Search results

Questions about the implementation

1. When the ISO needs to be finished / audited? (e.g. when company is founded, when first device is sold or…? – E.g. Section 7: Product Realization is with planning etc. is running right now while the company is not yet founded.

ISO 13485 must be implemented and certified before manufacturing starts and before you put a medical device on the market. You have to prepare your quality management system like you can start the production right now. Of course, you can have some pilots production conducted, due to perform validations of certain processes, like cleaning and sterilization.

2. Is English as language enough or is the country language additionally necessary?

Given that notifying bodies reviewing the quality system according to ISO 13485 are internationally recognized, that they have offices in different countries, English is sufficient.

3. Is the IVD guideline 98/79/EG (IVDD) and/or German “In-vitro-Diagnostika-Verordnung (IVDR)“ additionally necessary and incorporated in your toolkit? If not, can you recommend a toolkit for this? Background: In simple terms, the product is a special microscope with which a view of a tissue sample can be created and viewed. The interpretation of this image is done by a pathologist (unlike, for example, a blood pressure monitor, where the device interprets something). Staining of the tissue sample is done outside the device using standard procedures/products from appropriate manufacturers (e.g. H&E staining).

Our ISO 13485:2016 documentation toolkit is prepared for all small manufacturers of medical devices. Since In vitro diagnostic products are also medical devices, our ISO 13485:2016 toolkit is applicable for in vitro diagnostic product manufacturers.

ISO 13485 implementation

With the usage of the Advisera toolkit, you can definitely save a lot of money. Templates are arranged so that they meet all the requirements of ISO 13485 in a logical sequence. Your task is to write down in the documentation the name of a particular job in your company is and possibly to add some specifics. 

On average, we can say that for the company with 10 employees it will take 3-4 months, for the company with up to 50 employees, some 8-12 months.

As for the preparation of technical documentation for a Class IIa medical device, it all depends on whether your product is completely finished (or is still in the development phase), and whether you have done all the necessary tests.

I would like to point out here that if you take the documentation toolkit from Advisera, you are not just getting templates. YOu are also receiving e-mail support, review of the documents, and live on-on-on online consultations.;

For more information please see the following:

• Six key benefits of ISO 13485 implementation https://advisera.com/13485academy/knowledgebase/six-key-benefits-of-iso-13485-implementation/
• Checklist of ISO 13485 implementation and certification steps https://advisera.com/13485academy/knowledgebase/checklist-of-iso-13485-implementation-and-certification-steps/
• How can ISO 13485 help with MDR compliance? https://advisera.com/13485academy/blog/2020/03/09/how-can-iso-13485-help-with-mdr-compliance/
• What are the EU MDR technical documentation structure and requirements? https://advisera.com/13485academy/blog/2021/04/06/what-are-the-eu-mdr-technical-documentation-structure-and-requirements/

• Inventory of assets & risk methodology

  1. How detailed and far does the inventory of assets need to be? (do we need to list each laptop and cell phone for example)

  ISO 27001 does not prescribe any level of detail for the inventory of assets, so you can adopt the levels you understand that will better fulfill your needs.

  This is generally a balance between the administrative effort and the need for information to ensure proper security. For example, you do not need to record organizations laptops as individual assets (you can add a single asset called "laptop"), but if they have specific purposes with different risk levels you can use specific assets like "laptop", "development laptop", and "finance laptop". The same concept applies to cellphones of your organization and other assets. 

  For further information, see this article:

  • How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

  These materials will also help you regarding:

  • ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  2. When a risk assessment is performed does the risk owner have to do a risk assessment on all the assets every year or the assets that are deemed to be threats or vulnerable.

  The update of risk assessment needs to be performed over all assets included in the ISMS scope, at planned intervals (e.g., quarterly, semiannually, annually, etc.) or when significant changes occur (e.g., deployment of new technology, new business, etc.). This is so because changes in the context of the organization may result in assets previously not relevant to become relevant and vice versa, which can affect treated risks and the risk treatment plan.

  For further information, see:

  • ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

  These materials can also help you:

  • The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

  3. Why is the inventory of assets not listed under the reference document as well as 3.1.2 in the Risk assessment and risk treatment Methodology document?

  Please note that for performing risk assessment and risk treatment you do not need an inventory of assets. The only information you need is assets' names and assets' owners, which can be maintained in the Risk Assessment and Risk Treatment tables, making an inventory of assets unnecessary.

  Additionally, the inventory of assets for ISO 27001 is a control (A.8.1.1), and before performing risk assessment and risk treatment it does not make sense to apply a control (at this point there is no identified need for it).

  This article will provide you a further explanation of controls selection:

  • The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

• CISO and document management

  1. Is it okay if a Chief Information Security Officer (CISO) also releases documents (instead of the CEO)?

  Answer: I’m assuming that by “releases” you mean “approves”.

