
  • ISO 13485 toolkit ref 11

    If you are a distributor, then you need to understand that your "production" is basically service provision. So everywhere the documentation says "production," you can put "service".
    Your point of view regarding 3.3.7 is OK. You cannot exclude this; you will just use the identification provided by the manufacturer. You need to have in your system the possibility to track which LOT of medical devices went to which customer.

  • Security objectives in Conformio

    This approach will not cause problems in the system.

    However, by developing its own objectives, the organization will have to identify how they can be related to Conformio processes and modules (i.e., which information will be needed and where it can be found), while the suggested objectives in Conformio already have a defined logic related to them (e.g., suggested data sources), making it easier to use them to fulfill the standard's clauses related to security objectives.

  • ISO 27001 Internal Auditor

    First of all, sorry for this confusion.

    The toolkit you have is still current.

    The documents from sections A.5 and A.18 are not missing from the toolkit; you can find them here:

    • A.5 – all the documents from folder "08 AnnexA" cover the requirements about information security policies (A.5.1.1 and A.5.1.2)
    • A.18 – these documents are covered in the toolkit in folder "02 Procedure for identification of requirements"

    Included in the toolkit there is a List of Documents file that shows which documents cover which clauses of the standard.

  • DEVOPS position according to ISO27001

    Awesome Rhand! Thank you so much for your answer

  • Audit management

    I'm assuming that by "ISO 27001" you mean "ISO 27001 Toolkit".

    Considering that, if you plan only on managing audits, the toolkit would be the best choice, because you can use only the documents related to internal audit.

    Conformio is a platform to manage the whole implementation and maintenance of an Information Security Management System, from definition of security objectives to continual improvement, which requires much more effort to manage (e.g., document management, risk assessment and treatment, incident management, etc.).

  • Storing fulfilled forms

    The forms can be filled in two types of support, paper or digital. In some companies, paper-based records are digitized a posteriori.

    Records in digital support are archived on the company's server.

    Paper-based records are filed in folders according to rules and filing criteria defined on a case-by-case basis by the companies.

    The bottom line is: records are the memory of the company. If we can't access the records we need when we need them, we're a memoryless company. Memoryless companies don't learn.

    You can find more information about documentation below:

  • Doubts about lead auditors in 27001

    1) In which cases can an auditor decide whether to waive an audit in a company?

    Answer: Considering certification/surveillance audits, these cannot be waived, because not performing a certification/surveillance audit will impact the certificate issuance.

    In the case of internal audits, these can be waived considering the results of previous audits, provided that the whole ISMS scope is audited before a certification/surveillance audit.

    For example, if you have a process audit twice a year, due to the results of previous audits (that were good), you can decide to waive one audit and perform audits only once a year.

    2) In case of detecting illegal software in an audit, which is the procedure an auditor has to follow, and who is required to communicate how to proceed?

    Answer: This is a situation to be treated very politely.

    The recommended approach is to state that it was not possible to evidence the proper management of intellectual property rights of software *** (you should NEVER state that software is illegal, remember that your findings are based on the evidence you have found, or not found).

    Regarding who to communicate with, you need to communicate with the audit customer during the briefings at the end of each audit day, and state that the nonconformity will also be formally communicated in the Audit report.

  • ISO 27001 questions related to Conformio

    1 - We are a little bit lost with the Initial training plan, as we are not sure how to structure it and what good practice is. Can you provide good practice for training when defining the Initial Training Plan?

    Answer: The easiest way of defining the Initial Training Plan is to insert the trainings specific to the steps/policies that relevant employees need to master; that training is then automatically added to the Training step.

    For example, for the risk register step this is how it looks:

    https://prnt.sc/26jvffx

    In each of the steps a user can define specific trainings and assignees; those are then automatically added to the Training module. In case you want to update the training status or define new trainings, you can do this inside the Training module itself.

    2 - We are not sure if we need to define different suggested training for different skills. Should it be on different skills or different rules depending on the role in the company?

    Answer: Please note that there is no single answer to this question because you have different publics with different objectives:
    - top management needs to make decisions over issues that many times are not so clear for them, and they do not need deep knowledge about the technicalities of security issues (they will be more concerned about how it impacts the business). In these cases, your presentation should be focused on the decisions they need to make on each policy.
    - technical personnel with operational responsibilities for security need deep knowledge of technologies, methodologies, and processes, so your presentation should be focused on the procedures and rules they need to follow.
    - all other personnel need a basic understanding of security, to properly identify, report, and react to risky situations. In these cases, your presentation should be focused on examples and how to proceed according to the policies.

    3 - What are good training or skills for an IT Manager or Compliance officer for example? 

    Answer: Examples for an IT Manager would be integration of information security in IT strategy or evaluation of the security of solution providers. As for a Compliance Officer, examples would be trainings related to laws and regulations impacting information security (e.g., on EU GDPR or US HIPAA).

    4 - We would also appreciate a catalog of links to training on your website that can be useful in completing the training plan.

    Answer: These articles will also help you regarding awareness and training:
    - How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
    - 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/

    This material will also help you regarding awareness and training:
    - Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.

    5 - We were going over the "Procedure for identification of requirements" and we ran into this part that wasn't clear: https://prnt.sc/26guyux - what document does the "Information Security Management System Policy" refer to?

    Answer: First of all, sorry for this confusion.

    The "Information Security Management System Policy" is the same "Information Security Policy" used in Conformio.

  • MDR requirements for IFU

    No, there are no restrictions on the font size for IFU for medical devices.

  • Proficiency testing and PT provider in pesticide formulation

    You asked

    I need your help regarding Proficiency testing and PT provider in pesticide formulation

    I cannot recommend any providers as it depends on your scope and area. Have a look at EPTIS at https://www.eptis.org for possible providers. This is an international database of Proficiency Testing (PT) schemes.

    You also asked

    I need your help with regard to PT testing as we couldn't find any in our scope. Is there any alternative?

    The policy document ILAC-P9:06/2014 ILAC Policy for Participation in Proficiency Testing Activities is applicable to your situation. It is available at https://ilac.org/publications-and-resources/ilac-policy-series/

    What I suggest you do is contact your accreditation body as well, as they will need to approve the alternative, which typically would involve a bilateral study between yourself and one other laboratory or the use of certified reference materials for your own study.
