Search results


  • Minimum time frame to implement ISO 13485 to Stage 1

    The time necessary for the implementation of ISO 13485:2016 depends on the number of employees, on how many processes you have and how complex they are, and on what your medical device is (is it a low-risk medical device, do you have a sterilization process, is it software). Usually, for a company with 10 employees, some 2-3 months are necessary, and for companies with up to 50 employees, it takes some 6-8 months.

    Here you can find a Checklist of ISO 13485 implementation and certification steps:

    Although this article is written for ISO 27001, the content is universal, so maybe you will find it useful:

    • The documentation myth – Why the templates are not enough? https://advisera.com/27001academy/blog/2012/04/24/the-documentation-myth-why-the-templates-are-not-enough/

    • ISO 9001 vs ISO 22000

      I’m not an expert on ISO 22000 and Advisera does not provide services for ISO 22000. However, I invite you to check that both standards have a common structure (the so-called High Level Structure), so it is straightforward to integrate clauses 4, 5, 6, 7, 9 and 10.

      Major differences are around clause 8 in both standards.

      With ISO 9001:2015 you are working with:

      8.2 – handling customers’ orders
      8.3 – developing new products
      8.4 – purchasing materials, services and processes
      8.5 – manufacturing the products
      8.6 – controlling quality
      8.7 – treating non-conforming product
       

      With ISO 22000:2018 you are working with food safety:

      8.1 Operational planning and control
      8.2 Prerequisite programmes (PRPs)
      8.3 Traceability system
      8.4 Emergency preparedness and response
      8.5 Hazard control
      8.6 Updating the information specifying the PRPs and the hazard control plan
      8.7 Control of monitoring and measuring
      8.8 Verification related to PRPs and the hazard control plan
      8.9 Control of product and process
       

      Please check this article - Similarities and differences between ISO 9001 and ISO 22000 - https://advisera.com/9001academy/blog/2018/11/20/similarities-and-differences-between-iso-9001-and-iso-22000/

    • ISMS roles and responsibilities

      This is not sufficient, because not only must the ISMS champions know about their information security responsibilities, but so must all personnel included in the ISMS scope, so they know whom to look for in case of a situation related to information security.

      In this case, you must also consider:

      • Document information security roles and responsibilities in the policies and procedures used by the organization.
      • Provide awareness and training sessions for all personnel included in the ISMS scope.

      This article will provide you a further explanation about documenting roles and responsibilities:

      These materials will also help you regarding roles and responsibilities:

    • ISO 22301 gap analysis

      Please note that ISO 22301 does not require a gap analysis to be performed, and it is not recommended for smaller companies, because, in general, it is not worth the effort given their size and complexity. As an alternative, you can use the internal audit checklist, located in folder 10 Internal Audit, to make a quick assessment of your situation.

    • Ecosystem degradation cause

      Environmental changes that cause ecosystem degradation are based on many factors including:

      • Urbanization
      • Population growth
      • Economic growth
      • Intensification of agriculture
      • Increase in energy use
      • Increase in transportation


      You can find more information about ISO 14001 below:

    • Internet Access

      Although ISO 27001 does not prescribe access to the Internet only through the organization as mandatory, what happens in real life is that this is more a matter of common sense for business practice, a question of survival and competitiveness, than a standard's requirement (most businesses and their relationships go through the Internet).

      Considering that, when organizations' resources, like email services, are available through direct access to the Internet (e.g., to allow remote work), a common practice is to require access through Virtual Private Networks (VPNs), where the organization implements controls such as protected communication and access control to limit external access to authorized users and only to the needed information, and can also monitor activities and information flow.

      A third important point is awareness activities, so employees can understand the importance of accessing the Internet only through the organization, and the consequences of direct access.

      This article will provide you a further explanation about network controls:

      This material will provide you further information about employee awareness:

    • Procedure for clinical trials

      Yes, you are right. Unfortunately, in our toolkit there is no procedure for clinical trials because, in MDR 2017/745, the requirements for clinical investigation documents are described in great detail in Article 63, Article 72, and Annex XV (Chapters II and III). Furthermore, clinical trials must be performed according to the harmonized standard ISO 14155:2011 Clinical investigation of medical devices for human subjects — Good clinical practice. In most cases, clinical trials are conducted by specialized companies.

      You can find which documents are necessary for medical devices in the following material:

      • EU MDR Checklist of Mandatory Documents https://info.advisera.com/13485academy/free-download/eu-mdr-checklist-of-mandatory-documents

      • Risk assessment for GDPR

        "Hi Team,

        I do have a question as part of our toolkit plan.
        We have finished the risk assessment and treatment plan based on the 27001 approaches, which is asset-based.
        In the webinar "How to integrate GDPR with ISO 27001" it was mentioned that recommended is combined "Risk Assessment" for 27001 and GDPR.
        My question is: do you have a template methodology that combines both approaches?

