Search results

BC strategy and ISO 9001

1 - How does BC strategy fits into an ISO 9001 certified company?

Answer: The BC strategy in an ISO 9001 certified company needs to be considered during the planning and creation of the product or service, because it is related to how an organization will ensure its recovery and continuity (i.e., keeping delivering its product or service) in the face of a disaster or other major incident or business disruption (e.g., pandemic). It covers general decisions like the use of alternative sites, redundancy on suppliers, etc., which will affect the need for resources.

For further information, see (ISO 22301 is the leading ISO standard for business continuity management):
- Can business continuity strategy save your money? https://advisera.com/27001academy/blog/2010/03/15/can-business-continuity-strategy-save-your-money/

- ISO 22301 Case study in the travel industry: Business continuity as a necessity in customer care https://advisera.com/27001academy/blog/2016/11/07/iso-22301-case-study-in-the-travel-industry-business-continuity-as-a-necessity-in-customer-care/
- How to use ISO 22301 to continue operations during the pandemic [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-use-iso-22301-to-continue-operations-during-the-pandemic-free-webinar-on-demand/

2 - What is the impact on QMS Supply chain CRISIS, sales, training and communication, etc., if you have or not BC strategy?

Answer: To define a business continuity strategy a company needs to think upfront about potential impacts that can arise from disruption of its operations, so the main impacts for a company that has a BC strategy are:

- processes for delivering products and services are more robust and less prone to situations that can lead to a disruption (if you already have considered where major impacts can happen, then you can work on how to prevent situations that can lead to them).
- it makes its response time quicker in case of disruption because people will already know what to do.  

For further information, see:
- Enabling communication during disruptive incidents according to ISO 22301 https://advisera.com/27001academy/blog/2016/12/19/enabling-communication-during-disruptive-incidents-according-to-iso-22301/

3 - How should I convince my CEO on its importance/ (to my knowledge we don't have a documented BC Plan) Thank you for clarification and presenting this topic.

Answer: To obtain support from top management to implement a BC strategy, it is very important to show the benefits of such implementation, which basically are:
- less effort in the compliance process, and fewer penalties to be paid.
- marketing advantage
- reducing dependency on individuals
- prevention of large-scale damage 

Since you are already ISO 9001 certified, and BC strategy is only one part of business continuity, you should consider integrate in your QMS practices from ISO 22301. ISO 9001 and ISO 22301 have many common requirements, so this integration is possible.

For further information, see:
- ISO 22301 benefits: How to get your management’s approval for a business continuity project https://advisera.com/27001academy/knowledgebase/wledgebase/iso-22301-benefits-how-to-get-your-managements-approval-for-a-business-continuity-project/
- How to implement integrated management system https://advisera.com/articles/how-to-implement-integrated-management-systems/

Information in third party systems

In case the information you want your Information Security Management System to protect interact with these systems, then you need to ensure these systems fulfill your information security standards.

In cases like these, where you find relevant risks to information that are related to systems managed by third parties, you need to consider controls from section A.15 (Supplier relationships), which will help you enforce your security needs and requirements upon suppliers.

For information about controls from section A.15 (Supplier relationships), I suggest you look at these articles:

• 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
• Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
• How to perform an ISO 27001 second-party audit of an outsourced supplier https://advisera.com/27001academy/blog/2017/10/10/how-to-perform-an-iso-27001-second-party-audit-of-an-outsourced-supplier/

List of ISO Standards for medical devices and IVD’s

According to the Medical device regulation MDR 20174/745, in Article 8 – Use of harmonized standards – is stated that medical device manufacturers must be in compliance with ISO standards published by the Official Journal of the European Union. Currently, valid lists of standards are:

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.LI.2020.090.01.0001.01.ENG&toc=OJ:L:2020:090I:TOC />https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2021.129.01.0153.01.ENG
Please be aware that not all standards from that list are applicable for all medical devices. 
 
For more information, see:

EU MDR Article 8 – Use of harmonised standards - https://advisera.com/13485academy/mdr/use-of-harmonised-standards/

Mock recall in medical devices

There is no direct requirement regarding the mock recall in both ISO 9001 and ISO 13485. In ISO 13485:2016 recall is covered under the requirement 8.2.3 Reporting to regulatory authorities. There it is said that complaints that can have unacceptable risks to the health or safety of patients must be reported to the competent authority in accordance with the applicable regulatory requirements.

In Medical device regulation MDR 2017/745, Article 95 Procedure for dealing with devices presenting an unacceptable risk to health and safety is also stated that recall is necessary and describe the process of recall.

Fortunately, recall is a rare situation with most manufacturers. That is why it is logical to do a recall simulation from time to time to make sure that the entire traceability process and the recall are under control.

The requirement that the manufacturer must have its processes under control is specified in 4.1 General requirements.

Implementation questions

I am currently researching on the topic of ISO 27001 as our number of institutional clients is increasing.

I would be interested in some information regarding the standard so I would be very grateful if you could take some time to help me with the questions:

1. I looked at the phases of standards from Planning, Implementation, Verification and Further Improvements. I wonder how long on average full implementation and verification takes?

Answer: The duration of the implementation project varies according to many variables (e.g., available resources, experience with standard's requirements, top management involvement, etc.), but for small and medium-size organizations the implementation generally varies from 3 to 12 months.

