Search results


  • Help with management review

    To see what a management review minute compliant with ISO 27001 looks like, please take a look at the demo of this template: https://advisera.com/27001academy/documentation/management-review-minutes/

    As for tips about the management review, we can list:

    • ensure that you have information for all inputs required by the standard
    • study this information so you are able to explain results and deviations
    • ensure decisions made are properly recorded (e.g., what needs to be done, by whom, and related deadlines)

    This article will provide you a further explanation about management review:

  • 17025 vs 13485

    You asked

    Would it be best practice to integrate the ISO17025 requirements in the ISO13485 QMS or make a separate ISO17025 QMS for the labs?

    In my experience it all depends on the management structure of the laboratory. If you have different people responsible for the different standards implementation and maintenance, then keep them separate, at least to start with and then integrate to a practical extent later. Otherwise if you try and do this upfront, it could slow down the adoption of ISO 17025.

    It is, however, unnecessary to reinvent the wheel, so use the current process and strategies already implemented in 13485 for common ISO 17025 activities, wherever possible. Examples are document control and dealing with complaints and nonconforming work.

    I suggest you do a gap assessment of what is in place for ISO 13485.  List the current processes and documentation in place for ISO 13485 which are applicable to ISO 17025, and then list the additional required by or needing customisation for ISO 17025. The project plan is a handy tool to use. This way you can track your progress.

    For more information, the following may be of interest:

    The whitepapers

    Free implementation resources at https://advisera.com/17025academy/free-downloads/ including 

    • Project Plan for ISO/IEC 17025 implementation
    • Project Checklist for ISO 17025 implementation
  • ISO 17025 accredited labs and services

    You asked

    Are there any sorts of items that don't necessarily need to be sent out on a regular basis?

    Yes, certain equipment need not be calibrated by an external ISO 17025 calibration laboratory. Furthermore, the frequency of external calibration can vary.

    Based on your knowledge of your method, if a particular piece of equipment could influence the results, it must be calibrated. You need a certificate with reported uncertainty. This is so that you can be confident that the method performance is still valid (as per validation studies) and that the measurement uncertainty of the device and contribution to the uncertainty of the test result is known. If there was no confidence in the consistent performance of equipment, there is no confidence in the validity of the test results. To ensure valid results and metrological traceability of measurements, there needs to be an unbroken chain of calibrations and known controlled contribution of uncertainty of a device to the overall measurement uncertainty of the test method.

    For more information and important reference links, have a look at a similar Q&A at https://community.advisera.com/topic/re-calibration-time/

  • Data protection

    You need to write: "Personal data will be processed for the provision of the service and for the following legal obligation (i.e., for bookkeeping purposes) and in compliance with the requirements of EU Regulation 2016/679 (EU GDPR). For more information about how we process your data and rights of data subjects, please consult our privacy notice at our store." You should have a privacy notice for your customer data in your store (or on your website, if you have one).

    Here you can find more information about privacy notice.

    If you need to understand how to implement EU GDPR compliance in your organization, you may consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/

  • Preparing procedure on Metrological Traceability

    Typically, a laboratory will not have a procedure specifically for Metrological Traceability. For a laboratory to confirm metrological traceability, a number of processes are involved where certain processes must be documented (mandatory by ISO 17025). For example, methods, procedures and supporting documentation, such as instructions, standards, manuals, and reference data must be kept up to date (clause 7.2) and a calibration programme (clause 6.4) is mandatory. These requirements from different clauses are typically linked via your Quality Manual. An Equipment and Calibration Procedure can be used to document how Metrological Traceability is confirmed. Alternatively, depending on the size of your laboratory, it may be included in the Method Validation and Quality Assurance Procedure.

    Let’s look at the ISO 17025 requirement – that is, to “establish and maintain (i.e. confirm) metrological traceability of its measurement results”. What traceability does is ensure that on an ongoing basis the measurements accurately represent the specific quantity subject to measurement, within the stated uncertainty of the measurement. This is achieved through an unbroken metrological traceability chain to an international measurement standard or a national measurement standard. Simply stated, a laboratory ensures metrological traceability for a measurement result by having equipment (used for the method) calibrated by laboratories conforming to ISO 17025 and/or using reference materials with certified values where the reference material producers conform to ISO 17034.

    The following elements must be in place to meet clause 6.5 requirements to ensure metrological traceability:

    • a documented measurement procedure,
    • quality measurement control
    • suitable (performance) calibrated standards
    • documented method measurement uncertainty
    • defined calibration intervals,
    • technical competence

     

    For more information, have a look at

    The article: What does ISO 17025:2017 require for laboratory measurement equipment and related procedures? at https://advisera.com/17025academy/blog/2019/07/25/iso-17025-measurement-requirements-of-the-standard/
    The ISO 17025 toolkit document template: Equipment and Calibration Procedure at https://advisera.com/17025academy/documentation/equipment-and-calibration-procedure/
    The ILAC P10:07/2020 ILAC Policy on Metrological Traceability of Measurement Results  available from https://ilac.org/publications-and-resources/

  • Auditing according to section 8.2.2

    Basically yes, but of course in accordance with Records management (requirement 4.2.5) and 8.3 Control of non-conforming product. 

  • ISO 27001 Mapping to CSA CCM Matrix

    The Cloud Control Matrix can be found on the Cloud Security Alliance site: https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4/

    This matrix contains the mapping between ISO 27001 and the CSA alliance cloud security domains.

  • How to fill out "Appendix 1 - List of Legal, Official, Contractual and Other Requirements"

    Here is a practical example of how to fill the List of Legal, Official, Contractual and Other Requirements template:

    Consider that a customer named Jon has a service level agreement with your company which defines, in clause 32-b, that access to all information provided by the customer to information system ABC is restricted to customer personnel only. In this case, the person responsible for system ABC is responsible for ensuring compliance of the system with this requirement. Then your document would be like this:

    Interested party: Customer Jon
    Requirement: Clause 32-b (Information provided to system ABC is restricted to customer's personnel)
    Document: Service level agreement
    Person responsible for compliance: System ABC administrator
    Deadline: when system ABC is made available for customer use

    Besides Service Level Agreements, you should consider laws and regulations applicable to the locations where you operate the same way described in the example (i.e., identifying interested party, requirement, document, etc.). For the identification of specific requirements for your organization we recommend you seek expert legal advice.

    Regarding the example for the ISMS scope, it can be defined in terms of information, location or process to be protected, and here are some examples:

    • The ISMS scope is the customer and Research and Development data of organization ABC.
    • The ISMS scope is the Headquarters of organization ABC.
    • The ISMS scope is the software and development process of organization ABC.

    By the way, included in your toolkit you have access to a video tutorial that can help you develop the scope, with real data examples.

  • IEC 62366-1 question

    No, this standard ISO 62366-1 is applicable for all types of medical devices. 

  • Guidance for dealing with "old" devices

    Your guidance is MDR itself. It means that if you are a class I device, then from 26th May 2021 you need to be in compliance with the MDR. The only excuse for that is the implementation of the UDI number, which must be applied until May 2025, as stated in Article 123 Entry into force and date of application.

    For more information, see:
     
    EU MDR Article 123 Entry into force and date of application https://advisera.com/13485academy/mdr/entry-into-force-and-date-of-application/

     
