Search results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • Security requirements specification


    Answer:

    Version of existing information system refers to the codification used to identify a released software, so you can track the correct documentation regarding the development of that system.

    For example, version 1.0 is commonly used to denote the initial release of a program.

    Considering that, for each existing information system in the ISMS scope you must contact the internal development team, or manufacturer, responsible for that system to identify which is the current version on production environment. For some systems this information may be found on the main screen or as a sub-option on the "About" feature.

    If you think any of the comments included in the template explaining which information has to be included in each field needs further clarification please let me know your specific doubt, so I can provide you a proper answer.
  • Evidences of implementation

    To comply with the standard, we created a Training procedure, however we cannot present evidences of its implementation. What can you advise us to do?

    Answer
    ISO 9001:2015 does not require a training procedure. Have your organization determined competence requirements for each job? Does your organization determine competency gaps? Does your organization provide training or other actions to eliminate those competency gaps? Does your organization evaluate the effectiveness of training or other actions to close those competency gaps? If your answer is not a yes to some of these questions you have to start recording evidences.

    The following material will provide you information about mandatory documents:
    - Article – Using Competence, Training and Aware ness to Replace Documentation in your QMS - https://advisera.com/9001academy/blog/2013/12/17/using-competence-training-awareness-replace-documentation-qms/
    - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
    - Free course – ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Minor and major nonconformities and observations

    I would like to ask for your opinion regarding our practice of declaring several minor non-conformities as a major non-conformity. The minor findings may be found in one or several departments and we usually call this system non-conformity.

    Answer
    I agree with that practice and use it myself in my audits. If I find several minor nonconformities about a similar topic throughout an organization, I normally write a major nonconformity because it is a systemic problem and each previous minor nonconformity support that conclusion.

    Question 2
    Another thing is whenever there are 3 or 4 observations, we elevate and consolidate them into a non-conformity.

    Answer 2:
    About observations I have a problem. There is no ISO 9000:2015 or ISO 19011:2018 definition of observation. What do you consider an observation? Your findings either are conformity or nonconformity. If they are conformities and you think there is an opportunity for improvement it is your opinion based on your experience. You as auditor can suggest that there is an opportunity for improvement. What do you consider as an observation?

    You can find more information about nonconformities at:
    - Article – How to write a good ISO 9001 audit nonconformity? - https://advisera.com/9001academy/blog/2018/04/24/how-to-write-a-good-iso-9001-audit-nonconformity/
    - Major vs. minor nonconformities in the certification audit - https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
    - Free course – ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Combined audits and integrated management systems


    Answer
    Yes, it is fairly common a certification audit being about more than one standard. For example, a combined audit concerning ISO 9001 and ISO 14001, or even a combined audit concerning ISO 9001, ISO 14001 and ISO 45001. If an organization has implemented an integrated management system and wants to obtain its certification it has to contact a certification body and agree on the terms. Again, it is a fairly common situation.

    The following material will provide you information about integrating management systems:
    - Article – How to integrate ISO 14001 and ISO 9001 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/how-to-integrate-iso-14001-and-iso-9001/
    - Free course – ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - Discover IS O 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Clarification regarding customer communication


    Answer:

    It is a mandatory requirement to inform the customers of the complaint if it is pertaining to a medical device recall or a field safety corrective action as the customers might need to quarantine any stocks that have been sold out or are currently in their warehouse. You should be looking at clause 8.2.2 Complaint handling which provides you with more information on the procedure of complaint handling. With regards to clause 7.2.3, it means that the company should have a way to get feedback from a custom er with regards to the purchased product or services (quality or not quality related), including complaints.



    For more information, please read articles:

    How to comply with the latest changes in ISO 13485 clause 7.2.3 Communication
    https://advisera.com/13485academy/blog/2018/05/16/how-to-comply-with-the-latest-changes-in-iso-13485-clause-7-2-3-communication/

    How to comply with ISO 13485:2016 requirements for handling complaints
    https://advisera.com/13485academy/blog/2017/03/21/how-to-comply-with-iso-134852016-requirements-for-handling-complaints/

    Customer Feedback Report
    https://advisera.com/13485academy/documentation/customer-feedback-report-iso-13485-2016/
  • How to manage risk and clinical evaluation?


