
  • Career in medical devices space

    To be in the medical device field, first, you need to have some medical background. For example: completed medical school, work experience in a hospital or other clinical institution, work experience in a medical device factory. In my opinion, without understanding what the most important elements for medical device safety and performance are, it is not possible to be in this field.

    The benefit is if you have experience in the regulatory business, so that you know how to read and understand different regulatory requirements, and so on. If you are on the EU market, then knowledge of the MDR is mandatory, and if you are on the US market then you need to know the FDA rules for medical device certification.

    There are websites that offer some certifications for consultants, but even that certification is no guarantee that you fully understand the regulatory requirements. So without a lot of self-study of necessary regulations, there is no success in this business. 

    The only thing to keep in mind is that there are medical products such as a syringe for giving injections, but also an artificial heart. So there is no consultant who has experience in all types of medical products. Some requirements are universal, but again each product has its own specifics that the consultant must take into account. So the mutual communication of the consultant is also important.

  • Proof of compliance with GDPR & Data Subject Request Register

    I assume that you are referring to compliance with the data subject's request to delete personal data.

    Compliance with GDPR starts from a good privacy notice where it is clear how data subjects can exercise their rights. It may be implemented by a reply to the data subject's request to exercise their rights, where the data controller explains how the data subject request is handled and confirms that the request has been accepted or denied. Of course, the deletion of data will refer to data that are processed under consent as a legal basis. If some personal data need to be processed under another legal basis, then the data controller will have the right to keep those data and process them for that purpose. For example, the data controller may need to keep the name and some personal information of the data subject to fulfill the obligation on invoicing. You should keep a register of data subjects' requests in order to demonstrate compliance with the obligation of assuring the rights of data subjects.

    Here you can find more information about how to handle data subjects' rights:

    If you need to understand how to implement compliance with GDPR you may consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/

  • Conditions for replicating OEM

    If your customers will be direct OEMs (for example Ford, GM, Daimler, VW, etc.), you should discuss the product tests with your customer and consider the technical drawing of the product. But if your customer is going to be the market, duplicating the OEM part and putting it on the market is an "aftermarket" job.

    The IATF 16949:2016 standard has excluded the aftermarket.

    Therefore, you can know what kind of tests are required only by learning what the original product tests are.

  • Statement of Acceptance of ISMS Documents

    Only the "Statement of Acceptance of ISMS Documents" is not enough to be compliant with ISO 27001 requirements related to competence (clause 7.2) and awareness (clause 7.3).

    You will also need information regarding actions taken to provide the necessary competence/awareness (e.g., reading of the documentation, awareness presentation, etc.), and evaluation of actions effectiveness (e.g., questions about the presented documentation).

    For those, you can use the Training and Awareness Plan template included in your toolkit, in folder 9 Training and Awareness. Both "Training and Awareness Plan" and "Statement of Acceptance of ISMS Documents" will be sufficient to evidence awareness about the documentation.

    This article will provide you a further explanation about awareness and training:

    This material will also help you regarding awareness and training:

  • Verification Inspection Reports

    This probably depends most on whether the PRRC is within the company, in the same place where the batch release takes place, or is dislocated. If the PRRC is dislocated, one of the simpler ways is that batch release records can be sent to him via email and then he can confirm by email that he complies.

  • Conflicting approaches to Risk Assessment

    First of all, sorry for this confusion.

    This is only a different way of writing the methodology name. The approach is the same regardless of the order of its elements. The results will be the same, because the risk calculation is based on a sum or a multiplication, whose result is independent of the order of the elements.

    For further information, see:
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    This material can also help you:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-risk-management-in-plain-english/

  • Uploading current quality standards/results

    Since such in-company information is actually information, I have not seen it shared much. TS 16949:2019 or IATF 16949:2016 also does not have such a requirement from suppliers.

    However, if it is a potential supplier, such information can be seen in the company during the audit or company visit.

  • ISO 27001 - feedback about some documents

    I’m assuming you are referring to documents 10.1 Internal Audit Program, 10.2 Internal Audit Report, 11.2 Management Review Minutes, and 12.1 Corrective Action Form.

    Considering that, the Internal Audit Program needs to be filled before the internal audits are performed (this is the document that will define how many audits will be needed, covering which topics and their dates).

    The internal audit report needs to be filled in after the conclusion of each planned internal audit.

    The Management Review Minutes are typically filled out after the management review has been completed, but some companies might use the Minutes also as a preparation, and in such cases you can use a 2-step approach: 1) data required as input for the management review is entered in the Minutes after all ISMS elements to be implemented are defined and as soon as the data is available; and 2) data required as output of the management review is filled in after the end of the meeting.

    Corrective action forms are filed at any time a corrective action is required. Please note that a corrective action can originate either as a result of an internal audit or as a result of an incident or operational deviation.

    For further information, see:
    - Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/
    - Project checklist for ISO 27001 implementation https://info.advisera.com/27001academy/free-download/project-checklist-for-iso-27001-implementation

  • Implementing controls

    First, it is important to note that only controls deemed applicable based on the results of the risk assessment and applicable legal requirements need to be implemented. So, depending on the organizational context, not all controls from ISO 27001 Annex A may need to be implemented.

    For those controls deemed applicable, not all of them may need to be included in policies or procedures.

    These articles will provide you a further explanation about documenting controls:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    - How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
