Search results

List of ISO Standards for medical devices and IVD’s

According to the Medical device regulation MDR 20174/745, in Article 8 – Use of harmonized standards – is stated that medical device manufacturers must be in compliance with ISO standards published by the Official Journal of the European Union. Currently, valid lists of standards are:

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.LI.2020.090.01.0001.01.ENG&toc=OJ:L:2020:090I:TOC />https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2021.129.01.0153.01.ENG
Please be aware that not all standards from that list are applicable for all medical devices. 
 
For more information, see:

EU MDR Article 8 – Use of harmonised standards - https://advisera.com/13485academy/mdr/use-of-harmonised-standards/

Mock recall in medical devices

There is no direct requirement regarding the mock recall in both ISO 9001 and ISO 13485. In ISO 13485:2016 recall is covered under the requirement 8.2.3 Reporting to regulatory authorities. There it is said that complaints that can have unacceptable risks to the health or safety of patients must be reported to the competent authority in accordance with the applicable regulatory requirements.

In Medical device regulation MDR 2017/745, Article 95 Procedure for dealing with devices presenting an unacceptable risk to health and safety is also stated that recall is necessary and describe the process of recall.

Fortunately, recall is a rare situation with most manufacturers. That is why it is logical to do a recall simulation from time to time to make sure that the entire traceability process and the recall are under control.

The requirement that the manufacturer must have its processes under control is specified in 4.1 General requirements.

Implementation questions

I am currently researching on the topic of ISO 27001 as our number of institutional clients is increasing.

I would be interested in some information regarding the standard so I would be very grateful if you could take some time to help me with the questions:

1. I looked at the phases of standards from Planning, Implementation, Verification and Further Improvements. I wonder how long on average full implementation and verification takes?

Answer: The duration of the implementation project varies according to many variables (e.g., available resources, experience with standard's requirements, top management involvement, etc.), but for small and medium-size organizations the implementation generally varies from 3 to 12 months.

To get an insight into the time duration for your organization, please read:
- ISO 27001 checklist: 16 steps for the implementation https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- How long does it take to implement ISO 27001 / BS 25999? https://advisera.com/27001academy/blog/2011/11/08/how-long-does-it-take-to-implement-iso-27001-bs-25999/  - you should also note that this is the timing that is needed for companies that use our toolkits

2. Where are and what are our potential financial costs?

Answer: There are a significant number of variables to be considered when estimating an implementation cost, so without more detailed information, it's not possible to precise a value. What I can tell you are some cost issues you should consider:
- Training and literature
- External assistance
- Technologies to be updated/implemented
- Employee's effort and time
- The certification process

These articles can provide you more information:
- How much does ISO 27001 implementation cost? https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
- 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/19/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/
- How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project/

3. At what stage would the Auditor come and is this something you could do for us? (Also, I'm interested in the fee for that)

Answer: From your question is not clear if you are referring to an internal auditor or a certification auditor, so the answer will cover both situations.

The internal auditor should come sometime after the implementation of the required controls when at least one cycle of required monitoring and measurement had been performed, so the internal auditor has enough evidence to evaluate if controls are implemented and working as planned.

For further information, see:
- Qualifications for an ISO 27001 Internal Auditor https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/

The certification auditor should come sometime after the performing of the first management review, when at least some corrective actions or opportunities for improvement had been addressed, so the certification auditor has enough evidence to evaluate if all requirements of the standard are implemented and working as planned.

For further information, see:
- How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/

At this time Advisera does not perform any kind of audit services.

4. Any PDF resource would be great, which could describe the whole process in more detail. So if you have something similar, please send it to me.

Answer: At Advisera’s site, you can find several free-access materials that can help you understand ISO 27001, such as:
- Clause-by-clause explanation of ISO 27001 (PDF) https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001 
- Checklist of mandatory documentation required by ISO 27001:2013 (PDF) https://info.advisera.com/27001academy/free-download/checklist-of-mandatory-documentation-required-by-iso-27001 
- Project checklist for ISO 27001 implementation (MS Word) https://info.advisera.com/27001academy/free-download/project-checklist-for-iso-27001-implementation 
- How to perform an internal audit using ISO 19011 (PDF) https://info.advisera.com/free-download/how-to-perform-an-internal-audit-using-iso-19011

5. Since we are just starting to look at the standard, we do not have too much prior knowledge, so please add anything that you think is important and I failed to ask

Answer: For an initial view of ISO 27001, I suggest you take a look at these materials:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/
- ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Business impact analyses questionnaire assistance

The Business Impact Analysis questionnaire is used to document the impact over time of disruptive events over a business process, not over assets. For this questionnaire, you only identify the assets you need to recover the analyzed process.

For example, you can apply the BIA questionnaire in your payroll process, and after identifying the time you need to recover this process, and the minimum acceptable service level, you can identify which assets you need to recover this process.

