Each medical device must be designed and manufactured in accordance with the relevant technical standards. Given the variety of medical products (from the spoon for giving antibiotics to the artificial heart), it is clear that the same standards do not apply to all medical products. So it is the responsibility of the manufacturer to determine which additional standards apply to its product. Some such standards are, e.g., EN 12470 for clinical thermometers, EN 12184 for electrically powered wheelchairs, or EN ISO 11608 for needle-based injection systems.
Furthermore, certain standards refer to some procedures such as standards covering sterilization. Given the different methods of sterilization, there are dozens of standards associated with sterilization. Again, it is the responsibility of the manufacturer to determine which sterilization standards must be met.
According to the Medical Device Regulation (MDR 2017/745), all manufacturers of medical devices must comply with the so-called harmonized standards or state-of-the-art standards (Article 8 – Use of harmonized standards).
For more information, see:
The link to the harmonized standards published in the Official Journal of the European Union on 24-03-2020 is the following: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2020:090I:TOC
with an amendment from 14-04-2021: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2021.129.01.0153.01.ENG
For more information about what EU harmonized standards are, please see the following link:
1. In section 3.6, Documents of external origin, of the Procedure for Document and Record Control, there is a line saying: "Each external document that is necessary for the planning and operation of the QMS must be recorded in the incoming mail register." This is basically all emails, from purchase, sales, quality, etc.; basically every email needs to be registered because it can be necessary for the planning and operation of the QMS. This makes it completely inefficient to run the company. What is the absolute minimum to do here? We have several different systems that track important emails and documents. We have a program for the QMS to handle all documents, and we have an ERP system to track all sales/production/shipments. This email registering system will break us. Why do we need it? Please advise.
No, you do not need an e-mail incoming register. Here, the incoming register means all those paper documents that come to your company by regular mail (for example, contracts with suppliers, contracts with customers, some correspondence from regulatory institutions, or your orders, if they come by mail). Of course, if everything is via email, then you don't need this part. That is, describe here exactly what you wrote in your question: "We have several different systems that track important emails and documents. We have a program for the QMS to handle all documents; we have an ERP system to track all sales/production/shipments."
What is most important here is that you have control over incoming documents, that you know exactly when which document came and where it was stored or to whom it was forwarded.
2. ISO 13485 only states: "ensure that documents of external origin, determined by the organization to be necessary for the planning and operation of the quality management system, are identified and their distribution controlled." So why does the toolkit state that we have to have an advanced email document system?
Everything has already been answered in the previous question.
"I hope you can assist me and that my previous purchases cover asking questions like this.
I have a query for you about recording video, taking photographs and other media we record for events / webinars / podcasts, etc. The question relates to capturing the presenters and speakers at the events using video / photographs. Do we need to ask for consent under GDPR to process this data? Or do we ask them to sign a release so they are giving us copyright for the recordings / images, etc.?
You need to distinguish the contractual side of the relationship with the artist from the privacy compliance profile. When you take photographs, record a podcast, etc., you need to ask the artist to sign a release to give you the copyright for the images/recordings, etc. From a GDPR perspective, the legal basis of the data processing will be the contract, under Article 6.1.b.
If we ask them to sign a release form so we own the copyright of the material, how will this affect their rights under GDPR? For example, if they sign a release for a video and then later claim they want it deleted under GDPR, can they do this as we own the copyright? Or is there some other way we should process this data under the GDPR without relying on consent?"
The data subject will be able to exercise all the rights under GDPR which are linked to the management of the agreement. Of course, this will not have any effect on the copyrighted images, because in the release they waived such rights. GDPR will allow them to request erasure of personal data which are covered under the legal basis of consent (i.e., newsletter subscription, marketing communication, etc.), but the data controller will be able to continue processing data under the contract. Of course, consider the terms and conditions of the copyright release: if the agreement can be terminated and the artist can demand that you stop using his/her image/recording, that is another aspect, which does not involve privacy law but the contract with the artist.
Here you can find some information about the legal basis:
Some information is missing for providing a direct answer, so I’ll provide one considering two possible scenarios.
In case your company is a small one (i.e., up to 50 employees), it is better to include all of your organization in the ISMS scope, because the effort to separate elements that are inside the scope from those outside it wouldn't be worthwhile.
In case your company has more than 50 employees, you should evaluate whether keeping Sales and Marketing separated from the other divisions is worthwhile (you would have to treat them like external parties, for which you need to implement controls to separate them from the ISMS scope, while at the same time providing access to the information in the ISMS scope that they need).
This problem is described in detail in this article:
ISO 45001 provides requirements for companies to implement a management system to prevent injury and ill health in their employees; it does not certify the products and services that are provided by the company against any OH&S requirements. So, if you are purchasing a piece of equipment from an ISO 45001 certified company, this has nothing to do with the safety of that equipment.
However, the ISO organization has over 23,000 standards, and many of these are used to provide requirements to certify equipment. It may be possible that you are purchasing a piece of equipment that is ISO certified for electrical and fire building codes to an ISO standard; however, you would need to compare the requirements of this standard against your NRTL certification requirements to ensure they are equivalent.
You can learn a bit more on what the requirements of ISO 45001 for an Occupational Health & Safety management system are in the whitepaper: Clause-by-clause explanation of ISO 45001:2018, https://info.advisera.com/45001academy/free-download/clause-by-clause-explanation-of-iso-45001
Please find below the answers to your questions:
@Guest user
Can I appear as General Manager even if I am not in the Chamber of Commerce registration? If you need an engagement letter for certification purposes?
I would not include you in the organizational chart yet, since you are not officially in the company. You can include your position as a planned change in your QMS, and when you enter the company in 2022 your role must be included as well as your tasks and competence needed.
@Guest user
The administration is a service that we buy partly from a professional and partly from the accountant. Which of the cited ones applies? Do we have to put names, or is it enough to give the role, which can then be played by different people?
You will need to include these services as outsourced services, and you should specify that in the scope. Therefore, these services will need to be evaluated according to the criteria for the evaluation of suppliers. In addition, you won't need to put their names and roles, since they are outsourced suppliers and their companies are the ones that should do that.
@Guest user
Can we omit the organization chart or make a simplified one?
You can make a simplified one, as long as you can show how your organization is structured and the respective roles and responsibilities are described.
@Guest user
RGQ in our case of coinciding with AD?
It does not need to be the same person; there are no such requirements in ISO 9001:2015.
@Guest user
Are all the chapters and sub-chapters of the manual mandatory? If something does not apply to us or we have nothing to say, do we put N/A? For example, we do not have offices, but we work either digitally from home (especially in the last year and a half) or on-site at the customer.
Firstly, you need to know that the Manual is no longer a mandatory document. Having said this, you can adapt it to your own organization and delete those parts that don't apply to your company.
@Guest user
Can we use Teams and Office 365 as a repository?
You can, as long as you can control your documents and records and keep the confidentiality of the documentation.
For more information about ISO 9001 certification, you can see the following materials:
- QMS change management in 7 steps: https://advisera.com/9001academy/blog/2016/11/29/qms-change-management-in-7-steps/
- How to document roles and responsibilities according to ISO 9001: https://advisera.com/9001academy/blog/2018/02/26/how-to-document-roles-and-responsibilities-according-to-iso-9001/
- How to evaluate supplier performance according to ISO 9001:2015: https://advisera.com/9001academy/blog/2015/10/27/how-to-evaluate-supplier-performance-according-to-iso-90012015/
- Tips to make document control more useful in your QMS: https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
- Free online training ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
- Discover ISO 9001:2015 Through Practical Examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
I’m considering your question based on the information about the purchase of a documentation toolkit.
Considering that, you should create a spreadsheet file (e.g., Excel) containing the information you want to evaluate that is available in the incident log template (e.g., incident ID, date, affected asset, etc.).
From this database of incident metadata, you can generate the data for your report.
The incident log template can be found in folder 08_Annex_A_Security_Controls >> A.16_Information_Security_Incident_Management
Alternatively, you can take a look at our Conformio solution, to see if its Report Module features can fulfill your needs. You can access Conformio (online tool for ISO 27001) at this link: https://advisera.com/conformio/
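As an added illustration (not part of the answer above and not code from the Advisera toolkit or Conformio), the following script shows how the "database of incident metadata" idea works in practice: it parses a small, constructed export of an incident log and derives the figures a management report usually needs (open incidents, counts per category/severity/asset, mean time to close, incidents in a reporting period). The column names and the sample incidents are assumptions made for the example; adapt them to the fields of your own incident log.

```python
"""Added example: report figures derived from an incident-log export.
Column names and the sample incidents are constructed for illustration."""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export. The columns mirror the fields mentioned in the
# answer (incident ID, date, affected asset) plus a few that reports usually need.
SAMPLE_CSV = """\
incident_id,date_reported,date_closed,affected_asset,category,severity
INC-001,2021-03-02,2021-03-04,mail-server,phishing,medium
INC-002,2021-03-10,2021-03-10,laptop-17,malware,high
INC-003,2021-04-01,,file-share,unauthorized_access,high
INC-004,2021-04-15,2021-04-20,mail-server,phishing,low
INC-005,2021-05-03,2021-05-05,vpn-gateway,misconfiguration,medium
"""


def parse_incidents(csv_text):
    """Parse the export into a list of dicts with real date objects.
    An empty date_closed means the incident is still open."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["date_reported"] = datetime.strptime(row["date_reported"], "%Y-%m-%d").date()
        row["date_closed"] = (datetime.strptime(row["date_closed"], "%Y-%m-%d").date()
                              if row["date_closed"] else None)
        rows.append(row)
    return rows


def summarize(incidents):
    """Return the headline figures for a report on the given incidents."""
    closed = [i for i in incidents if i["date_closed"] is not None]
    days_to_close = [(i["date_closed"] - i["date_reported"]).days for i in closed]
    return {
        "total": len(incidents),
        "open": len(incidents) - len(closed),
        "by_category": dict(Counter(i["category"] for i in incidents)),
        "by_severity": dict(Counter(i["severity"] for i in incidents)),
        "by_asset": dict(Counter(i["affected_asset"] for i in incidents)),
        # None when nothing has been closed yet, so the report does not divide by zero
        "mean_days_to_close": (sum(days_to_close) / len(days_to_close)
                               if days_to_close else None),
    }


def incidents_in_period(incidents, start, end):
    """Incidents reported within [start, end] (inclusive), e.g. for a quarterly report."""
    return [i for i in incidents if start <= i["date_reported"] <= end]


if __name__ == "__main__":
    data = parse_incidents(SAMPLE_CSV)
    for key, value in summarize(data).items():
        print(f"{key}: {value}")
```

Exporting the incident log to CSV and running a script like this each reporting period keeps the log itself as the single source of record, while the report is regenerated rather than maintained by hand.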
1 - We are a small startup and have very little internal bureaucracy, let alone a document template pre-designed for that purpose, so in that sense we can be very flexible as to how we want the ISO 27001 documents to look. I thought I'd keep everything in electronic format and rely on the word processor's features for things such as authorship, version control, signature and approval of documents, etc. That means that many of the elements present in the templates from the toolkit (the change history table, table of contents, page numbers, etc.) are redundant, since they are already available as document metadata outside of the page. I understand these fields would be useful if we were ever to keep a printed copy of the document, but I don't think that is going to be the case. So my question is, should we nevertheless adhere to the format provided in the templates as a best practice, or is any format adequate as long as it is consistent with the specifications from the "Procedure for Document and Record Control" document?
Answer: You can implement the document control in any way you see fit, as long as the basic principles defined in the "Procedure for Document and Record Control" are followed.
For further information, see:
- Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
2 - Similarly, the use of job titles seems excessive for a company our size, where a single employee is usually the only one responsible for writing the document, approving it and monitoring compliance. We do not have upper management levels or a board of directors. In that sense, to what extent should we rely on the use of role names such as Information Security Manager, as opposed to a more generic IT Manager? Should these job descriptions be reflected somewhere else, such as in the employment contract?
Answer: You can designate information security responsibilities to existing roles in your organization, so there is no need to create new ones. Please note that ISO 27001 does not prescribe roles to be adopted by organizations, so they are free to define responsibilities as they see fit.
For further information, see:
- How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
3 - While working on some of the documents I noticed that the assessment of things such as requirements and stakeholders can be rather subjective. Is there any possibility of a certification body raising concerns owing to a disagreement on how this assessment was performed? In other words, how can we judge whether these documents contain enough and accurate information for the certification to be successful?
Answer: As long as your requirements and stakeholders are aligned with the elements identified for your organizational context, there won’t be a reason for questioning your assessment, unless there is an obvious point you missed (e.g., an organization not taking into account a mandatory law related to its industry, or service providers not taking into account contracts signed with their customers).
To help you with that, in the toolkit you will find the Procedure for Identification of Requirements, located in folder 02 Identification of requirements, which systematizes and documents the criteria you need to consider in the identification of requirements.
For further information, see:
- How to define context of the organization according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
4 - The documentation toolkit is sold with the premise of it containing all the information we need to become certified, but it refers to the standard itself at various explanatory notes throughout. E.g.: Requirements relevant for ISMS implementation are those established by the standard itself (all statements that contain the word “shall” are requirements). Would you advise purchasing the standard as complementary information to the toolkit?
Answer: The toolkit was designed to cover all the requirements of the standard and to be used with little to no knowledge of the standard, so you only need to buy the standard if you want to have direct contact with its content (before that, we suggest you watch our free online training, the ISO 27001 Foundations Course: https://advisera.com/training/iso-27001-foundations-course/).
These articles will provide you with further explanation about ISO 27001:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/
Please note that these references in the Project Checklist are to articles available on the site, not to templates. That is the reason they are not included in the zipped folder.
They are available for free, so users can gain knowledge about topics related to the templates referred to in the checklist.
There is no direct requirement for these codes in ISO 13485:2016. What is more important, however, is that there is a requirement that the medical device must be safe. Given all possible types of medical devices, different codes will be applicable to each. So if the UL code confirms the safety of your product, then it is very much needed.