         

        The webinar does not recommend the combined risk assessment for ISO 27001 and GDPR. On the contrary, the webinar recommends doing the risk assessment for ISO 27001, and DPIA for GDPR.  

        In fact, ISO 27001 is focused on information security and, as you said, is asset-based. GDPR focuses on the risks for freedom and rights of individuals arising from data processing, so the focus is on the data subject.

        ISO 27001 risk assessment helps to implement GDPR requirements, but there is no template that combines both GDPR and ISO 27001 because they are different regulations and require different implementation.

        In our EU GDPR & ISO 27001 Integrated Documentation Toolkit you can find a chart with the list of relevant documentation and with reference to mandatory requirements by both regulations. You bought ISO 27001 Documentation Toolkit so you can verify what documentation you need to implement in order to comply with GDPR requirements.

        You can find this chart in the free demo of the EU GDPR & ISO 27001 Integrated Documentation Toolkit: https://advisera.com/eugdpracademy/eu-gdpr-iso-27001-integrated-documentation-toolkit/

         

        How do we need to augment current 27001 methodologies & templates to be GDPR compliant? Our current risk register includes assets of type "Processes/Services", which map to processing activities. To confirm, I am not speaking about DPIA, which is unique to GDPR.

        As I said, the focus of the two regulations is slightly different, so ISO 27001 can help you to implement GDPR; however, implementing GDPR will require specific documentation. To comply with GDPR requirements you have to perform a DPIA, and there are templates in the GDPR Toolkit or in the ISO 27001 & GDPR Integrated Toolkit for that purpose.

        Is there anything specific in GDPR that would require extending the methodology that is included in your 27001 templates?

        You need to implement the data protection policy, data retention policy, employee data protection policy, privacy policies, and documentation which is specific to GDPR and is not covered by ISO 27001, like the inventory of processing activities according to the requirements of Article 30 GDPR, and, where required, appointing a Data Protection Officer.

        Here you can find our Toolkit to help you implement GDPR requirements.

        Here you can find more information:

        You may also consider enrolling in this online EU GDPR Foundations Course:
        EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

      • E-privacy laws compliance

        From your question, I understand that your company processes the personal data of your clients. Your company collects personal data in order to send newsletters and communications. This processing activity falls in the scope of GDPR (EU Regulation 2016/679), while the ePrivacy Directive applies to “the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community, including public communications networks supporting data collection and identification devices” (Article 3 ePrivacy Directive).

        In order to comply with GDPR you need to verify your processing of data, have a privacy policy, inform data subjects about the data processing and data retention periods, be sure you are processing data under a legitimate ground, and implement GDPR requirements.

        Here you can find some articles to guide you, and we have developed a toolkit to help data controllers comply with GDPR requirements.

        You may also consider enrolling in this online EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

      • Remote auditing

        In such instances as these, and I am envisaging at least another two similar audits of this nature, how can I be confident of the effectiveness of the outcome of an audit such as this?

        Answer:

        An effective audit is an audit that meets its objectives. As a good start, work with your client on the definition of the audit objectives. That way you can focus your time and attention on a very specific set of topics. You can use this picture to set the stage of the audit:

        https://www.screencast.com/users/ccruz5284/folders/Default/media/b4f51120-6c47-40fa-ba20-609eef9e78ef

        Start with the audit objectives. Then work backwards. What audit findings should be collected, and what audit sample size? And, therefore, what evidence needs to be audited? What areas of the organization and what topics? Hence, what documentation do you need to audit? How long will it take to read it? Allocate time for this reading during the audit.

        I also have another where I have to submit to a surveillance audit via remote means.

        Next June 25th Advisera will present a webinar on remote internal audits. With this pandemic event I have already performed some remote internal audits myself. You can do the interviews with videoconferencing applications; you can review digital documents and records through screen sharing and, with permission, take screenshots to document evidence. You can audit operations with an auditee or a surrogate auditor using a smartphone or a tablet. You can interview operators, you can ask them to zoom in and review hard copies of documents and records, and you can take a panoramic view of locations.

        I invite you to read this article – What are the benefits and barriers when performing remote audits? - https://advisera.com/articles/what-are-benefits-and-barriers-when-performing-remote-audits/

        Perhaps these Accreditation and Certification Body requirements may be useful for picking up some ideas:
