
  • Software validation for raw material supplier

    We are a raw material manufacturer, planning to supply the medical device industry. Are we required to comply with the software validation section within ISO 13485:2016, which seems to be talking about medical device manufacturers?

    Answer:

    Applicability of ISO 13485 to your business is questionable, depending on the raw material that you supply to the customer. Clause 1 Scope of ISO 13485 says that the standard is applicable to organizations that need to demonstrate the ability to provide medical devices and related services. It is limited to organizations that are involved in one or more stages of the product life-cycle, including design and development, production, storage, distribution, installation or servicing of medical devices. Supply of raw materials is not mentioned in the standard, so if you don't supply your customer with parts of the medical device but only with raw materials, the standard is hardly applicable to your business.

    If you don't have an ISO 13485 certificate and are not planning to implement the standard, the requirements for software validation are not applicable to you. If you are planning to implement the standard, exclusion of all requirements for software validation will be impossible, because the standard allows exclusions only from clauses 6, 7 and 8, but the first requirement for software validation is in clause 4.1.6.

    In your case, it might be better to implement ISO 9001 instead of ISO 13485, since it is more widely applicable and you can also include all requirements of your customer in your Quality Management System regarding medical devices, but you will avoid many requirements of ISO 13485 that would be redundant and inapplicable for your type of business.
  • Asset inventory

    Answer: The article presents enough information for you to build an asset inventory compliant with ISO 27001, but since ISO 27001 does not prescribe which details must be listed in the asset inventory, you should work with members of your organization to identify other information that can be useful, like asset category, its location, some notes, etc.

    I suggest you take a look at the free demo of our Inventory of Assets at this link: https://advisera.com/27001academy/documentation/inventory-of-assets/ so you can see what an inventory of assets looks like.
    This article can also provide you with useful information about the inventory of assets:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
  • Complying with the resources clause 7.1

    Both are requirements that the standard does not require to be documented, so it is simply a matter of complying with them.
    As for infrastructure, this can include: buildings and associated utilities; equipment (including hardware and software); transportation; information and communication technology.
    Maintenance of the infrastructure can be carried out through a planned preventive maintenance program that is adequate and proportionate to the operations performed and to the context of the organization, and to any requirement of the contingency plan in case of disruption. Business planning processes should determine changes and future needs for specific infrastructure.
    As for clause 7.1.4, it requires a suitable environment resulting from the combination of physical and human factors, for example:
    - social: non-discriminatory, calm, non-confrontational
    - psychological: stress-reducing, emotionally protective
    - physical: temperature, humidity, lighting
    Your organization must establish, control and maintain its own environmental requirements.
    In both cases the auditors will determine compliance with these clauses through interviews with top management and the owners of the corresponding processes, and through the collection of objective evidence.
    In addition, the following material can provide you with more information about the new ISO 9001:2015:
    - Free online ISO 9001:2015 Foundations course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
    - Book "Gestión de documentación ISO: una guía en un lenguaje sencillo" (ISO documentation management: a plain-language guide): https://advisera.com/books/gestion-de-documentacion-iso-una-guia-en-un-lenguaje-sencillo/
  • Differences between ISO 9001:2015 and ISO 9001:2008

    Regarding the differences between ISO 9001:2008 and ISO 9001:2015, you can find information in the following infographic: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/infografia-iso-90012015-vs-revision-del-2008-que-ha-cambiado/
    On the other hand, you can find the information on the List of mandatory documents in the following article: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/lista-de-documentos-obligatorios-requeridos-por-la-iso-90012015/
    In addition, the following material can provide you with more information about the new ISO 9001:2015:
    - Free online ISO 9001:2015 Foundations course: https://advisera.com/training/es/course/curso-de-fundamentos-de-la-norma-iso-90012015/
    - Book "Gestión de documentación ISO: una guía en un lenguaje sencillo" (ISO documentation management: a plain-language guide): https://advisera.com/books/gestion-de-documentacion-iso-una-guia-en-un-lenguaje-sencillo/
  • Risks in HR department

    Answer:

    The risks and opportunities to be identified should be related to the effectiveness of the process, the QMS as a whole and compliance with the requirements of the standard and the customers. You need to observe the HR department and all the processes that belong to it and determine what risks exist within this area. The most obvious risk regarding the HR department is failure to provide competent employees to other processes within the QMS; of course, depending on the context of the organization, this risk can be significant or not.

    As for the methodology for the risk analysis, the simplest approach is to arrange a brainstorming session with the most relevant people in the HR department and talk about the risks, or you can use a SWOT analysis.
  • Data Subject Consent Form

    Answer:

    The document is mandatory for those processing activities that are based on consent, for example marketing activities. If you rely on any other legal basis you don't need it, but only need to provide the right information to the data subject via your Privacy Notices.

    To find out more about consent you can check out our article “Is consent needed? Six legal bases to process data according to GDPR” https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
  • Scope of the IT Security Policy (Doc 8.1)

    Answer:

    Article 32 of the EU GDPR - Security of processing https://advisera.com/eugdpracademy/gdpr/security-of-processing/ requires controllers and processors alike to implement "appropriate" technical and organizational measures to keep the personal data secure.

    The policies you would find in section 8 of the EU GDPR toolkit are examples of organizational measures taken to protect the data. So, in a nutshell, the purpose of the IT Security Policy, as well as the whole array of policies in section 8, is to provide you with a set of documents which, if implemented correctly, will ensure that you have taken the appropriate measures to protect personal data.

    If you want to find out more about keeping data secure, please check out our article "How cybersecurity solutions can help with GDPR compliance" https://advisera.com/eugdpracademy/blog/2017/11/27/how-cybersecurity-solutions-can-help-with-gdpr-compliance/
  • People-related risks

    Answer: Considering ISO 27001, when thinking about people-related threats you should consider how people can endanger information security (e.g., espionage, error, identity theft, etc.), and when thinking about people-related vulnerabilities you should consider how weaknesses related to people can endanger information security (e.g., lack of training, lack of awareness, unavailability of the person, etc.).

    These articles will provide you with further explanation about assessing risks:
    - Catalogue of threats & vulnerabilities https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    These materials will also help you regarding assessing risks:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-risk-management-in-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Implementation of controls

    We received this question:

    > Can you also let me know if I decide to implement a control from Annex A, does that mean that we have to implement all the requirements for that control from the ISO 27002 standard?

    Answer: Most of the ISO 27002 text is written as "you should...", meaning that you only have to implement some items if you identify a need to do that (based on the results of your risk assessment). So, for some controls you may have to implement all items, while for others you have to implement only a few of them.
  • Termination of job - activity

    Answer: ISO 27001 does not prescribe how to implement its requirements or controls, only what needs to be achieved.

    Considering that, for the scenario you stated you can consider the control A.9.2.6 - Removal or adjustment of access rights as the basis to support your need to manage users' access rights, but for the definition of a specific period of time for account deletion / removal you must consider the perceived risks (results of the risk assessment) and the legal requirements (e.g., laws, regulations and contracts) that must be fulfilled.

    These articles will provide you with further explanation about controls selection and access control:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/

    These materials will also help you regarding controls selection and access control:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/