Search results


  • Conformio questions

    1. Can I treat the Project Plan as a statement of intention? If we do not meet the deadlines we have set in the Project Plan, would this be a problem during certification?

    Answer: The purpose of the project plan is to clearly define several elements (e.g., the objective of the project, documents to be written, deadlines, roles and responsibilities, etc.), so yes, the project plan can be used as a statement of intention. On a general level, the top-level objectives are also a statement of intention.

    ISO 27001 does not require a project plan to be documented (it is a supporting document for the implementation, not for the ISMS itself), so if you do not meet the initial deadlines this will not be a problem during the certification (the project plan can always be updated to reflect the real progress of the implementation).

    For further information, see:
    - ISO 27001 project – How to make it work https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/
    - How to use Scrum for the ISO 27001 implementation project https://advisera.com/27001academy/blog/2017/03/27/how-to-use-scrum-for-the-iso-27001-implementation-project/

    2. At the end of each document in the wizard, there is a set review cycle of 6 months or 12 months depending on the document. Why is this set in such a way and could I change it?

    Answer: 6 months and 12 months are the most frequent review periods adopted by organizations. ISO 27001 does not prescribe a document review time, so organizations can define it as fits their needs.

    You can change the review period according to your needs by adjusting the document review period field in the document properties tab when you are creating it.

    For further information, see:
    - How to manage documents according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2021/06/27/how-to-manage-documents-according-to-iso-27001-and-iso-22301/


  • ISO 9001 8.3 in a fertility clinic setting

    Yes, that is my understanding of the situation.

  • Consequences and Costs of not abiding waste management

    What are the details of the possible consequences and cost implications of employers and employees not abiding by legislation and regulations with regard to waste management?

  • Interested Parties

    What follows is a list of potential interested parties. Annex A.3 of ISO 9001:2015, last paragraph, states that only an organization has the authority to determine who are the relevant interested parties.

    You may consider:

    • Client (payer)
    • Client (users)
    • Regulators
    • Programmers (as suppliers or as employees)
    • Influencers

    Please check this free on-demand webinar - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar/ - where I present examples of different interested parties and their requirements and expectations.

    You can find more information below


  • DevOps

    In this case, you only need to include in the asset register the outsourcing organization as a service provider.

    Risks related to the outsourcing organization (i.e., risks related to hardware/software used by them) you can handle through the supplier security policy.

    These articles will provide you with a further explanation of the asset register and supplier security:

  • Mandatory documents for SaMD to develop QMS

    You do not need any sterilization documents, of course. Regarding the installation, if it is done by the user without any record of it, then you also do not need an installation procedure and documents.

    In your case, the service procedure will cover solving bugs and similar problems.

    All other documentation is necessary for you, but you need to adjust it to your process. For example, you need a Production and service procedure because here you will describe how you will program your software, who is involved in it, what kind of tests you will do, how you will solve bugs, and so on.

    You also need a Purchasing procedure because you need to define specifications for the programs used for software programming and their licenses. Also, if you use a cloud service or have a server at your place, then you need to order some specific elements for the server.

    You need a warehouse procedure if you use some computers, motherboards, hardware, and so on. If you use a server room then it is necessary for the server to be in an appropriate environment (temperature and humidity). In that case, you need to monitor the temperature and humidity in that room.

  • Ang release of Product

    There is no direct requirement for the release of the product. There is only the following requirement in 7.5.8 Identification:

    "The organization shall identify product status with respect to monitoring and measurement requirements through product realization. Identification of product status shall be maintained throughout production, storage, installation, and servicing of the product to ensure that only product that has passed the required inspections and test or released under an authorized concession is dispatched, used, or installed."

    So here it is stated that the release of the product must be controlled, but who will do that is up to the manufacturer.

  • Surveillance audit

    Normally, less than 12 months, because the previous time period was already audited in the previous audit. Unless, when auditing a current issue, one needs to look for records older than that (if the system was already implemented).

    If an organization is audited about a product developed 5 years ago and the company implemented the standard 2 years ago, it is not possible to expect records older than 2 years.

  • Relevant documents for software medical device

    The following documents you definitely do not need:

    • Procedure for EtO Sterilization
    • Procedure for Steam Sterilization
    • Procedure for Dry Heat Sterilization
    • Procedure for Ionizing Radiation Sterilization
    • Procedure for Filtration Sterilization
    • Appendix 1 – Record for Sterilization
    • Appendix 4 – Notification to a Customer about Changes on Property

    You might need the documents listed below, taking into consideration the following comments:

    • Appendix 4 – Request and Order for Purchasing – If you use specific programs for software programming and need some licenses for them, then you need to order some education or similar. Also, if you use a cloud service or have a server at your place, then you need to order some specific elements, so you will need a form Request and order for purchasing.
    • Appendix 1 – Product Specification – You need this because your software is your product and you know which specification that software has to have.
    • Procedure for Production and Service Provision – This is the procedure where you will describe how you will program your software, who is involved in it, how you will solve bugs, and so on.
    • Warehousing Procedure – If you do not use computers, motherboards, hardware, or anything like that, then you do not need a warehouse.
    • Appendix 1 – Record for Temperature and Humidity Control – If you use a server room then it is necessary for the server to be in an appropriate environment (temperature and humidity). In that case, you need to monitor the temperature and humidity in that room.
    • Appendix 6 – Record of Medical Device Installation – If the customer performs his own installation of the app, then you do not need these records.
    • Appendix 7 – Record of Servicing Activities – Take into consideration that servicing in your case is solving bugs. So, you probably have some process of receiving customer complaints and a process of solving those bugs. You can then customize this form to your needs.

    Just a note: for each ISO 13485:2016 requirement that you define as not applicable for you, you need to write a justification in the Quality Manual for why it is not applicable. For example, for requirement 7.5.5 Particular requirements for sterile medical devices, you will state that your medical device is software and that it does not require sterilization.

  • Risk register

    Suggested controls for this set of Asset-Threat-Vulnerability are:

    • A.9.1.2 Access to networks and network services
    • A.13.1.1 Network controls
    • A.13.1.2 Security of network services

    For further information, see:
