In MDR, Chapter III - Requirements regarding the information supplied with the device it is stated that all labels for medical devices must be provided in a human-readable format and may be supplemented by machine-readable information, such as radio-frequency identification (‘RFID’) or bar codes.
In ANNEX VI – Information to be submitted upon the registration of devices and economic operators, in Part C are guidelines on how to implement bar code in UDI number.
There are also several guidelines from the Medical Device Coordination Group (MDCG) shown in the table:
MDCG 2018-1 v3 Guidance on basic UDI-DI and changes to UDI-DI
MDCG 2019-1 MDCG guiding principles for issuing entities rules on basic UDI-DI
MDCG 2019-2 Guidance on application of UDI rules to device-part of products referred to in article 1(8), 1(9) and 1(10) of Regulation 745/2017
MDCG 2018-2 Future EU medical device nomenclature - Description of requirements
Link to this table and all guidelines is: https://ec.europa.eu/growth/sectors/medical-devices/new-regulations/guidance_en
For more information, see the following article:
EU MDR – Easy-to-understand basics https://advisera.com/13485academy/what-is-eu-mdr/
FAI is referenced in clause 8.5.1.3 of AS9100 Rev D as an equivalent to “production process verification”. That is because the FAI process does a lot more than just validate the design: it verifies that all the processes, documentation and tooling utilized to create the first product are working properly to meet the design requirements. The FAI gives you a “line in the sand” stating that, when everything was set up in this manner, the product created met the requirements. Design validation is making one article to show that the design can work.
In answer to your question, though, this greatly depends on how your customer has defined the FAI and design validation requirements. The FAI does show that the design works, but it also shows much more and a failure in FAI might be due to other situations in the processes and could give a false negative of your design validation. However, if your customer accepts this as a design validation then it could be acceptable.
Find out more on FAI in the article: How does First Article Inspection fit into AS9100 Rev D?, https://advisera.com/9100academy/blog/2017/11/07/how-does-first-article-inspection-fit-into-as9100-rev-d/
Thank you for the response
I have a question regarding a data deletion request - once we delete all the data do we need to inform the data subject that the deletion has been done? Is there an official form that we need to send the data subject? Or anything we should do or be aware of?
Yes, according to article 19 GDPR the data controller must inform the data subject of erasure of data, which must be carried out, according to article 17 GDPR, "without undue delay".
The GDPR does not require a specific form for communication of erasure, however, we developed a template that you can find here.
EU GDPR document template:Confirmation for Erasure of Data: https://advisera.com/eugdpracademy/documentation/confirmation-for-erasure-of-data/
ISO 27001 does not prescribe how to build the inventory of assets, so organizations are free to build it in the way that best fulfills their needs. In cases like this, you can group files per type (i.e., files that share similar risks), and include only the type as an asset in the inventory of assets. For example, you can have an asset called "customer contracts", and others like "project specifications".
This article will provide you with further explanation about the inventory of assets:
1. I'm trying to find out who the risk owner would be for a technical risk (one of the nine from the STEEPCOIL)
I'm assuming that by STEEPCOIL you are referring to the acronym for Social, Technical, Economic, Environmental, Political, Commercial, Organizational, IT & Legal, used for grouping risks and opportunities.
Considering that, please note that ISO 27001 does not prescribe who the risk owner must be, so you can define any role you see fit. The concept adopted by ISO 27001 for risk owner is the one with the accountability and authority to manage a risk, i.e. the one who is both interested in resolving a risk and has enough authority to do something about it.
For example, an asset owner of a server might be the IT administrator, and a risk owner for risks related to this server might be his boss, the head of the IT department.
For further information, see:
2. With regards to the risk categories, do you know which one a power surge or a loss of power would fall under?
Considering common definitions used for STEEPCOIL: the most adequate category for power surge and loss of power would be organizational risks, because it covers risks related to the structure and ownership of assets responsible for the establishment and operation of a process facility (e.g., a power plant, or electricity company).
Currently I’m working with an Information Technology company. Let me explain the core of the quality management system:
Main processes, main sets of activities:
Comparing with ISO 9001:2015 clauses we have:
Please check this article about the main steps to implement a QMS according to ISO 9001:2015 requirements - Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/ - step 3 is where you define the borders of the QMS
I have a question regarding asset list/inventory. We are creating the list of assets for the Risk Assessment and Risk Treatment process. Once that list is complete and we come up with threats and vulnerabilities for each, is there any need for a separate list of assets as in A.8.1 Inventory of Assets?
ISO 27001 does not prescribe how to build an Inventory of Assets, and normally a single inventory is sufficient when control A.8.1 is considered applicable, so if you do not have any other requirement (e.g., a law, regulation, or contract) demanding a separate inventory, you can keep a single inventory.
For further information, see:
I know that you have stated that "assets are not only the information in electronic and paper form, but also software, hardware, services, people, facilities, and everything else that provides value to an organization.", so I have a question on that as well:
Our company is using a consulting group that has an online tool for managing all records and policies, but it seems to define assets strictly as devices. Also, risks are listed separately and are linked only to "category type", not to a specific detailed asset.
Unfortunately, I am not sure I understood your question entirely. Could you please clarify?
This is a great and very useful answer, Alessandra! And right in time. My organization has decided to partake in the EBSI initiative (European Blockchain Service Infrastructure). Some people in the organization have a pilot node running, and this was done without consulting with the CISO & DPO and now questions are being raised. Particularly concerning how compatible blockchain can be with someone requesting his data to be rectified or deleted... as that is precisely one of the key elements of blockchain technology: you cannot delete things.
Your CISO and DPO raised the point of tension between GDPR and blockchain. The question is under discussion among Data Protection Authorities. Much depends on the kind of blockchain you are implementing (public, private, permissioned?). However, you need to make a Data Protection Impact Assessment and structure the project following the principles of privacy by design and privacy by default (can data be anonymized or encrypted? Can you store personal data off-chain?). You also need to make clear in your privacy notice that you are using blockchain, in order to be transparent with your users and make them aware of the impact of their actions on their rights.
Then, the main suggestions arrived at are:
Do you happen to have any references discussing this? The compatibility between GDPR and blockchain technologies?
You can find some information on blockchain and GDPR in these articles:
Do you happen to know how to proactively integrate this technology into the ISO 27001 framework, as I'm sure the next ISO 27001 version will have to take it into account regarding security and privacy issues.
ISO 27001 can help you to implement risk assessment, identify vulnerabilities, and implement the actions required. You should use the principles and guidelines provided to implement processes considering the particular structure of the blockchain.
You can find some useful information in our free whitepaper EU GDPR and how can ISO 27001 help? https://info.advisera.com/27001academy/free-download/what-is-eu-gdpr-and-how-can-iso-27001-help
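The "store personal data off-chain" option mentioned above can be illustrated with a small added example (constructed for this thread, not code from EBSI, Advisera or any real ledger): the ledger keeps only a salted hash of each record, the data and its salt live in an erasable store, and honouring an erasure request touches only that store while the ledger stays append-only. Record ids, the in-memory `Ledger` class and the sample e-mail address are assumptions for the demonstration.

```python
import hashlib
import json
import secrets

# Constructed demonstration of the off-chain pattern: the ledger never
# holds personal data, only a per-record salted SHA-256 commitment.

class Ledger:
    """Append-only list of (record_id, commitment_hex); nothing is removed."""
    def __init__(self):
        self.entries = []

    def append(self, record_id, commitment):
        self.entries.append((record_id, commitment))

    def commitment_for(self, record_id):
        for rid, c in self.entries:
            if rid == record_id:
                return c
        return None

def commit(salt, data):
    # Canonical JSON so the same record always hashes the same way.
    canonical = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(salt + canonical).hexdigest()

def register(ledger, store, record_id, data):
    salt = secrets.token_bytes(16)   # random salt, kept only off-chain
    store[record_id] = {"salt": salt, "data": data}
    ledger.append(record_id, commit(salt, data))

def verify(ledger, store, record_id):
    rec = store.get(record_id)
    if rec is None:
        return False                 # off-chain copy erased: nothing to verify
    return commit(rec["salt"], rec["data"]) == ledger.commitment_for(record_id)

def erase(store, record_id):
    # Erasure request: drop the data and its salt; the ledger is left untouched.
    store.pop(record_id, None)

def unsalted_guess_matches(ledger, record_id, guessed_data):
    # Shows why the salt matters: hashing a guessed value (e.g. a known
    # e-mail address) does not reproduce the on-chain commitment.
    canonical = json.dumps(guessed_data, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest() == ledger.commitment_for(record_id)
```

Whether a salted hash left on the ledger still counts as personal data is the point the answer above says the Data Protection Authorities are still discussing; the code only shows the mechanism.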
ISO 45001 is applicable for any organization in any industry, so it can definitely be used by a company with a single owner/manager. The requirements are written to be descriptive but not prescriptive, meaning they tell you what needs to be done but not how to do it. So, you can perform the necessary processes with the employees you have, and in the best way for your organization.
For more information on what is included in the requirements, see our whitepaper: Clause-by-clause explanation of ISO 45001:2018, https://info.advisera.com/45001academy/free-download/clause-by-clause-explanation-of-iso-45001