Please note that some documents from the toolkit are now embedded in some Conformio Module (e.g., Risk Assessment and Treatment Table are embedded in the Risk Register Modules, and Audit program, audit checklist, and audit report are embedded in the Audit module). In case of need, you can export this information to documents.
Regarding templates for policies and procedures related to ISO 27001 Annex A, all templates available in the toolkit are also available in Conformio. They will be displayed according to the results displayed in the Statement of Applicability (i.e., related to the results of risk treatment and applicable legal requirements). In case all controls are identified as applicable in the SoA you will have access to the same template available in the documentation toolkit.
1 - Our owner/parent company (***) is also our supplier for several IT services (e.g., network). They define rules and settings that automatically apply to us (in their role as owner). However, in their role as supplier they would have to adhere to the standards we (subsidiary = ***) set for them, correct? How should we formulate this in our ISMS Scope and how should we treat it in the SOA?
Answer: Please note that this question about rules, settings, and standards does not apply to the definition of the ISMS scope.
In the definition of the scope, you only need to mention that your IT services are outsourced (you do not even need to identify the provider in the scope). The detailed information about the outsourcing situation is used when performing a risk assessment.
For further information about scope, see:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
Regarding your scenario, as the owner/parent company, your “supplier” will have the last word in any setting you define regarding the provided services, so you need to agree with them if these settings are needed (based on the results of risk assessment and applicable legal requirements) and feasible. In this situation you have two possible scenarios:
- they agree with your settings and create specific rules for your organization.
- they do not agree with your settings, and you will need to evaluate the related risks to decide on another way to treat them.
2 - And are there any recommendations regarding how such a relationship should be clearly formulated in an SLA?
Answer: The fact that your owner/parent company is also your IT supplier does not affect the regular content an SLA should cover, so you need to define in your SLA items like service description, scope, performance supported, contacts, etc.
This article will provide you with a further explanation about SLAs:
- What’s the content of an ITIL/ISO 20000 SLA? https://advisera.com/20000academy/blog/2016/06/14/whats-the-content-of-an-itiliso-20000-sla/
You are partially correct. While some documents can be classified in a way that forbids them from leaving the premises, you may need to make such documents available to the internal auditor when he is off-premises (e.g., during a remote audit due to the pandemic) because they are related to mandatory clauses, or are paramount to evaluating a specific control. In these cases, you need to evaluate the related risks and implement proper controls to decrease the risks to acceptable levels (e.g., sign a specific NDA, provide access only to an electronic version through a secure connection to your network, etc.).
These materials will provide you with a further explanation about remote audits:
Raw data do not need to be in the eLN; it is enough to refer to the documents containing the data.
It depends on the reason you want to make this list. Potentially, yes, you can make this list, you can send them a cold email under legitimate interest (the so-called soft-spam) in order to introduce your company and services, but you don't have to insert a call to action because marketing activities require consent as the legal basis.
Here you can find more information on GDPR extraterritorial effect and on consent.
If you need to understand how to process consent under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/
My question is: I am going to update the medical device file as per the EU MDR (Article 1), so what should be the scope? As per my understanding, I have defined the scope for PACS as follows. This procedure applies to:
- Technical/engineering documentation required for the release of XYZ medical device software.
- Changes to the product, process, facility, quality system, or organization.
- All countries and territories where XYZ medical devices are approved for sale (EU for CE Marking).
I just want to confirm whether this scope is sufficient, or whether we should expand our scope, or if you suggest something more.
If this scope is enough to completely describe your product and if the purpose of the product is clearly seen within that scope, then it is enough.
What are the new changes as per the new ISO 15223-1:2021 for PACS software?
Yes, there is a special symbol for software. And also there is a symbol pointing to a website with additional installation instructions (if you have one).
Is there any specific retention time period for software? As per the MDR, it is 10 years after the last device covered by the EU DoC, and 15 years for implantables.
So far there is no specific retention time period for software. However, be aware that you need to follow additional information from the MDCG group. They regularly publish new guidelines and interpretations: https://ec.europa.eu/health/md_sector/new_regulations/guidance_hr
According to my knowledge, under the FDA it is Class 1. But please take that with a grain of salt; namely, we are not authorized to define the classification of medical devices.
Definitions for classification can be found on the following link: https://www.fda.gov/medical-devices/overview-device-regulation/classify-your-medical-device
For more information regarding fulfilling FDA regulatory classes for medical devices, please see the following link:
Please note that ISO 27001 does not prescribe or make reference to document tiers.
Considering that, the concept of tiers is a common interpretation made by organizations to make ISO documentation management easier to understand.
In this interpretation the tiers are:
This material will provide you with a further explanation about document management:
Thank you very much, Sir. This information is very helpful.
Measurement uncertainty is a statistical measure, offering a range within which there is an equal probability of the result value lying, at a particular confidence. This uncertainty estimate is therefore a combination of all the factors that affect the variability of results, on a method to method basis. The approach is to firstly know your method and the process steps, then determine the type of contributors to uncertainty. This depends on your method. It helps to use a checklist and record to guide and report the process. Where detailed measurement uncertainty evaluation is not possible due to the nature of the test method, the measurement uncertainty may be estimated based on principles of the techniques or practical experience of the performance of the method.
Advisera’s ISO 17025 toolkit guides you through the implementation of ISO 17025. The ISO 17025 document template: Evaluation of Measurement Uncertainty Procedure and related Measurement Uncertainty Checklist and Measurement Uncertainty Record are available as part of the ISO 17025 toolkit; or as separate documents; to guide you in the process. A complete discussion of measurement uncertainty is however outside of the scope of the toolkit.
Technicians responsible for uncertainty calculations need some technical training and support to fully understand what is required, because you need to have an understanding of Type A and Type B uncertainties and the statistical calculations. Type A is based on the statistical analysis of measurements, and Type B is based on other sources of information such as calibration or reference material certificates and the uncertainty reported on the certificate. In many chemical processes, Type A contributors to precision are typically the largest contribution.
For more information regarding measurement uncertainty, see the ISO 17025 toolkit document template: Evaluation of Measurement Uncertainty Procedure at https://advisera.com/17025academy/documentation/evaluation-of-measurement-uncertainty-procedure/. This covers the basic principles and steps to plan, measure and calculate the data required for an evaluation of measurement uncertainty. The two appendices related to the document, Measurement Uncertainty Checklist and Measurement Uncertainty Record, support the process.
I recommend you also look to your sector and suppliers for commonly used approaches.
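As an added worked example of the Type A / Type B combination described in the answer above (this script is not part of the original answer, the Advisera toolkit, or ISO 17025 itself), the following Python code takes a set of constructed replicate measurements, derives a Type A standard uncertainty from their scatter, converts two hypothetical Type B inputs (a calibration certificate's expanded uncertainty and an instrument resolution treated as a rectangular distribution) to standard uncertainties, combines them by root-sum-of-squares, and reports the expanded uncertainty. The coverage factor k = 2 and the conversions used follow the usual GUM conventions and are assumptions of the example, not values taken from the page; all sample numbers are made up.

```python
import math
from statistics import mean, stdev

# Constructed replicate results of a hypothetical chemical test (mg/L).
REPLICATES = [10.12, 10.08, 10.15, 10.10, 10.09, 10.13]

# Hypothetical Type B inputs: certificate states U = 0.02 mg/L at k = 2,
# and the instrument display resolution is 0.01 mg/L (half-width 0.005).
CERT_EXPANDED_U = 0.02
CERT_K = 2.0
RESOLUTION_HALF_WIDTH = 0.005


def type_a_uncertainty(values):
    """Type A: standard uncertainty of the mean of n repeated measurements,
    i.e. the sample standard deviation divided by sqrt(n)."""
    n = len(values)
    if n < 2:
        raise ValueError("Type A evaluation needs at least two replicates")
    return stdev(values) / math.sqrt(n)


def type_b_from_certificate(expanded_u, k):
    """Type B: a certificate reports an expanded uncertainty U at coverage
    factor k; the standard uncertainty is U / k."""
    if k <= 0:
        raise ValueError("coverage factor must be positive")
    return expanded_u / k


def type_b_rectangular(half_width):
    """Type B: a quantity known only to lie within +/- half_width (e.g. a
    display resolution) is modelled as a rectangular distribution, whose
    standard uncertainty is half_width / sqrt(3)."""
    return half_width / math.sqrt(3)


def combined_standard_uncertainty(contributors):
    """Root-sum-of-squares of independent standard uncertainties."""
    return math.sqrt(sum(u * u for u in contributors))


def expanded_uncertainty(u_c, k=2.0):
    """Expanded uncertainty U = k * u_c; k = 2 is the conventional choice
    for an approximately 95 % coverage interval."""
    return k * u_c


def evaluate(values, cert_expanded_u, cert_k, resolution_half_width, k=2.0):
    """Full evaluation: returns every contributor so the budget can be
    recorded (as a Measurement Uncertainty Record would require) and
    flags which contributor dominates."""
    contributors = {
        "type_a_repeatability": type_a_uncertainty(values),
        "type_b_certificate": type_b_from_certificate(cert_expanded_u, cert_k),
        "type_b_resolution": type_b_rectangular(resolution_half_width),
    }
    u_c = combined_standard_uncertainty(contributors.values())
    largest = max(contributors, key=contributors.get)
    return {
        "mean": mean(values),
        "contributors": contributors,
        "u_c": u_c,
        "k": k,
        "U": expanded_uncertainty(u_c, k),
        "largest_contributor": largest,
    }


if __name__ == "__main__":
    result = evaluate(REPLICATES, CERT_EXPANDED_U, CERT_K, RESOLUTION_HALF_WIDTH)
    print("Uncertainty budget (constructed data):")
    for name, u in result["contributors"].items():
        print(f"  {name:<22s} u = {u:.5f} mg/L")
    print(f"  combined u_c           = {result['u_c']:.5f} mg/L")
    print(f"  expanded U (k={result['k']:.0f})       = {result['U']:.5f} mg/L")
    print(f"Result: {result['mean']:.3f} +/- {result['U']:.3f} mg/L "
          f"(dominant term: {result['largest_contributor']})")
```

Each contributor is kept separately in the returned budget so that the record shows not just the final interval but which term drives it; in this constructed case the repeatability (Type A) term is the largest, matching the answer's remark about chemical methods, and reducing it (more replicates, tighter procedure) would have more effect than a better certificate.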