Search results

Missing documents

 Please note that controls A.12.4.1 (Event logging) and A.12.4.3 (Administrator and operator logs) are covered in template “Security Procedures for IT Department”, located in folder 08_Annex_A_Security_Controls >> A.12_Operations_Security

Regarding controls A.12.4.2 (Protection of log information) and A.12.4.4 (Clock synchronization), please note the ISO 27001 does not require every applicable control to be documented, and in such cases, a short explanation about its implementation included in the Statement of Applicability will be enough (you can find documented information about these controls in the SoA template located in folder 06 Applicability of Controls).

This article will provide you a further explanation about controls documentation:

• How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/

Is ISO 9001 mandatory for company distributing medical devices?

No, ISO 9001 is not mandatory for the companies distributing medical devices. However, in the ISO 13485: 2016 standard in section 0.1 Introduction - General it is stated that the ISO 13485:2016 standard can be used by an organization involved in one or more stages of the lifecycle of a medical device including design and development, production, storage and distribution and so on.

Implementation questions

1. Do I need to perform mechanical tests on the liner? If so, which organization can do this?

You are the ones who determine the tests that need to be performed on your product. If this test is crucial to show that your product meets the specifications, then a test is needed.

As for the laboratories where the test needs to be conducted, MDR requires it to be some accredited institution.

However, we are not authorized to refer you to the appropriate institutions because we do not know your product and its specifications.

2. How long do I need to do clinical trials on the liner? How many months and how many patients need to wear the liner as part of the clinical trials?

Clinical trials for medical devices must be prepared in accordance with the standard ISO 14155:2020 Clinical investigation of medical devices for human subjects — Good clinical practice. How long the research will take depends on many factors, which are listed in this standard.

However, please be aware that clinical trials are necessary for those medical devices that are completely new and that there is no other source for clinical data. So, usually, it is for completely new types of medical devices, with new technologies or materials.

For all other medical devices, it is possible to perform the clinical evaluation with the available clinical and scientific data for the literature (Article 61 in the MDR 2017/745). If I understand what silicone prosthetic liner is, it is not a new device, therefore you can find a lot of clinical data on the internet. When you use literature data for your medical device, you need to find an equivalent device with which you will compare your medical device. Equivalence must be demonstrated at the clinical, technological, and biological levels.

For more information, see:

• EU MDR Article 61 – Clinical evaluation https://advisera.com/13485academy/mdr/clinical-evaluation/

• EU MDR Annex 14 Clinical evaluation and post-market-clinical-follow-up https://advisera.com/13485academy/mdr/clinical-evaluation-and-post-market-clinical-follow-up/

On the following links you can find how we have prepared in the ISO 13485&MDR Documentation toolkit documents and reports for clinical evaluation:

• Procedure for Clinical Evaluation https://advisera.com/13485academy/documentation/procedure-for-clinical-evaluation/
• Clinical Evaluation Plan https://advisera.com/13485academy/documentation/clinical-evaluation-plan/
• Clinical Evaluation Report https://advisera.com/13485academy/documentation/clinical-evaluation-report/
• Literature Research Protocol https://advisera.com/13485academy/documentation/literature-research-protocol/

• Transfer of pesonal data under GDPR

  Yes, it would be a data controller even before entering into a contract, because the third-party service provider will be free to decide the purposes and means of the processing of personal data belonging to the potential customer.

  Here you can find more information on the role of processor and controller:

  • EU GDPR controller vs. processor – What are the differences?: https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
  • Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/

  If you want to learn how to process data under the EU GDPR you may consider enrolling in our free training EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course/

• GDPR Checkpoints in ISO 27001 Audit Checklist

  Controls from ISO 27001 Annex A that can help verification of GDPR compliance are:

  • Controls from section A.8 (Asset Management), especially control A.8.2.1 (Classification of information)
  • Controls from section A.14 (System acquisitions, development, and maintenance)
  • Controls from section control A.15.1 (Information security in supplier relationships)
  • A.16.1 (Management of information security incidents and improvements)
  • A.18.1.1 (Identification of applicable legislation and contractual requirements)
  • A.18.1.4 (Privacy and protection of personally identifiable information)  

  This article will provide you a further explanation about ISO 27001 and GDPR:

  • Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/

• Statement of Applicability

  Please note that this control refers not only to laws but also to agreements (e.g., contracts) and regulations, so you need to also verify these elements. For example, you may have a contract with a customer or a supplier defining requirements for cryptography, or some regulation applicable to your industry may define requirements for cryptography.

  In case there are no agreements or regulations applicable to your organization, then you can record these controls as an exclusion in your SoA.

  This article will provide you a further explanation about SoA:

  • The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

  These materials will also help you regarding SoA:

  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• ISO Certified Auditor

  Depending upon the training provider, there are two options:

  1. attend an ISO 22301: 2019 transition course, if you are already a certified ISO 22301: 2012 lead auditor, where you will learn about the changes in the standard and how to perform audit considering these changes
  2. attend an ISO 22301: 2019 lead auditor course, where you will perform all the steps to requalify yourself as a lead auditor (i.e., attend the course, execute course activities, and take the final exam).

  Please note that, due to the number of changes in the new ISO 22301:2019, this qualification is not very important if you want to work as a consultant, but this is very important if you want to work as an auditor. 

  These articles will provide you a further explanation about ISO 22301:2019:

  • Infographic: ISO 22301:2012 vs. ISO 22301:2019 revision – What has changed? https://advisera.com/27001academy/blog/2019/12/02/iso-22301-2019-vs-iso-22301-2012-key-changes-infographic/
  • Mandatory documents required by ISO 22301 revision 2019 https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301/
  • Do we need to make the transition from ISO 22301:2012 to the 2019 revision? https://advisera.com/27001academy/blog/2019/11/05/iso-22301-transition-from-2012-to-2019-revision-is-it-needed/

• Is consent obligatory for our products?

  You should use a contract as a legal basis to provide your service. The processing of data through sensors seems essential to make the device working and so it is necessary to provide the service. If you use a contract as a legal basis, and the user denies agreeing with data processing you can deny the use of service since the processing of personal data is necessary.

  Here you can find more information on GDPR extraterritorial effect and on consent:

  • What is the EU GDPR and why is it applicable to the whole world? https://advisera.com/eugdpracademy/knowledgebase/what-is-the-eu-gdpr-and-why-is-it-applicable-to-the-whole-world/
  • Is consent needed? Six legal bases to process data according to GDPR https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
  • Four main questions for obtaining and managing data subjects’ consent under GDPR: https://advisera.com/eugdpracademy/knowledgebase/four-main-questions-for-obtaining-and-managing-data-subjects-consent-under-gdpr/
  • Everything you need to know about the GDPR Privacy Notice: https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/

  If you need to understand how to process consent under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/

• Transfer mechanisms

  You should use Standard Contractual Clauses (SCCs) as an annex to the contract with the US data importer. SCCs should be implemented by adequate safeguards, like encryption or pseudonymization, and contractual measures.

  If you need to know more about how to transfer data in third countries under the EU GDPR here you can find more information:

  • 3 steps for data transfers according to GDPR: https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/
  • Free webinar – How to make personal data transfers to other countries compliant with GDPR: https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/

  You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/

• Regarding intended purpose or intended use

  Both terms are used in MDR. The term intended purpose should be inserted in the technical documentation, ie in the product description, instructions for use. Intended use can also be used in clinical evaluation and other documents.