consider enrolling in this online EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

    • Assessing the infosec requirements for new ICT systems

      The meaning of assessing information security requirements for new ICT systems is to cover at least these points:

      • to identify what the new systems have to provide in terms of information security, so you can make a clear evaluation of the possible solutions
      • to ensure the new systems are compatible with the current systems they have to connect to, so security levels are maintained
      • to plan for potential compensation controls in case the new systems do not fulfill all requirements

      This article will provide you with a further explanation about requirements definition:

      These materials can also help you:

    • Is a written procedure required for internal audit if the audit is outsourced to an outside consultant?

      Yes, it is stated in requirement 8.2.4 Internal audit that the organization must document a procedure that describes the responsibilities and requirements for planning and conducting audits and all necessary reports. Therefore, in your procedure you will describe that you have an outsourced internal audit process, you will describe which criteria that company has to meet, how you will communicate with them, how you will plan the internal audits, how the consultant company will give you reports, and so on. To summarise, this procedure needs to have all the elements requested by the standard and needs to prove how you will have this process under control. Remember that even though you have outsourced this process, it remains your responsibility.

      The following articles can be of help:

      You can also see what the ISO 13485:2016 Internal Audit Toolkit looks like here: https://advisera.com/13485academy/iso-13485-internal-audit-toolkit/

    • Sensitive data requested for refund processing

      Article 5(c) GDPR requires processing personal data according to the principle of data minimization, which means that the organization shall require as little personal data as possible. However, you should check the privacy notice of the company and their refund policy. Sometimes additional data may be required by the company's anti-fraud process or required by law.

      Here you can find some information:

      • GDPR Article 5 – Principles relating to processing of personal data: https://advisera.com/gdpr/principles-relating-to-processing-of-personal-data/
      • Four main questions for obtaining and managing data subjects’ consent under GDPR: https://advisera.com/eugdpracademy/knowledgebase/four-main-questions-for-obtaining-and-managing-data-subjects-consent-under-gdpr/
      • Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/

      You may also consider enrolling in this online EU GDPR Foundations Course:

      • EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//