To get an insight into the time duration for your organization, please read:
- ISO 27001 checklist: 16 steps for the implementation https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- How long does it take to implement ISO 27001 / BS 25999? https://advisera.com/27001academy/blog/2011/11/08/how-long-does-it-take-to-implement-iso-27001-bs-25999/  - you should also note that this is the timing that is needed for companies that use our toolkits

2. Where are and what are our potential financial costs?

Answer: There are a significant number of variables to be considered when estimating an implementation cost, so without more detailed information, it's not possible to precise a value. What I can tell you are some cost issues you should consider:
- Training and literature
- External assistance
- Technologies to be updated/implemented
- Employee's effort and time
- The certification process

These articles can provide you more information:
- How much does ISO 27001 implementation cost? https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
- 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/19/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/
- How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project/

3. At what stage would the Auditor come and is this something you could do for us? (Also, I'm interested in the fee for that)

Answer: From your question is not clear if you are referring to an internal auditor or a certification auditor, so the answer will cover both situations.

The internal auditor should come sometime after the implementation of the required controls when at least one cycle of required monitoring and measurement had been performed, so the internal auditor has enough evidence to evaluate if controls are implemented and working as planned.

For further information, see:
- Qualifications for an ISO 27001 Internal Auditor https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/

The certification auditor should come sometime after the performing of the first management review, when at least some corrective actions or opportunities for improvement had been addressed, so the certification auditor has enough evidence to evaluate if all requirements of the standard are implemented and working as planned.

For further information, see:
- How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/

At this time Advisera does not perform any kind of audit services.

4. Any PDF resource would be great, which could describe the whole process in more detail. So if you have something similar, please send it to me.

Answer: At Advisera’s site, you can find several free-access materials that can help you understand ISO 27001, such as:
- Clause-by-clause explanation of ISO 27001 (PDF) https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001 
- Checklist of mandatory documentation required by ISO 27001:2013 (PDF) https://info.advisera.com/27001academy/free-download/checklist-of-mandatory-documentation-required-by-iso-27001 
- Project checklist for ISO 27001 implementation (MS Word) https://info.advisera.com/27001academy/free-download/project-checklist-for-iso-27001-implementation 
- How to perform an internal audit using ISO 19011 (PDF) https://info.advisera.com/free-download/how-to-perform-an-internal-audit-using-iso-19011

5. Since we are just starting to look at the standard, we do not have too much prior knowledge, so please add anything that you think is important and I failed to ask

Answer: For an initial view of ISO 27001, I suggest you take a look at these materials:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/
- ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Business impact analyses questionnaire assistance

The Business Impact Analysis questionnaire is used to document the impact over time of disruptive events over a business process, not over assets. For this questionnaire, you only identify the assets you need to recover the analyzed process.

For example, you can apply the BIA questionnaire in your payroll process, and after identifying the time you need to recover this process, and the minimum acceptable service level, you can identify which assets you need to recover this process.

Included in the toolkit you bought you have access to a video tutorial that can help you fill in the Business Impact Analysis questionnaire. Please note that BIA is required only for ISO 22301, but not needed for ISO 27001.

This article will provide you a further explanation about performing a BIA:
- How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

Training sessions

Questions to be asked will depend on the content of the workshops, but in general, you can propose a scenario related to the presented topic and ask the attendee what the best course of action in a multiple answer list is.

For example, on the topic use of mobile storage units, in case you find a pen-drive at the door of your company, what you should do?
a) leave it there
b) pick it up and connect it to your computer to see its content
c) pick it up and deliver it to IT personnel

As for results and statistics, to be used by you or to present to management, completed status for workshop training or completed quizzes can be used to check if the workshop was successful, or if any adjustments are needed. 

This article will provide you a further explanation about awareness and training:
- How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/

This material will also help you regarding awareness and training:
- Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.

By the way, this functionality you want is available in our Company Account https://advisera.com/training/etraining-company-account/

Question on enterprise risk management framework

I’m assuming that you are thinking about an enterprise risk management framework to support you BC framework.

Considering that, to make your implementation of business continuity easier, you should consider ISO 22301 only. This ISO standard for business continuity management does not need anything else (you do not need to implement a complete risk management framework).

These articles will provide you a further explanation about ISO 22301:
- What is ISO 22301 https://advisera.com/27001academy/what-is-iso-22301/
- 17 steps for implementing ISO 22301 https://advisera.com/27001academy/knowledgebase/17-steps-for-implementing-iso-22301/22301/iso-22301/

To see how risk assessment documents, as well as other required documents compliant with ISO 223301 looks like, please take a look at the free demo of this toolkit: https://advisera.com/27001academy/iso22301-documentation-toolkit/

management of measuring instruments

The IATF 16949:2016 standard makes calibration and/or verification possible. All measuring instruments you use for manufacturing and quality control must be calibrated and/or verified. Calibration or verification frequency may vary depending on the frequency of use and protection conditions of the measuring instrument. This frequency may vary depending on the situation, such as monthly, annually, 2 years, 3 years. As you know, calibration is done with an external company and this company must be accredited according to ISO 17025 standard. The verification process is to done using in-house calibrated equipment. My personnel advice is; 

• First, review the calibration or verification frequency based on equipment usage conditions and frequencies.
• Identify the equipment that can be verified in-house and thus your external calibration cost will decrease.

Complying with ISO 14971

Yes, because requirement 7.1 Planning of product realization points to the ISO 14971 for further information regarding the risk management for the medical devices. Furthermore, all medical device manufacturers must be in compliance with the harmonized standards which are published in the Official Journal of the European Commission (Annex 8 of the MDR 2017/745). On that list, ISO 14971:2019 is the only standard that covers risk management.

For more information, see: 

EU MDR Article 8 – Use of harmonised standards - https://advisera.com/13485academy/mdr/use-of-harmonised-standards/