  Considering that, besides the Information Security Policy, which needs to be approved by top management (usually the CEO when the scope is all organization, or the top role in the ISMS scope when the scope does not cover all organization), ISO 27001 does not prescribe who needs to approve documents, so other documents can be approved by the CISO.

  If by release you mean making documents available and communicating them to relevant personnel, these activities are usually performed by roles like the CISO, or the quality manager (top management usually only approves documents).

  For further information, see:
  - Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
  - What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/

  This material will also help you regarding document management:
  - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/

  
  2. Can we omit the chapter "Managing records kept on the basis of this document" for the document "00_Procedure_for_Document_and_Record_Control"?

  Thank you in advance!

  Answer: In theory, you can, but since it is highly unlikely an organization does not require any document of external origin for the purposes of its ISMS, you would need to register how to handle incoming mail (which is the record suggested for this section in this procedure) in some other place, what would only increase your effort to maintain documentation.

  Examples of external documents to be controlled are Laws (e.g., SOX and EU GDPR), standards and regulations (e.g., the ISO 27001 itself), and documents and records from customers, suppliers, and partners (e.g., contracts, service agreements, product/service specification, operation manuals, etc.)

  For further information, see:
  - Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

• PECR and GDPR

  The Privacy and Electronic Communication Regulations (PECR) is the UK implementation of the e-Privacy Directive and covers the use of cookies and similar technologies for storing information, and accessing information stored, on a user's equipment such as a computer or mobile device.

  If you are located in the UK and you apply for the PECR you probably will need to refer to the UK GDPR too. For the regulations (EU GDPR, UK GDPR, and PECR), the legal ground for marketing purposes is always consenting under the GDPR. The legitimate interest may cover the so-called soft-spam which is information provided on products purchased without a call-to-action or general introduction of the company and services/products offered without a call-to-action in B2B context.

  Here you can find more information on how to perform marketing activities under the GDPR:

  • How does GDPR impact marketing activities? https://advisera.com/eugdpracademy/blog/2018/02/08/how-does-gdpr-impact-marketing-activities/
  • Email marketing in the era of GDPR – How to ensure compliance? https://advisera.com/eugdpracademy/blog/2019/05/27/gdpr-and-email-marketing-rules-for-compliant-campaigns/
  If you need to understand how to comply with GDPR you may consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

• Xl sheet

  All Type A and Type B standard uncertainties must be combined to calculate combined standard uncertainty and then an expanded uncertainty. The specific mathematical, statistical aspects are not part of the scope of the ISO 17025 Academy toolkit. I suggest you look to sector guidelines and the references in the ISO 17025 Toolkit. The Evaluation of Measurement Uncertainty Procedure and associated checklists at https://advisera.com/17025academy/iso-17025-documentation-toolkit/  guides you on what is required to meet ISO 17025 requirements.

• Stage 1 and stage 2 in internal audit

  Specific questions will depend on each audited control, but generally speaking, the questions are related to:
  - how actions are performed. E.g., how do you perform backup procedures?
  - information knowledge. E.g., what can you tell me about the information security policy?

  Additionally, verifications can be made by observing behavior, like asking someone to do something to keep him/her away from his/her workstation and see if the person locks his/her computer when he/she leaves, or by asking for evidence demonstration, like requiring to see the reported incidents from last week.

  The important thing is that audit questions are open questions, i.e., they cannot be answered simply by a Yes or No, the answer needs to be developed by the auditee.

  In the ISO 27001 Internal Auditor Online Course you bought you can find more details in Module 10 - The main audit “Interviewing techniques” 

  These articles will provide you a further explanation about auditor questions:

  - Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
  - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

• Data Protection Legislation

  I am afraid that you will need a Data Protection Officer and a Data Protection Impact Assessment because your organization is going to process on a large scale the health data which belong to a particular category of data under Article 9 GDPR.

  Here you can find more information about the DPO and the DPIA process:

  • How to hire the right DPO? https://advisera.com/eugdpracademy/blog/2018/08/27/how-to-hire-the-right-dpo/
  • 5 phases of the EU GDPR Data Protection Impact Assessment: https://advisera.com/eugdpracademy/knowledgebase/5-phases-of-the-eu-gdpr-data-protection-impact-assessment/
  If you need to know how to implement GDPR in your organization you can consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

• Requirement for Post Market Surveillance

  According to Article 83 - Post-market surveillance system of the manufacturer - is stated that for each device, manufacturers shall plan, establish, document, implement, maintain and update a post-market surveillance system in a manner that is proportionate to the risk class and appropriate for the type of device. Then, in Article 85 - Post-market surveillance report - Manufacturers of class I devices shall prepare a post-market surveillance report summarising the results and conclusions of the analyses of the post-market surveillance data gathered as a result of the post-market surveillance plan.

  Therefore, class I medical devices are not exempt from the post-market surveillance system.

  More information on the Post-market surveillance system you can find on the following link:

  • What are the post-market surveillance requirements in the MDR? https://advisera.com/13485academy/blog/2021/04/29/what-are-the-post-market-surveillance-requirements-in-the-mdr/