Search results

Risk Management for Pharmaceuticals

Firt you need to identify the risks associated to the context of your organization. You can use a SWOT analysis to determine the risks and opportunities. You have to identify the risks related to the customer requirements but also additional risks associated to other requirements that have to be complied, for instance risks coming from the regulatory environment, spepecific levels of toxic that cannot be exceeded, etc. Some other examples of risks may include: human capital risks, financing risks, IT risks, etc.

Once you have identified the risks, you will need to use certain criteria to determine their significance, for instance, frequency of the risks, impact, etc. These criteria are not stated by the ISO 9001:2015, so you can decide which are the criteria that best fit your organization. After, you will have to carry out the necessary actions to eliminate or mitigate the risks according to their significance. Those risks that are subject to comply with laws and regulations will automatically be significant and your company will need to take the necessary actions to mitigate the risks (i.e. fulfill the regulatory requirements). These actions may include HR training, new equipment, better facilities, work instructions, improvement on calibration procedures, etc. Once these actions have been implemented and run for a certain amount of time you will need to measure their effectiveness. 

Basically these are the steps that you will need to follow:

1. Determine risks
2. Assess risks
3. Mitigate risks
4. Monitor results 

You can find more information below:

- Free webinar on-demand – How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar-on-demand//
- How to address risks and opportunities in ISO 9001: https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- How to identify risk significance in ISO 9001:2015 - https://advisera.com/9001academy/blog/2019/01/14/how-to-identify-risk-significance-in-iso-90012015/
- For a free preview of an example of the Registry of Key Risks and Opportunities - https://advisera.com/9001academy/documentation/registry-of-key-risks-and-opportunities/
- Enroll for the free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ (I use a lot of examples based on the risk-based approach)

Who should Quality report to?

There is no such requirement in ISO 9001:2015, so you can do whatever works best for your organization. Actually this is an old view of the processes and departments in an organization and I believe the opposite is true, that is, if Quality Department  reports to operations can be an efficient way to ensure that the best resources are deployed to the operating processes. Quality and Operations should work as a team rather than adversaries in order to bring real benefits for your company. 

For more information about quality and operations in ISO 9001:2015, see the following materials:

- What is operational planning in the ISO management system standards: https://advisera.com/blog/2021/02/15/what-is-operational-planning-in-the-iso-management-system-standards/

- Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/

- Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

Secure Development Life Cycle

Another question. I think we know the answer, but just double check.
Q2 – We produce hardware and software that sale to our customers. The software is based on licences.
2.1 - Do the ISO controls apply in any way to these products? I think not. That once they are acquired by the customer the responsibility in terms of ISO27001 falls under them. Am I right?

You are partially correct. While ISO 27001 does not apply to products or services, it can be applied to a product lifecycle process, which may cover support to sold products, and the release of updates to fix identified security breaches. For example, regular security updates for smartphones, released by their manufacturers, are an example.

2.2. - Does the ISO indicate controls for SDLC (Secure Development Life Cycle?)? And for hardware?

ISO 27001 does not explicitly specify controls for SDLC, but by the nature of the controls from section A.14 (System acquisition, development, and maintenance) these can be applicable to SDLC.

As for hardware, please note that the SDLC concept applies to both hardware and software, and controls from section A.14 from ISO 27001 Annex A refer to systems, which are composed either by hardware, and software elements.

For further information, see:

• How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/

2.3 - If we provide some sort of support service (maintenance, improvement, patching, etc), How does this affect us in term of the ISO? If we just intervene in the systems and leave without collecting any data, I guess that we have nothing to do for ISO, but if we collect some data (logs, record, etc) and store it in our systems then this data become our responsibility and thus is affected by the ISO. Is this assumption right? What controls would affect this logs/records/info?

In case your support service process is included in your ISMS scope, then you need to go through all ISO 27001 requirements. The situation about collecting data or not will only affect make difference regarding which risks your process will be exposed to, and the applicable controls (i.e., by intervening and collecting data you will be in a more complex and riskier situation).

About which controls to consider regarding logs/records/info, this will depend on the results of risk assessment and applicable legal requirements.

For further information, see:

• The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
• Logging and monitoring according to ISO 27001 A.12.4 https://advisera.com/27001academy/logging-according-to-iso-27001/

Biggest challenge when seeking EU MDR compliance

The biggest challenge is to prepare all the necessary documentation that MDR requires. Now, it depends on whether you already have a certified product according to MDD or it is a completely new product that has never been certified before. If you already have a medical device certified according to the MDD (so-called legacy devices), then the situation is somewhat easier because you have most of the documentation already prepared. 