Included in the toolkit you bought you have access to a video tutorial that can help you fill in the Business Impact Analysis questionnaire. Please note that BIA is required only for ISO 22301, but not needed for ISO 27001.

This article will provide you a further explanation about performing a BIA:
- How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

Training sessions

Questions to be asked will depend on the content of the workshops, but in general, you can propose a scenario related to the presented topic and ask the attendee what the best course of action in a multiple answer list is.

For example, on the topic use of mobile storage units, in case you find a pen-drive at the door of your company, what you should do?
a) leave it there
b) pick it up and connect it to your computer to see its content
c) pick it up and deliver it to IT personnel

As for results and statistics, to be used by you or to present to management, completed status for workshop training or completed quizzes can be used to check if the workshop was successful, or if any adjustments are needed. 

This article will provide you a further explanation about awareness and training:
- How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/

This material will also help you regarding awareness and training:
- Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.

By the way, this functionality you want is available in our Company Account https://advisera.com/training/etraining-company-account/

Question on enterprise risk management framework

I’m assuming that you are thinking about an enterprise risk management framework to support you BC framework.

Considering that, to make your implementation of business continuity easier, you should consider ISO 22301 only. This ISO standard for business continuity management does not need anything else (you do not need to implement a complete risk management framework).

These articles will provide you a further explanation about ISO 22301:
- What is ISO 22301 https://advisera.com/27001academy/what-is-iso-22301/
- 17 steps for implementing ISO 22301 https://advisera.com/27001academy/knowledgebase/17-steps-for-implementing-iso-22301/22301/iso-22301/

To see how risk assessment documents, as well as other required documents compliant with ISO 223301 looks like, please take a look at the free demo of this toolkit: https://advisera.com/27001academy/iso22301-documentation-toolkit/

management of measuring instruments

The IATF 16949:2016 standard makes calibration and/or verification possible. All measuring instruments you use for manufacturing and quality control must be calibrated and/or verified. Calibration or verification frequency may vary depending on the frequency of use and protection conditions of the measuring instrument. This frequency may vary depending on the situation, such as monthly, annually, 2 years, 3 years. As you know, calibration is done with an external company and this company must be accredited according to ISO 17025 standard. The verification process is to done using in-house calibrated equipment. My personnel advice is; 

• First, review the calibration or verification frequency based on equipment usage conditions and frequencies.
• Identify the equipment that can be verified in-house and thus your external calibration cost will decrease.

Complying with ISO 14971

Yes, because requirement 7.1 Planning of product realization points to the ISO 14971 for further information regarding the risk management for the medical devices. Furthermore, all medical device manufacturers must be in compliance with the harmonized standards which are published in the Official Journal of the European Commission (Annex 8 of the MDR 2017/745). On that list, ISO 14971:2019 is the only standard that covers risk management.

For more information, see: 

EU MDR Article 8 – Use of harmonised standards - https://advisera.com/13485academy/mdr/use-of-harmonised-standards/

ISO 27001-Advice- Clause 6.1.3 d)

To meet this requirement you should consider these fields from your example:

• Annex A reference
• Control title
• Applicability (yes/no)
• Justification for inclusion/exclusion (you do not need separated columns because these situations are mutually exclusive)
• Status

You should also consider these additional fields:

• Control objectives (because security objectives are required by the standard, this field can help you fulfill this requirement in this same document)
• Implementation method (this field can help in the understanding of your security environment by providing a short description of controls that do not require a specific document to be written, or by providing a link to a developed document).  

To see a Statement of Applicability compliant with ISO 27001 looks like, please access this free demo: https://advisera.com/27001academy/documentation/statement-of-applicability/

This article will provide you a further explanation about the Statement of Applicability:

• The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

These materials will also help you regarding the Statement of Applicability:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Annex A.16

1.            How should companies define roles and responsibilities when they are dealing with multiple incidents that need to be handled by separate departments? For instance, incidents related to SFTP server and SQL server should be forwarded to IT department, but our SaaS service issues should be forwarded to software development department.

Answer: ISO 27001 does not prescribe how to define roles and responsibilities, so organizations can adopt the approach that better fit their needs. For your stated scenario, defining roles and responsibilities considering which department handles which type of incident is an acceptable and effective approach.

To decrease complexity for users, you should consider defining unified channels of communication, i.e., all types of incidents would be reported through the same channels, and the person, or system, receiving them would evaluate to which department forward the reports.

For further information, see:
- How to handle incidents according to ISO 27001 A.16 https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/
- Using ITIL to implement ISO 27001 incident management https://advisera.com/27001academy/blog/2015/11/10/using-itil-to-implement-iso-27001-incident-management/t/

2. Also, I know in the tool kit we purchase there is an incident management procedure which I can edit it based on our organization, but I wonder if we should have multiple different incident response plan for different incidents or not.

Answer: Please note that an incident response plan is not required for ISO 27001. In case you want to write such a document, the usual practice for smaller companies is including all plans within one document, and for larger organizations each incident is covered in a separate incident response plan.