Search results

  • Distributor and ISO 13485

    There is no MDR requirement that distributors of medical devices need to be certified according to ISO 13485. But, as stated in Article 14 - General Obligations of Distributors, the following elements must be in place: 

    • storage conditions as stated on the medical device and by the manufacturer
    • have in place a complaint system - how they can receive a complaint and how they will inform the manufacturer of the received complaint
    • must have in place a system for recall - the distributor of course will never start a recall, but rather will be a part of the process - they must know how they must behave in a situation when they receive information from the manufacturer that they must withdraw the products from their market.
    • communication with a competent authority
    • have and maintain a shorter version of the medical device file - declaration of conformity, EC certificate, instruction of use, storage conditions, installation, and/or service manual (if applicable)

    For more information, see:

    • EU MDR Article 14 - General obligations of distributors - https://advisera.com/13485academy/mdr/general-obligations-of-distributors/

    • Scope definition

      For companies of your size, our recommendation is to include all the organization in the Information Security Management System (ISMS) scope (i.e., you need to include all the systems you listed in the scope) because the effort to separate what is and what is not part of the scope is not worth it.

      For further information, see:

      This material can also help you:

      • Tool for defining the ISO 27001 ISMS scope https://advisera.com/insight/chatbot-tool-iso-27001-scope/

      • Integrated checklist for ISO 9001:2015 and ISO 14001:2015

        First, I can only help you develop a checklist based on the standards; you should not forget that auditing compliance against internal procedures and effectiveness against management systems objectives is very important.

        Start by determining which ISO clauses are related to the quality department. For example:

        • 9001 – 8.6, 8.7, 9.1, 9.2, 10.2, 10.3
        • 14001 – 6.1.2, 8.1, 8.2, 9.1, 9.2, 10.2, 10.3
        • Some organizations may also include clauses 6.2 and 9.3.

        Now, think about what you want to know regarding those clauses. For example:

        • Are quality control activities being performed according to plan?
        • Is nonconforming product segregated, treated and recorded? Are corrective actions developed?
        • Is process monitoring, analysis and evaluation performed according to plan?
        • Is the audit program executed? Are audit results available?
        • What environmental aspects are related to the quality department?
        • Are environmental operational controls in place at the quality department?
        • And what about preparedness and emergency situations in the quality department? Are prevention measures in place? Are response measures in place?
        • Any simulation done? Any emergency happened? What was learned? 

        Please check in this Free webinar - How To Perform an ISO 9001:2015 Internal Audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/ - an example about how to develop an audit checklist from a document.

      • Consultants considered processors?

        We have a couple of consultants at our company, most of them working full time. Some of them are hired through a consultancy firm and some of them are self-employed. The consultants work according to our policies and processes as any other employee. Some of them work from home and some of them work mainly in the office. Would you consider these consultants (or the consultancy firm) to be a data processor? I would say that they are not but we have different opinions at my company so just seeking advice.

      • Request for guidance

        To be compliant with the 2022 revision of ISO 27001, you need to make a new Statement of Applicability with 93 controls.

        From your question, it is not clear if your Information Security Management System (ISMS) is certified or not. In case you are searching for certification, you can certify your ISMS against ISO 27001:2013 until October 31, 2023, and there is no need to change your SoA. For certifying after October 31, 2023, you need to be compliant with ISO 27001:2022, and for that, you will need to update your SoA to the 93 control version. 

        For further information, see:

        This material can also help you:

        • How to Make the Transition From 2013 to 2022 Revision of ISO 27001 https://advisera.com/27001academy/webinar/transition-iso-27001-2013-to-iso-27001-2022-free-webinar-on-demand/
        • ISO 27001:2022 Transition Course https://advisera.com/training/iso-27001-transition-course/

        • TIA/TRA assessment tools

          There are not so many TIA/TRA tools in the market, as the term became popular after the Schrems II decision; however, a well-known Transfer Impact Assessment model is David Rosenthal’s TIA template, shared under a Creative Commons license. The model has examples related to personal data transfers to several countries outside the EU, but not all of them.

          When an international transfer of personal data occurs, if the risks are high, a DPIA should be performed, and you have a DPIA Methodology in the EU GDPR Documentation Toolkit that you already purchased, in Directory 06 – Data Protection Impact Assessment.

          Please consult these links:

        • ISO 27001:2013 VS ISO 27001:2022

          My question was to get a free upgrade to the 2022 version

        • ISO 9001 - Control Chart in Monitoring Variation

          If you monitor quality or process control through laboratory analysis results you can use a control chart to check if variability is normal or if special causes are present. If special causes are present, it makes sense to investigate to discover and eliminate them. If only random causes are present, and performance is not adequate, the system must be modified.

          Moreover, the use of control charts makes the analysis and evaluation of the results much more objective because it does not depend on opinions or states of mind, it follows clear rules of interpretation.

          If your question is not about quality or process control, but about the quality of laboratory results, I do not use control charts, but Repeatability and Reproducibility (R&R) studies.

        • No budget to implement control A.8.12 Data Leak Prevention

          A way to implement control A.8.12 Data leakage prevention is by implementing the following documents (the mentioned sections specifically cover the requirements of control A.8.12):

          For further information, see:

        • Important parameters when analyzing samples in ISO accredited laboratory

          The parameters all depend on the purpose of the test. You must meet the requirements of ISO 17025:2017 Clause 7.2. A laboratory needs to understand the client’s requirement, i.e. the purpose of the test and if there are any self-imposed or regulatory specifications for a pass or fail. For example, a specific measurement should be below a particular threshold. When these conformity statements are made, the laboratory must specify the decision rule and get agreement from the client. This addresses whether measurement uncertainty is considered in the decision of a pass or failed result. When deeming the actual test method as suitable (fit for purpose), the laboratory needs to follow regulatory or sector guidelines and any mandatory requirements from the accreditation body, for example, which method performance parameters, such as limit of detection, are evaluated. It usually starts by proving the method is specific, sensitive enough, and accurate (from assessing trueness and precision).

          If you are interested, view the ISO 17025 toolkit procedure for validation and verification of methods, named Test and Calibration Method Procedure, along with two supporting documents Test Method Development, Verification and Validation Register and Test Method Development, Verification, and Validation Record. The procedure is also available separately at https://advisera.com/17025academy/documentation/test-and-calibration-method-procedure/