    Answer:

    In order to manage risk for the QMS, you will need to identify critical processes or parameters that will affect the safety and performance of the device that you are dealing with or the service that you will render for the medical device. This will be followed by a quick assessment using FMEA or any suitable matrix to assess the occurrence and severity in which you will also propose controls to mitigate the risk and implement them accordingly. All the information should be documented in a risk management report. What I have just summarized was basically in the following steps: Risk Analysis, Risk Evaluation, Risk Control, and Residual risk evaluation.

    As for the clinical evaluation, you need to assess the safety and performance characteristics of the device that will affect its intended uses. You can base the evaluation on the IFU( Instructions For Use) that will be supplied to the client.

    As per reference to ISO 11607, sterile barrier system means minimum package that prevents ingress of microorganisms and allows aseptic presentation of the product at the point of use.

    For more information please read article:

    How to use ISO 14971 to manage risks for medical devices
    https://advisera.com/13485academy/blog/2017/09/21/how-to-use-iso-14971-to-manage-risks-for-medical-devices/
  • RACI chart for ISO 27001 controls


    Answer:

    First it is important to note that a RACI matrix is not mandatory for ISO 27001.
    Considering that, there is no definitive RACI chart for this situation, because organizations are free to implement ISO 27001 controls as best fits them, but in a general manner the roles to include in such RACI matrix should consider at least:
    - Top management / CISO as Accountable for controls implementation decisions
    - Risk owners as Responsible for the overall controls implementation and operation
    - Team members as Responsible for tasks / activities related to controls implementation and operation
    - Units Heads / Processes Owners / Asset owners / Interested Parties as Consulted about controls to be implemented
    - Employees / Users / as Informed about implemented controls

    This article will provide you further explanation about use of RACI charts for ISO 27001:
    - RACI matrix for ISO 27001 implementation project https://advisera.com/27001academy/blog/2018/11/05/raci-matrix-for-iso-27001-implementation-project/
  • Documentation retention period


    Answer:

    ISO 27001 does not prescribe retention periods for documents, but requires an organization to define them, and you can do that based on legal requirements (e.g., contracts, laws, regulations, etc.) the organization must comply with, business needs, and results of risk assessment.

    As one example you can consider that for a ISO 27001 certified ISMS, you must retain obsolete documents at least for as long as the next certification audit is (i.e., a three year retention period).

    This article will provide you further explanation about control of documents:
    - Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/

    This material will also help you regarding control of documents:
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  • ISO 27001 implementation tips


    Answer: The implementation of ISO 27001 is quite similar regardless the industry and size (what differs is the quantity of resources and complexity of deliverables), and the general steps are:
    1) getting management buy-in for the project;
    2) defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational context and requirements of interested parties;
    3) development of risk assessment and treatment methodology;
    4) perform risk assessment and define risk tent plan;
    5) controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
    6) people training and awareness;
    7) controls operation;
    8 performance monitoring and measurement;
    9) perform internal audit;
    10) perform management critical review; and
    11) address nonconformities, corrective actions and opportunities for improvement.

    This article will provide you further explanation about ISMS implementation:
    - ISO 27 001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    Regarding implementation approaches, the most common are:
    - Use your own staff to implement the ISMS
    - Use a consultant to perform most of the effort to implement the ISMS
    - Use a consultant only to support the staff on specific issues, leaving the organization's staff with most of the implementation effort.

    Each one of them have their advantages and disadvantages. For more information, I suggest you the following materials:
    - 3 strategic options to implement any ISO https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/
    - Implementing ISO 27001 with a consultant vs. DIY approach https://info.advisera.com/27001academy/free-download/implementing-iso-27001-with-a-consultant-vs-diy-approach

    These materials will also help you regarding ISO 27001 implementation:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - Diagram of ISO 27001:2013 Implementation https://info.advisera.com/27001academy/free-download/diagram-of-iso-27001-implementation-process
    - ISO 27001 Documentation Toolokit https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    2. Is risk committee necessary?

    Answer: ISO 27001 does not prescribe the specific need for a risk committee, only that relevant information security responsibilities are defined, so you can assign responsibilities for risk management the way it best fit your organization (e.g., you can adopt a risk committee, or this responsibility can be assigned to the CISO)

    This article will provide you further explanation about responsibilities:
    - What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
Page 567-vs-13485 of 1130 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +