Search results

Auditing integrated ISO 27001, ISO 20000 and ISO 9001

An integrated management system can be audited/certified against only one of its component standards, so you do not need to implement all standards first and then go for auditing/certification.

Please note that some certification bodies can perform integrated audits (you can ask for this information from your chosen certification body), so you also need to consider that when defining your implementation strategy.

This article will provide you a further explanation about certification audit:

• Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

These materials will also help you regarding certification audit:

• Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
• ISO 27001/ISO 22301: The certification process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/

Requirements for SAMD

Classification of software is covered in the MDR by Rule 11.

"Software intended to provide information which is used to make decisions with diagnosis or therapeutic purposes is classified as class IIa, except if such decisions have an impact that may cause:

• death or an irreversible deterioration of a person’s state of health, in which case it is in class III; or
• a serious deterioration of a person’s state of health or surgical intervention, in which case it is classified as class IIb.

Software intended to monitor physiological processes is classified as class IIa, except if it is intended for monitoring of vital physiological parameters, where the nature of variations of those parameters is such that it could result in immediate danger to the patient, in which case it is classified as class IIb.

All other software is classified as class I“

In my opinion, it is class IIb – because if the software is wrong, and the dental doctor receives the wrong picture, there can be conducted a wrong surgical intervention.

For software, the following requirements from the ISO 13485:2016 standard are definitely not applicable:

• 7.5.5 Particular requirements for sterile medical devices
• 7.5.7 Particular requirements for validation of a process for sterilization and sterile barrier systems
• 7.5.9.2 Particular requirements for implantable medical devices

Following requirements have to be taken into consideration:

• 7.5.3 Installation activities
• 7.5.4 Service activities

All requirements that are not applicable must be stated in the Quality manual with justification why those are not applicable.

Annex A section 5.1

Controls A.5.1.1 and A.5.1.2 are covered by ca 20 policies and procedures you can find in folder "08 Annex A" - it does not make sense to have a specific document focused only on these two controls.

Additionally, is important to understand that ISO 27001 does not require every applicable control to be a separate document. In some cases, you only need to make a brief description of how it is implemented, and you can do that in our SoA template, in the column "Implementation Method".

This article will provide you a further explanation about the Statement of Applicability:
- How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/

Is ISO 22301 mandatory for audits?

Please note that an ISO management standard is mandatory for an audit only if you are certified on that standard, or in case you have to comply with a law, regulation, or contract that demands the application of the standard during an audit.  

In case these situations do not apply to you, the standard is not mandatory in an audit.

These articles will provide you a further explanation about the identification of legal requirements (the same concept applies for both ISO 22301 and ISO 13485):

• How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
• How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

Multiple titles

Yes, you can have two business cards. 

Enforcing the quality management system requirements

Mark hit it on the head. While QA really has no power to enforce requirements for leadership, you can always remind them that corrective action requirements, including obviously internal audit findings and/or 2nd and 3rd party audit findings that drive CARS/SCARS/RCA and follow up audits to ensure the corrective actions that were initiated are effective, are the ONLY requirments of AS9100 that a CB 3rd party auditor can pull your cert immediately. I've witnessed this in action. The CB auditor physically pulled the framed cert off the wall on his way out and after reporting to the CB, the cert was revoked within 3 days. This means this info is available on the IAQG website and your basically out of business. So, if they like the fat paychecks executives tend to receive, it's in their best interest to support the QMS to their fullest extent, it's a requirement of the standard. So, the 3rd party auditor would write up Majors on leadership as well as lack of continuous improvement through the methods I mentioned. Hope this helps!

Applicable exclusion from standard

In our documentation toolkit, in 03_Quality_Manual_Premium_EN, in section 2.1 you can state all requirements that are not applicable for your company, with proper justification.

Need of explicit consent

Tecnically, your client is the data controller who should acquire consent before sharing its clients' data with third parties. You could send a cold email under legitimate interest and acquire consent acting as a data controller.

Quality manual & Procedure under the ISO 13485:2016

That's a really great post describes all the important points which are very useful to get ISO 13485 Manual. Get more information about ISO 13485 Manual on 

ISO2 7001 / 2 website changes

ISO 27001:2013 was confirmed by its responsible committee on 2019 review, and it will not undergo a new review for some years. No changes were required in our material.

Regarding ISO 27002:2013, it is under review at this moment (current DIS is available at https://www.iso.org/obp/ui/#iso:std:iso-iec:27002:dis:ed-3:v1:en) and the new ISO 27002 will be published in 2022, and by then we will of course make all necessary changes.