For more information what is difference between MDD and MDR see the following links:

• Infographic: EU MDR vs. MDD – What has changed? https://advisera.com/13485academy/blog/2020/11/24/infographic-eu-mdr-vs-mdd-what-has-changed/
• 8-step transition process from MDD to MDR https://info.advisera.com/13485academy/free-download/8-step-transition-process-from-mdd-to-mdr/

• MDCG 2020-6 Regulation (EU) 2017/745: Clinical evidence needed for medical devices previously CE marked under Directives 93/42/EEC or 90/385/EEC https://ec.europa.eu/health/sites/default/files/md_sector/docs/md_mdcg_2020_6_guidance_sufficient_clinical_evidence_en.pdf
• MDCG 2019-5 Registration of legacy devices in EUDAMED  https://ec.europa.eu/health/sites/default/files/md_sector/docs/md_mdcg_2019_5_legacy_devices_registration_eudamed_en.pdf

For more information, see:

• EU MDR Article 10 – General obligations of the manufacturers https://advisera.com/13485academy/mdr/general-obligations-of-manufacturers/
• EU MDR Annex 2 – technical documentation https://advisera.com/13485academy/mdr/technical-documentation/
• EU MDR Annex 3 – Technical documentation for post-market surveillance https://advisera.com/13485academy/mdr/technical-documentation-on-post-market-surveillance/

To help you in the preparation of the technical documentation, please read the following article:

• What are the EU MDR technical documentation structure and requirements you can find? https://advisera.com/13485academy/blog/2021/04/06/what-are-the-eu-mdr-technical-documentation-structure-and-requirements/

• BC strategy and ISO 9001

  1 - How does BC strategy fits into an ISO 9001 certified company?

  Answer: The BC strategy in an ISO 9001 certified company needs to be considered during the planning and creation of the product or service, because it is related to how an organization will ensure its recovery and continuity (i.e., keeping delivering its product or service) in the face of a disaster or other major incident or business disruption (e.g., pandemic). It covers general decisions like the use of alternative sites, redundancy on suppliers, etc., which will affect the need for resources.

  For further information, see (ISO 22301 is the leading ISO standard for business continuity management):
  - Can business continuity strategy save your money? https://advisera.com/27001academy/blog/2010/03/15/can-business-continuity-strategy-save-your-money/

  - ISO 22301 Case study in the travel industry: Business continuity as a necessity in customer care https://advisera.com/27001academy/blog/2016/11/07/iso-22301-case-study-in-the-travel-industry-business-continuity-as-a-necessity-in-customer-care/
  - How to use ISO 22301 to continue operations during the pandemic [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-use-iso-22301-to-continue-operations-during-the-pandemic-free-webinar-on-demand/

  
  2 - What is the impact on QMS Supply chain CRISIS, sales, training and communication, etc., if you have or not BC strategy?

  Answer: To define a business continuity strategy a company needs to think upfront about potential impacts that can arise from disruption of its operations, so the main impacts for a company that has a BC strategy are:

  - processes for delivering products and services are more robust and less prone to situations that can lead to a disruption (if you already have considered where major impacts can happen, then you can work on how to prevent situations that can lead to them).
  - it makes its response time quicker in case of disruption because people will already know what to do.  

  
  For further information, see:
  - Enabling communication during disruptive incidents according to ISO 22301 https://advisera.com/27001academy/blog/2016/12/19/enabling-communication-during-disruptive-incidents-according-to-iso-22301/

  3 - How should I convince my CEO on its importance/ (to my knowledge we don't have a documented BC Plan) Thank you for clarification and presenting this topic.

  Answer: To obtain support from top management to implement a BC strategy, it is very important to show the benefits of such implementation, which basically are:
  - less effort in the compliance process, and fewer penalties to be paid.
  - marketing advantage
  - reducing dependency on individuals
  - prevention of large-scale damage 

  Since you are already ISO 9001 certified, and BC strategy is only one part of business continuity, you should consider integrate in your QMS practices from ISO 22301. ISO 9001 and ISO 22301 have many common requirements, so this integration is possible.

  For further information, see:
  - ISO 22301 benefits: How to get your management’s approval for a business continuity project https://advisera.com/27001academy/knowledgebase/wledgebase/iso-22301-benefits-how-to-get-your-managements-approval-for-a-business-continuity-project/
  - How to implement integrated management system https://advisera.com/articles/how-to-implement-integrated-management-systems/

• Information in third party systems

  In case the information you want your Information Security Management System to protect interact with these systems, then you need to ensure these systems fulfill your information security standards.

  In cases like these, where you find relevant risks to information that are related to systems managed by third parties, you need to consider controls from section A.15 (Supplier relationships), which will help you enforce your security needs and requirements upon suppliers.

  For information about controls from section A.15 (Supplier relationships), I suggest you look at these articles:

  • 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
  • Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
  • How to perform an ISO 27001 second-party audit of an outsourced supplier https://advisera.com/27001academy/blog/2017/10/10/how-to-perform-an-iso-27001-second-party-audit-of-an-outsourced-supplier/

• List of ISO Standards for medical devices and IVD’s

  According to the Medical device regulation MDR 20174/745, in Article 8 – Use of harmonized standards – is stated that medical device manufacturers must be in compliance with ISO standards published by the Official Journal of the European Union. Currently, valid lists of standards are:

  https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.LI.2020.090.01.0001.01.ENG&toc=OJ:L:2020:090I:TOC />https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2021.129.01.0153.01.ENG
  Please be aware that not all standards from that list are applicable for all medical devices. 
   
