Search results

Question about requirements

No, everything is covered there. So for the periodic audits after 26th May 2021, you need to have in place the following elements for the MDR (point 17.-4 in the document that you referred to):

a) Registration of economic operators and of devices (see Art. 31 MDR and Art. 29 MDR)
b) Post market surveillance (PMS) (see Art. 83-86, 92 MDR including Annex III but without the PMS having to be an integral part of the QMS)
c) Market surveillance (see Art. 93 – 100 MDR, but device standards to be met = Directives)
d) Vigilance (see Art- 87-92 MDR)

Storing data on Google Suite/Drive

We wondered if you could help us regarding the following. We would like to know:

When collating our list of client emails when sending out a seasonal greeting (our annual Christmas email) we store the list on Google Suite/Drive, and also CETA - our facilities managing database. Is this permitted?

Yes, the data controller can choose the means and purpose of data processing and Google is a third-party processor which claims to be compliant with EU GDPR.

I update an online excel sheet which tracks which clients attend for which jobs. This is also stored on G Suite and CETA. Is this permitted?"

Yes, you need to verify if any particular category of data is stored and if it is protected (maybe you can add a password to access the sheet in order to increase security).Remember to verify the Google G Suite privacy notice because the personal profile gives fewer security options compared to the business account.

Here you can find some information on cybersecurity:

• Privacy, cyber security, and ISO 27001 – How are they related?: https://info.advisera.com/27001academy/free-download/privacy-cyber-security-and-iso-27001

Rework procedure

Rework procedure is just needed if the rework is possbile. As you know, it is mandatory to have a procedure to handle non conformities, and rework is one of the possibilities of treating a non conformity. That is why in our toolkit, we covered rework in documented procedure:  15_Procedure_for_Control_of_Non_Conforming_Products. 

Test method validation

Validation must be performed in the cases when you are not able to verify the product by subsequent monitoring or measurements. Of course, validation of the product should be on the final product, not on the sample from the design. Therefore, as soon as you perform the transfer from the design to the real production, a process in which the final product will be produced must be validated. For more information on the validation, please provide a more specific question.

In the following link you can find some more details for the validation process:

• Using ISO 13485 to manage process validation in the medical device manufacturing industry https://advisera.com/13485academy/blog/2017/09/07/using-iso-13485-to-manage-process-validation-in-the-medical-device-manufacturing-industry/

• Auditing process

  First of all, you can start with checking the procedure, is there a procedure in place, who is responsible to carry out the procedure, to whom non-compliances products should be reported. Then you can check when the last time was reported non-conforming product and how it was resolved. Have any corrective actions been taken, what records are there about that? Review the evidence that the corrective action taken is effective.

  For more detail on this topic, you can see the following articles:

  • ISO 13485:2016 nonconforming product – How to approach the post-delivery actions https://advisera.com/13485academy/blog/2017/04/11/iso-134852016-nonconforming-product-how-to-approach-the-post-delivery-actions/
  • What are the consequences of noncompliance with ISO 13485 for manufacturers of medical devices? https://advisera.com/13485academy/blog/2017/11/02/what-are-the-consequences-of-noncompliance-with-iso-13485-for-manufacturers-of-medical-devices/
  • Five steps for ISO 9001 non-conforming products https://advisera.com/9001academy/blog/2014/01/13/five-steps-iso-9001-nonconforming-products/

  You can see how we prepared the form for the non-conforming product so, maybe it will give you an idea about the additional questions:

  • Non-Conforming Product Record https://advisera.com/13485academy/documentation/non-conforming-product-record-iso-13485-2016/
  • Registry of Non-Conformities https://advisera.com/13485academy/documentation/registry-of-non-conformities-iso-13485-2016/

  • Clinical Evaluation for Class A Medical Software

    In Iso 13485:2016 there is a requirement 4.2.3 Medical device file. It is stated that for each medical device, the organization must establish and maintain files containing documents to demonstrate conformity to the requirement of this ISO standard, but also of applicable regulatory requirements. On the EU market, medical devices must be in compliance with MDR, and there is a requirement that within technical documentation there must be a clinical evaluation.

    For more information regarding the clinical evaluation for medical software please see the following guidance: https://ec.europa.eu/docsroom/documents/40323

  • GDPR - Credit card details

    Yes, under the legal basis of a contract. The data controller can process and store data required to perform a contract (book your room) and to fulfill with a legal obligation (i.e. anti-fraud, billing, taxation).

    Here you can find an article that explains the legal basis of data processing under GDPR.

    • Is consent needed? Six legal bases to process data according to GDPR https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/

    If you want to know more about the EU GDPR compliance, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

  • Business continuity terms

    Considering the definitions from ISO 22300 (which can be seen here - https://www.iso.org/obp/ui/#iso:std:iso:22300:ed-2:v1:en), Maximum Tolerable Period of Disruption (MTPD) and Maximum Acceptable Outage (MAO) are equivalent terms. The maximum Tolerable Downtime (MTD) term is not used by ISO 22301, but it is equivalent to MTPD and MAO: the maximum time business activities, in a given performance level, can be disrupted before the impact becomes unacceptable.

    This article will provide you a further explanation about ISO 22301 terminology:

    • Explanation of the most common business continuity terms https://advisera.com/27001academy/blog/21/01/18/explanation-of-most-common-business-continuity-terms/

     This material will also help you regarding ISO 22301:

    • Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/

  • Mandatory and non-mandatory documents

    1 - So what are the Documents needed to pass and What documents are NOT, and Still Pass the ISO 27001 cert?

    First of all, sorry for this confusion.

    Since you subscribed to Conformio, it will take care you have all the mandatory documents plus any nonmandatory documents that are the most appropriate for your situation.

    The mandatory documents required for ISO 27001 certification are:

    • Scope of the ISMS (clause 4.3)
    • Information security policy and objectives (clauses 5.2 and 6.2)
    • Risk assessment and risk treatment methodology (clause 6.1.2)
    • Statement of Applicability (clause 6.1.3 d)
    • Risk treatment plan (clauses 6.1.3 e, 6.2, and 8.3)
    • Risk assessment report (clauses 8.2 and 8.3)
    • Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)

    2 - Are you saying the List you show in the List are the Items We dont Need?

    Please not note that “commonly used documents” are nonmandatory documents that many organizations find useful to make the information security management system implementation and operation easier (and that’s why they are presented in this article). The need for these documents should be evaluated considering your organization's context.

    For further information about which documents to have, see:

    • 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/

  • ISO 27001 Lead Implementor - need to maintain certification

    Thank you for this question, Lee!
    After obtaining the certificate, the certificate is valid until the standard itself changes its version officially. Specifically for ISO 27001, minor changes have been made to the standard in 2017, but the current version of the standard remains ISO 27001:2013. From this, we conclude that the standard will not change very soon.