Search results


  • Surveillance audit

    Normally, less than 12 months, because the previous time period was already audited in a previous audit. Unless auditing a current issue, one needs to look for records older than that (if the system was already implemented).

    If an organization is audited about a product developed 5 years ago and the company implemented the standard 2 years ago, it is not possible to expect records older than 2 years.

  • Relevant documents for software medical device

    The following documents you definitely do not need:

    • Procedure for EtO Sterilization
    • Procedure for Steam Sterilization
    • Procedure for Dry Heat Sterilization
    • Procedure for Ionizing Radiation Sterilization
    • Procedure for Filtration Sterilization
    • Appendix 1 – Record for Sterilization
    • Appendix 4 – Notification to a Customer about Changes on Property

    The documents listed below you might need, taking into consideration the following comments:

    • Appendix 4 – Request and Order for Purchasing – If you use specific programs for software programming and need some licenses for them, then you need to order some education or similar. Also, if you use a cloud service or have a server at your place, then you need to order some specific elements, so you will need a Request and Order for Purchasing form.
    • Appendix 1 – Product Specification – You need this because your software is your product and you know which specification that software has to have.
    • Procedure for Production and Service Provision – This procedure is where you will describe how you will program your software, who is involved in it, how you will solve bugs, and so on.
    • Warehousing Procedure – If you do not use computers, motherboards, hardware, or anything like that, then you do not need a warehouse.
    • Appendix 1 – Record for Temperature and Humidity Control –  If you use a server room then it is necessary for the server to be in an appropriate environment (temperature and humidity). In that case, you need to monitor the temperature and humidity in that room.
    • Appendix 6 – Record of Medical Device Installation –  If the customer makes his own installation of the app, then you do not need these records.
    • Appendix 7 – Record of Servicing Activities –  Take into consideration that services in your case are solving bugs. So, you probably have some process of receiving customer complaints and the process of solving those bugs. You can then customize this form to your needs.

    Just a note that for each ISO 13485:2016 requirement that you define as not applicable to you, you need to write a justification in the Quality Manual explaining why it is not applicable. For example, for requirement 7.5.5 Particular requirements for sterile medical devices, you will state that your medical device is software and that it does not require sterilization.

  • Risk register

    Suggested controls for this set of Asset-Threat-Vulnerability are:

    • A.9.1.2 Access to networks and network services
    • A.13.1.1 Network controls
    • A.13.1.2 Security of network services

    For further information, see:

  • Pre audit visit by our assessment organization

    I can offer some comments here, but am not in a position to recommend a particular approach – it is up to your company to consider the benefit and risk. The optional pre-assessment on-site visit by the accreditation body (AB) will increase your accreditation costs significantly. The initial document review step that is included as part of the optional pre-assessment is part of the non-optional initial assessment activity and fee anyway. Many laboratories do not go for an AB pre-assessment, accepting the risk of nonconformance findings (along with the financial benefit), as the document review step of the initial assessment will indicate if there are significant gaps that need to be addressed before the initial on-site assessment by the AB. Even if the initial assessment on-site audit results in certain nonconformances, the laboratory will have time to address them. The only risk is a possible delay in accreditation if the laboratory does not have a good understanding of the requirements for major activities. This could result in absent or ineffective implementations that are only observed as nonconformances during the on-site visit. The impact could be not being recommended for accreditation at the time of the initial assessment and having to re-apply after finishing the implementation. However, if your laboratory has given attention to the major mandatory requirements and technical competencies, then the likelihood of this should be low.

    Furthermore, consider that in the current pandemic environment, many initial assessments are still being performed remotely, so it is not clear if the accreditation body would do a pre-assessment on-site visit. I suggest you engage with the accreditation body to help make your decision.

    As a minimum, it is advisable to at least perform a full pre-accreditation gap assessment, including the technical scope, using in-house (independent internal auditors) or a third-party organisation or consultant, as part of your internal audit program.

    For further information see the article ISO 17025 technical internal audit: The basics at https://advisera.com/17025academy/blog/2020/11/10/iso-17025-technical-internal-audit-the-basics/

    The following will also provide more information on internal audits:

    ISO 17025 document template: Internal Audit Procedure at https://advisera.com/17025academy/documentation/internal-audit-procedure/

    The five Internal Audit Procedure appendices (Internal Audit Program, Internal Audit Checklist, Audit Nonconformity Report, Internal Audit Process Checklist and Internal Audit Report) are available separately from the procedure link above, or included in the toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

  • Privacy Notices

    You need to consider the purpose of data processing, not the means. Why do employees fill in these forms? If they fill in the form to perform their job tasks, then the processing is included in the employee privacy notice which is attached to the employment agreement (if not, it should be).

    If the form is a survey to better understand the education or expertise of your staff, it may fall under the legitimate interest of the data controller (art. 6 lett. f) GDPR).

    In case the processing is not included in the employee privacy notice, you can decide whether to make a specific privacy notice or to update the employee privacy notice.

    Here you can find more information on the legal basis to process personal data according to the GDPR:

    If you want to learn how personal data are processed under the EU GDPR you may consider enrolling in our free training EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course/

  • Normative Reference

    You can include it in the manual or use a List of Compliance including regulations and statutory references. My recommendation is to have a separate document where you write this list. This is actually part of the needs and expectations of interested parties; for example, complying with a law is a need of a government institution.

    For more information about normative references in ISO 9001:2015 see the following materials:

    - How to include statutory and regulatory requirements in your QMS: https://advisera.com/9001academy/blog/2017/02/14/how-to-include-statutory-and-regulatory-requirements-in-your-qms/

    - Free on-line course - ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/

    - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Can company share their employee personal data?

    No, it means that in the agreement with your client you state that personal data connected to the performance of the contract will be processed as stated in the attached privacy notice. You may also link to the web portal, but if you attach the privacy notice to the contract it is easier to demonstrate compliance to the obligation of providing information about data processing.

  • ISO 9001 Audit

    You just need to include the records that have been produced since the implementation started. During the first steps of the implementation you must do an assessment of the training gaps that the personnel of your company have in order to prepare a training plan. The records produced from that training will be the ones you can include to demonstrate the competence of your people to carry out the processes in an effective way.

    For more information about training in ISO 9001, see the following materials:

    - https://advisera.com/9001academy/knowledgebase/how-to-ensure-competence-and-awareness-in-iso-90012015/

    - Enroll for a free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/

    - ISO 9001 Internal Auditor Course: https://advisera.com/training/iso-9001-internal-auditor-course/

    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Sample data for MSP

    Please note that it is our policy not to offer such sample artifacts.

    This is so because even organizations of the same industry and using the same IaaS provider have unique objectives and risk appetites, so the use of such sample artifacts can mislead organizations into adopting a security profile that does not fit their needs.

    These generic papers can give you an idea about a filled-in risk register:

    - Checklist of cyber threats & safeguards when working from home (PDF): https://info.advisera.com/27001academy/free-download/checklist-of-cyber-threats-and-safeguards-when-working-from-home

    - Diagram of ISO 27001:2013 Risk Assessment and Treatment process (PDF): https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process

    Please note that you can schedule a call with our ISO 27001 expert, who can give some tips on how to adapt the Risk Register, Statement of Applicability and your documents to your specific circumstances.

    Additionally, since Conformio can automatically suggest threats, vulnerabilities, and applicable documents based on the specific assets you enter, you can use the examples provided in the abovementioned papers to see how the process goes through the platform.