  For more information, see:

  EU MDR Article 8 – Use of harmonised standards - https://advisera.com/13485academy/mdr/use-of-harmonised-standards/

• Mock recall in medical devices

  There is no direct requirement regarding the mock recall in both ISO 9001 and ISO 13485. In ISO 13485:2016 recall is covered under the requirement 8.2.3 Reporting to regulatory authorities. There it is said that complaints that can have unacceptable risks to the health or safety of patients must be reported to the competent authority in accordance with the applicable regulatory requirements.

  In Medical device regulation MDR 2017/745, Article 95 Procedure for dealing with devices presenting an unacceptable risk to health and safety is also stated that recall is necessary and describe the process of recall.

  Fortunately, recall is a rare situation with most manufacturers. That is why it is logical to do a recall simulation from time to time to make sure that the entire traceability process and the recall are under control.

  The requirement that the manufacturer must have its processes under control is specified in 4.1 General requirements.

• Implementation questions

  I am currently researching on the topic of ISO 27001 as our number of institutional clients is increasing.

  I would be interested in some information regarding the standard so I would be very grateful if you could take some time to help me with the questions:

  1. I looked at the phases of standards from Planning, Implementation, Verification and Further Improvements. I wonder how long on average full implementation and verification takes?

  Answer: The duration of the implementation project varies according to many variables (e.g., available resources, experience with standard's requirements, top management involvement, etc.), but for small and medium-size organizations the implementation generally varies from 3 to 12 months.

  To get an insight into the time duration for your organization, please read:
  - ISO 27001 checklist: 16 steps for the implementation https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
  - How long does it take to implement ISO 27001 / BS 25999? https://advisera.com/27001academy/blog/2011/11/08/how-long-does-it-take-to-implement-iso-27001-bs-25999/  - you should also note that this is the timing that is needed for companies that use our toolkits

  2. Where are and what are our potential financial costs?

  Answer: There are a significant number of variables to be considered when estimating an implementation cost, so without more detailed information, it's not possible to precise a value. What I can tell you are some cost issues you should consider:
  - Training and literature
  - External assistance
  - Technologies to be updated/implemented
  - Employee's effort and time
  - The certification process

  These articles can provide you more information:
  - How much does ISO 27001 implementation cost? https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
  - 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/19/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/
  - How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project/

  3. At what stage would the Auditor come and is this something you could do for us? (Also, I'm interested in the fee for that)

  Answer: From your question is not clear if you are referring to an internal auditor or a certification auditor, so the answer will cover both situations.

  The internal auditor should come sometime after the implementation of the required controls when at least one cycle of required monitoring and measurement had been performed, so the internal auditor has enough evidence to evaluate if controls are implemented and working as planned.

  For further information, see:
  - Qualifications for an ISO 27001 Internal Auditor https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/

  The certification auditor should come sometime after the performing of the first management review, when at least some corrective actions or opportunities for improvement had been addressed, so the certification auditor has enough evidence to evaluate if all requirements of the standard are implemented and working as planned.

  For further information, see:
  - How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/

  At this time Advisera does not perform any kind of audit services.

  4. Any PDF resource would be great, which could describe the whole process in more detail. So if you have something similar, please send it to me.

  Answer: At Advisera’s site, you can find several free-access materials that can help you understand ISO 27001, such as:
  - Clause-by-clause explanation of ISO 27001 (PDF) https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001 
  - Checklist of mandatory documentation required by ISO 27001:2013 (PDF) https://info.advisera.com/27001academy/free-download/checklist-of-mandatory-documentation-required-by-iso-27001 
  - Project checklist for ISO 27001 implementation (MS Word) https://info.advisera.com/27001academy/free-download/project-checklist-for-iso-27001-implementation 
  - How to perform an internal audit using ISO 19011 (PDF) https://info.advisera.com/free-download/how-to-perform-an-internal-audit-using-iso-19011

  5. Since we are just starting to look at the standard, we do not have too much prior knowledge, so please add anything that you think is important and I failed to ask

  Answer: For an initial view of ISO 27001, I suggest you take a look at these materials:
  - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
  - Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/
  - ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• Business impact analyses questionnaire assistance

  The Business Impact Analysis questionnaire is used to document the impact over time of disruptive events over a business process, not over assets. For this questionnaire, you only identify the assets you need to recover the analyzed process.

  For example, you can apply the BIA questionnaire in your payroll process, and after identifying the time you need to recover this process, and the minimum acceptable service level, you can identify which assets you need to recover this process.

  Included in the toolkit you bought you have access to a video tutorial that can help you fill in the Business Impact Analysis questionnaire. Please note that BIA is required only for ISO 22301, but not needed for ISO 27001.

  This article will provide you a further explanation about performing a BIA:
  - How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/