1. What language requirements are there on the following in countries within the EU?
- Labels of main product
- Labels of product boxes
- Labels of outer boxes
- Manuals/IFU
According to Article 10 (General obligations of manufacturers), manufacturers shall ensure that the device is accompanied by the information set out in Section 23 of the General Safety and Performance Requirements in an official Union language(s) determined by the Member State in which the device is made available to the user or patient. The particulars on the label shall be indelible, easily legible, and clearly comprehensible to the intended user or patient.
So, this means that if you put your medical device only on one market, then it is enough to have it in only one official language of the EU.
For more information, see:
2. Do you have a list on specific language requirements PER country on the above?
No. We do not have a list of specific language requirements per country.
1 - The Document of the scope
The company has around 120 employees, has 2 sites, and 3 different activities: IT Solution integration, Training, and Cloud service provider.
One site contains the IT Solution integration and training Divisions with the HR & Commercial Departments, the other site contains the Cloud Division.
The company wants to certify only the Cloud Activity, but I want to check if we should include in the Scope the HR and Commercial departments to respond to the A.7 requirements and the security of customers personnel information & customers Contracts.
Answer: Please note that an ISMS scope is defined in terms of location, information, or processes to be protected, so taking into account your intention to certify the Cloud Activity, and that it is located in a separate site, the best options for defining your scope would be by location (Cloud division site) or processes (processes related to cloud service provision).
Considering that, you do not need to include in the ISMS scope the HR and Commercial departments. In the mentioned situation these departments are dependencies to your ISMS scope, and as dependencies, they only need to be identified during the risk assessment and risk treatment process, so proper controls are selected to protect the information in the ISMS scope they have access to.
For further information, see:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
2 - The Business Continuity
Should we also prepare all the documents related to A.17 requirements even if the company doesn't plan to include the BCMS and business continuity certification in this scope?
Thanks in advance for your support.
Best regards
Answer: In case there are no relevant risks or legal requirements justifying the implementation of controls of section A.17, you do not need to implement related documents.
You only need to implement documents related to section A.17 in case you have relevant risks or legal requirements demanding the implementation of these documents. In our experience, we did not see any company that has excluded these controls.
For further information, see:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
Please note that either you have unacceptable risks or you do not have them - if you do not have them, then classification controls will not be applicable; if you have unacceptable risks then the controls need to be applicable, and in such case during the implementation you can define whether these controls apply only to some assets (e.g. secure data center), or all assets.
This article will provide you a further explanation about the selection of controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
Please note that in your stated scenario employees will still have to use some sort of equipment (company-owned or employee-owned equipment) to access the company's processes from somewhere (e.g., from an employee's house or a hotel), so you need to perform a risk assessment to identify whether there are any relevant risks that require the implementation of such controls.
This article will provide you a further explanation about remote work:
This material will also help you regarding remote work:
First you need to identify the risks associated with the context of your organization. You can use a SWOT analysis to determine the risks and opportunities. You have to identify the risks related to the customer requirements but also additional risks associated with other requirements that have to be complied with, for instance risks coming from the regulatory environment, specific levels of toxic substances that cannot be exceeded, etc. Some other examples of risks may include: human capital risks, financing risks, IT risks, etc.
Once you have identified the risks, you will need to use certain criteria to determine their significance, for instance, frequency of the risks, impact, etc. These criteria are not stated by ISO 9001:2015, so you can decide which criteria best fit your organization. Afterwards, you will have to carry out the necessary actions to eliminate or mitigate the risks according to their significance. Those risks that are subject to laws and regulations will automatically be significant and your company will need to take the necessary actions to mitigate the risks (i.e. fulfill the regulatory requirements). These actions may include HR training, new equipment, better facilities, work instructions, improvements to calibration procedures, etc. Once these actions have been implemented and run for a certain amount of time you will need to measure their effectiveness.
Basically these are the steps that you will need to follow:
1. Determine risks
2. Assess risks
3. Mitigate risks
4. Monitor results
You can find more information below:
- Free webinar on-demand – How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar-on-demand//
- How to address risks and opportunities in ISO 9001: https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- How to identify risk significance in ISO 9001:2015 - https://advisera.com/9001academy/blog/2019/01/14/how-to-identify-risk-significance-in-iso-90012015/
- For a free preview of an example of the Registry of Key Risks and Opportunities - https://advisera.com/9001academy/documentation/registry-of-key-risks-and-opportunities/
- Enroll for the free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ (I use a lot of examples based on the risk-based approach)
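The four-step procedure in the answer above (determine, assess, mitigate, monitor), as an added worked example that is not part of the original answer: a small risk register where the organization picks its own significance criteria (an assumed 1-5 likelihood x 1-5 impact grid, since ISO 9001:2015 prescribes none), regulatory risks are significant regardless of score, and effectiveness is judged by re-scoring after actions have run. The register entries are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed criteria: ISO 9001:2015 does not prescribe them, so this is an
# assumed 1-5 likelihood x 1-5 impact grid with a significance threshold.
SIGNIFICANCE_THRESHOLD = 10

@dataclass
class Risk:
    name: str
    likelihood: int                      # 1 = rare .. 5 = frequent
    impact: int                          # 1 = negligible .. 5 = severe
    regulatory: bool = False             # subject to laws or regulations
    actions: List[str] = field(default_factory=list)
    residual_score: Optional[int] = None  # re-assessed after actions have run

    def score(self) -> int:
        return self.likelihood * self.impact

    def is_significant(self) -> bool:
        # Regulatory risks are significant regardless of their score.
        return self.regulatory or self.score() >= SIGNIFICANCE_THRESHOLD

def assess(risks: List[Risk]) -> List[Risk]:
    """Step 2: rank risks, regulatory first, then by descending score."""
    return sorted(risks, key=lambda r: (not r.regulatory, -r.score()))

def plan_actions(risks: List[Risk]) -> List[Risk]:
    """Step 3: significant risks with no actions planned yet need treatment."""
    return [r for r in assess(risks) if r.is_significant() and not r.actions]

def monitor(risk: Risk, residual_likelihood: int, residual_impact: int) -> bool:
    """Step 4: record the re-assessed score; actions were effective only if the
    risk now sits below the threshold (regulatory risks must get there too)."""
    risk.residual_score = residual_likelihood * residual_impact
    return risk.residual_score < SIGNIFICANCE_THRESHOLD

# Constructed sample register (step 1: determine risks)
REGISTER = [
    Risk("Toxic residue above regulatory limit", 2, 5, regulatory=True),
    Risk("Key technician leaves (human capital)", 3, 4),
    Risk("Supplier financing failure", 2, 2),
    Risk("ERP outage (IT)", 4, 3, actions=["backup site", "restore drills"]),
]

if __name__ == "__main__":
    for r in assess(REGISTER):
        print(f"{r.name}: score={r.score()} significant={r.is_significant()}")
    print("needs action:", [r.name for r in plan_actions(REGISTER)])
```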
There is no such requirement in ISO 9001:2015, so you can do whatever works best for your organization. Actually this is an old view of the processes and departments in an organization and I believe the opposite is true, that is, having the Quality Department report to Operations can be an efficient way to ensure that the best resources are deployed to the operating processes. Quality and Operations should work as a team rather than adversaries in order to bring real benefits for your company.
For more information about quality and operations in ISO 9001:2015, see the following materials:
- What is operational planning in the ISO management system standards: https://advisera.com/blog/2021/02/15/what-is-operational-planning-in-the-iso-management-system-standards/
- Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
Another question. I think we know the answer, but just double check.
Q2 – We produce hardware and software that we sell to our customers. The software is based on licences.
2.1 - Do the ISO controls apply in any way to these products? I think not. That once they are acquired by the customer the responsibility in terms of ISO27001 falls under them. Am I right?
You are partially correct. While ISO 27001 does not apply to products or services, it can be applied to a product lifecycle process, which may cover support to sold products, and the release of updates to fix identified security breaches. Regular security updates for smartphones, released by their manufacturers, are an example.
2.2 - Does the ISO indicate controls for SDLC (Secure Development Life Cycle)? And for hardware?
ISO 27001 does not explicitly specify controls for SDLC, but by the nature of the controls from section A.14 (System acquisition, development, and maintenance) these can be applicable to SDLC.
As for hardware, please note that the SDLC concept applies to both hardware and software, and controls from section A.14 of ISO 27001 Annex A refer to systems, which are composed of hardware and software elements.
For further information, see:
2.3 - If we provide some sort of support service (maintenance, improvement, patching, etc.), how does this affect us in terms of the ISO? If we just intervene in the systems and leave without collecting any data, I guess that we have nothing to do for ISO, but if we collect some data (logs, records, etc.) and store it in our systems then this data becomes our responsibility and thus is affected by the ISO. Is this assumption right? What controls would affect these logs/records/info?
In case your support service process is included in your ISMS scope, then you need to go through all ISO 27001 requirements. Whether you collect data or not will only make a difference regarding which risks your process will be exposed to, and the applicable controls (i.e., by intervening and collecting data you will be in a more complex and riskier situation).
About which controls to consider regarding logs/records/info, this will depend on the results of risk assessment and applicable legal requirements.
For further information, see:
The biggest challenge is to prepare all the necessary documentation that MDR requires. Now, it depends on whether you already have a certified product according to MDD or it is a completely new product that has never been certified before. If you already have a medical device certified according to the MDD (so-called legacy devices), then the situation is somewhat easier because you have most of the documentation already prepared.
For more information on the difference between MDD and MDR, see the following links:
For more information, see:
To help you in the preparation of the technical documentation, please read the following article:
1 - How does BC strategy fit into an ISO 9001 certified company?
Answer: The BC strategy in an ISO 9001 certified company needs to be considered during the planning and creation of the product or service, because it is related to how an organization will ensure its recovery and continuity (i.e., continuing to deliver its product or service) in the face of a disaster or other major incident or business disruption (e.g., pandemic). It covers general decisions like the use of alternative sites, redundancy of suppliers, etc., which will affect the need for resources.
For further information, see (ISO 22301 is the leading ISO standard for business continuity management):
- Can business continuity strategy save your money? https://advisera.com/27001academy/blog/2010/03/15/can-business-continuity-strategy-save-your-money/
- ISO 22301 Case study in the travel industry: Business continuity as a necessity in customer care https://advisera.com/27001academy/blog/2016/11/07/iso-22301-case-study-in-the-travel-industry-business-continuity-as-a-necessity-in-customer-care/
- How to use ISO 22301 to continue operations during the pandemic [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-use-iso-22301-to-continue-operations-during-the-pandemic-free-webinar-on-demand/
2 - What is the impact on the QMS (supply chain crisis, sales, training and communication, etc.) of whether or not you have a BC strategy?
Answer: To define a business continuity strategy a company needs to think upfront about potential impacts that can arise from disruption of its operations, so the main impacts for a company that has a BC strategy are:
- processes for delivering products and services are more robust and less prone to situations that can lead to a disruption (if you already have considered where major impacts can happen, then you can work on how to prevent situations that can lead to them).
- it makes its response time quicker in case of disruption because people will already know what to do.
For further information, see:
- Enabling communication during disruptive incidents according to ISO 22301 https://advisera.com/27001academy/blog/2016/12/19/enabling-communication-during-disruptive-incidents-according-to-iso-22301/
3 - How should I convince my CEO of its importance? (To my knowledge we don't have a documented BC Plan.) Thank you for clarifying and presenting this topic.
Answer: To obtain support from top management to implement a BC strategy, it is very important to show the benefits of such implementation, which basically are:
- less effort in the compliance process, and fewer penalties to be paid.
- marketing advantage
- reducing dependency on individuals
- prevention of large-scale damage
Since you are already ISO 9001 certified, and BC strategy is only one part of business continuity, you should consider integrating practices from ISO 22301 into your QMS. ISO 9001 and ISO 22301 have many common requirements, so this integration is possible.
For further information, see:
- ISO 22301 benefits: How to get your management's approval for a business continuity project https://advisera.com/27001academy/knowledgebase/iso-22301-benefits-how-to-get-your-managements-approval-for-a-business-continuity-project/
- How to implement integrated management system https://advisera.com/articles/how-to-implement-integrated-management-systems/
In case the information you want your Information Security Management System to protect interacts with these systems, then you need to ensure these systems fulfill your information security standards.
In cases like these, where you find relevant risks to information that are related to systems managed by third parties, you need to consider controls from section A.15 (Supplier relationships), which will help you enforce your security needs and requirements upon suppliers.
For information about controls from section A.15 (Supplier relationships), I suggest you look at these articles: