The GDPR text has not been modified in the past months or years, so the course remains very relevant and up-to-date. Please restart the course whenever you like, and if you have questions, don’t hesitate to contact us!
Meanwhile, we developed more resources to help you:
When considering gaps in the implementation there are two types of issues. The first is a deficiency, where a mandatory requirement is not met. For example, external proficiency testing to meet clause 7.7.2. The second is where there is a process implemented, but it is not achieving the intended result. An example here is ineffective Management Review.
In my experience, the requirements for monitoring and evaluation are often not achieved, for example all the requirements for Management Review input (clause 8.9). Another area is method validation / verification (clause 7.2), where it is often not done to the extent required. Furthermore, laboratories often underestimate the effort and requirements for the management of personnel (clause 6.2), equipment (clause 6.4) and quality control (clauses 7.7.1 and 7.7.2) to ensure competency and validity of results.
The following may be useful to you:
The article What is ISO 17025? at https://advisera.com/17025academy/what-is-iso-17025/
The webinar – What are the steps in the ISO 17025 accreditation process? at https://advisera.com/17025academy/webinar/what-are-the-steps-in-the-iso-17025-accreditation-process-free-webinar/
Also have a look at other articles at https://advisera.com/17025academy/blog/
We're not experts in PCI DSS, but generally, we recommend the ISO 27001 documentation toolkit as a way to contribute to achieving PCI compliance, because PCI DSS has some requirements that can be fulfilled by ISO 27001 controls from Annex A, such as the access control policy, backup policy, etc.
These articles will provide you with a further explanation of PCI DSS and ISO 27001:
This material will also help you regarding ISO 27001 implementation:
This article from ISACA can provide you with a comparison between ISO 27001 and PCI DSS: https://www.isaca.org/resources/isaca-journal/issues/2016/volume-1/comparison-of-pci-dss-and-isoiec-27001-standards
Yes, you are correct. You must have an EU rep according to the requirements of the IVDR when you are ready for certification under the IVDR. For more details please see Article 110 of the IVDR 2017/746, Transitional provisions. It states that the requirements of this Regulation relating to post-market surveillance, market surveillance, vigilance, and registration of economic operators and devices shall apply and replace the corresponding requirements in Directive 98/79/EC.
If you are on the EU market, then ISO 13485 is mandatory for all manufacturers of medical devices, no matter the type of device. It is stated in Article 8 of the MDR 2017/745 that all manufacturers need to be in compliance with standards that are published by the EU Commission and are called harmonized standards. On that list are more than 300 different standards, but the only standard that covers the quality management system is ISO 13485:2016/A11:2021.
For more information, see:
You asked:
"We made a procedure for 7.3 and I am now realizing that 7.3 only needs to be a "plan". I was wondering if we should keep these two requirements separate or possibly roll them together into one procedure that covers both 7.3 and 7.4. What do you think?"
It all depends on the activities and scope of work for the laboratory. Clause 7.3 isn't applicable to laboratories that are not involved in sampling. If the laboratory is responsible for sampling, clause 7.3 requires more than just a plan. It requires a sampling plan and method, and a number of forms and records. It is recommended to document a sampling procedure and to keep the procedures separate.
Clause 7.4 is applicable to any processing and “sub-sampling” of the sample, for example grinding and splitting into a test portion.
For more information see the links and my response to a question on the topic Sampling at https://community.advisera.com/topic/sampling-clause-7-3/ and https://community.advisera.com/topic/cab/
I’m assuming you are referring to clause 8.1 Operational planning and control.
Considering that, please note that this clause does not require a specific document by itself.
To fulfill this clause, you need to implement:
These articles will provide you with a further explanation of ISO 27001 required documents:
In order to keep their certification status, ISO 27001:2013 Lead Auditor certificate holders might need to attend some updated training events (for more information you need to contact your certificate issuer).
Regarding Lead Implementer certificate holders, they will not need to "upgrade" their certificates because there is no such requirement from accreditation bodies.
Regarding the certification of organizations, they will need to transition to the new version if they want to keep their certification. Most probably the transition period will be twenty-four months after the release of the new version of ISO 27001 (the transition period will be confirmed soon after the release of the new version of the standard).
For further information, see:
You should treat this merge as an implementation project with some adjustments:
1) review of the ISMS basic framework (e.g., scope, objectives, organizational structure), considering the merged organizational context and requirements of interested parties;
2) review of risk assessment and treatment methodologies, to see which elements can be merged and which ones need to be kept separate;
3) review of the risk assessment and definition of the updated risk treatment plan;
4) adjustment of implemented controls when necessary (e.g., policies and procedures documentation, acquisitions, etc.), as well as the implementation of new controls required due to the new merged context;
5) people training and awareness;
6) controls operation;
7) performance monitoring and measurement;
8) internal audit;
9) management critical review; and
10) addressing nonconformities, corrective actions, and opportunities for improvement.
Regarding challenges, some of them may be:
- Lack of management support: without this support, you won't have the minimal resources and engagement to implement a proper merging.
- Not using a project management approach: such an implementation involves coordinating several people to perform dozens of activities, and without a methodology, you will end up in a huge mess with no security at all.
- Lack of time for the merging project: the project can be very important, but normally there are a lot of urgent things happening that postpone the project.
- ISMS scope wrongly defined: not protecting the information that really matters considering the merged context.
- Documentation: procedures in excess or lacking details may compromise operations.
These articles will provide you with additional information:
- Three strategies for ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/#options
- ISO 27001 implementation steps https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
In risk assessment, you need to identify risks that exist in your context and that you consider relevant. The fact that some of them may already have controls in place is considered when you analyze them to define likelihood and impact (in most cases this will mean that they will have low risk and won’t be part of the risk treatment step).
Considering that, both of your examples would be included in the risk assessment, so you can document either the risks or the controls already implemented to treat them.
For further information, see:
- 6 main steps in risk management https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/
- Risk assessment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment