Thank you Mark. That's helped clarify the situation completely. Very helpful to understand the context of the QA Manual need outside the framework of the standard
Yes, clinical chemistry reagents are considered to be in vitro diagnostic medical devices, therefore ISO 13485:2016 is applicable as the quality management standard.
First of all, congratulations on your company’s achievement.
Regarding the IT assets disposal, you need to evidence that the applied data deletion method has made the previously stored information unrecoverable and that its application was verified and approved by the data owner.
For example, for a laptop, you can perform full disk encryption two or three times in a row, and at each time encryption is performed you must destroy the related encryption key.
As proof for auditors you can develop a "Destruction/Deletion Record" containing the information about the asset, the deletion method applied, the date when the procedure was performed, and the signature of the person responsible for the deleted data, as confirmation that the procedure was successful.
For technical guidance, you should consider these references:
- ISO/IEC 27040 Information technology — Security techniques — Storage security - https://www.iso.org/obp/ui/#iso:std:iso-iec:27040:ed-1:v1:en
- NIST SP 800-88 Rev. 1 - Guidelines for Media Sanitization - https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final
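The cryptographic erase and the deletion record described in the answer above, as an added example that is not code from the original thread. It works on an in-memory byte buffer standing in for a disk, uses HMAC-SHA256 in counter mode as a stand-in for a real full-disk encryption tool (LUKS, BitLocker, FileVault), and the asset ID, person and date are hypothetical. The verification step is the point: after the key is gone, none of the known plaintext markers can be found on the sanitized media, and the record captures who confirmed that and when.

```python
"""Cryptographic erase of a simulated disk image plus a deletion record.

Added example, not from the original thread. The cipher below (HMAC-SHA256
keystream in counter mode) stands in for real full-disk encryption; the
"disk" is a constructed bytes buffer, and all identifiers are hypothetical.
"""
import hashlib
import hmac
import secrets
from datetime import date
from typing import List, Optional, Tuple

BLOCK = 32  # one SHA-256 output per keystream block

# Constructed sample "disk image": a filesystem-like header plus customer
# records that must not survive disposal (not real data).
SAMPLE_IMAGE = (
    b"FS-HEADER v1\x00" * 4
    + b"customer=alice@example.com;card=4111111111111111\n" * 8
    + b"\x00" * 256
)
# Known plaintext fragments the verifier searches for after sanitization.
MARKERS = [b"alice@example.com", b"4111111111111111", b"FS-HEADER"]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (encrypt == decrypt)."""
    out = bytearray(len(data))
    for i in range(0, len(data), BLOCK):
        ks = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[i:i + BLOCK]
        out[i:i + len(chunk)] = bytes(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def crypto_erase(image: bytes, passes: int = 1) -> Tuple[bytes, List[str]]:
    """Encrypt the image `passes` times with a fresh random key each time.

    Each key is dropped right after use and is never returned; only a
    fingerprint is kept so the record can show that a key existed. On real
    hardware the FDE tool would wipe the key slot / TPM instead.
    """
    data = image
    fingerprints = []
    for _ in range(passes):
        key = secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        fingerprints.append(hashlib.sha256(key).hexdigest()[:16])
        data = keystream_xor(key, nonce, data)
        del key  # the only reference to the key; the data is now unrecoverable
    return data, fingerprints


def verify_unrecoverable(media: bytes, markers: List[bytes]) -> bool:
    """NIST SP 800-88 style verification: no known plaintext left on the media."""
    return all(m not in media for m in markers)


def deletion_record(asset_id: str, method: str, verified_by: str,
                    sanitized: bytes, fingerprints: List[str],
                    when: Optional[str] = None) -> dict:
    """Build the Destruction/Deletion Record an auditor would ask for."""
    verified = verify_unrecoverable(sanitized, MARKERS)
    return {
        "asset_id": asset_id,
        "method": method,
        "date": when or date.today().isoformat(),
        "destroyed_key_fingerprints": fingerprints,
        "post_sanitization_sha256": hashlib.sha256(sanitized).hexdigest(),
        "verified_by": verified_by,
        "result": "unrecoverable" if verified else "FAILED - do not dispose",
    }


if __name__ == "__main__":
    wiped, fps = crypto_erase(SAMPLE_IMAGE, passes=2)
    rec = deletion_record("LAP-0042", "cryptographic erase, 2 passes",
                          "J. Doe (data owner)", wiped, fps)
    for k, v in rec.items():
        print(f"{k}: {v}")
```

If the verification fails the record says so and the asset must not leave the building; that branch is what distinguishes a record from a checkbox. On physical devices run the same check by sampling the raw block device (e.g. with `grep -a` or `strings`) for data you know was there before the erase.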
No, these non-medical devices do not require a risk assessment. Of course, you do have risk analysis under ISO 9001:2015, and you can cover any specific risks for these devices there.
You can find more about risk management within ISO 9001 at the following links:
First, it is important to note that ISO 27001 does not require an ISMS manual to be written, nor that documents be organized according to specific sections.
Considering that, the documents under the Documents module become available after you either finish the template wizards or upload your own documents. The template wizards are suggested for the mandatory documents, and for documents related to the results of risk assessment and applicable legal requirements.
For further information, see:
In general, the proper treatment of such information will depend on the results of risk assessment and applicable legal requirements.
For example, if the risks are low and there are no legal requirements, you do not need to apply specific protections for those documents. On the other hand, you may have a legal requirement (e.g., law, regulation, or contract) requiring the use of safes to protect such information.
In case you already have the Information Classification Policy implemented, you need to consider the information classification this information has, and the related treatments identified in the policy.
For further information, see:
If your company provides services to individuals based in the EU you will need to appoint an EU representative, according to Article 27 GDPR. Of course, you don't have to if your service to EU individuals is occasional. You can offer your services internationally from the UAE, and if your customer base in the EU grows and services are no longer occasional, then you can appoint an EU Representative.
Here you can find more information about the roles in the EU GDPR:
If you need to understand how to comply with the EU GDPR you may consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/
Please note that while ISO 22301 requires recovery plans to be documented, the standard does not define how to document them.
The disaster recovery plan template included in the toolkit, as explained in the previous answer, has all the content structure you need to define the recovery plan (i.e., plans to return to normal). It was made this way to avoid creating additional documents, which would only unnecessarily increase the administrative work of maintaining the documentation. In case you want recovery plans as separate documents, then you should use the blank template to develop this specific document.
Please note that included in your toolkit there is a List of Documents file that shows which clause of the standard is covered by each template. There you will find that clause 8.4.5 is covered by the templates Appendix 6 – Disaster Recovery Plan and Appendix 7 – Activity Recovery Plan.