Search results

Filling documents

1. On the risk management matrix, should we include departments such as finance and administration that are not quite an essential part of the process to make and develop our product?

2. On the 9th document "Design and Developempent" there says we should include record of old versions of the designs of the product, but our question is how much records should we include? Should we include since our first design (which is from 2021) or could we just include the designs from a year ago to now? Or is there a minimum record time that must be met?

You need to include records from your first design and keep those records for at least 10 years after the last device is sold on the market for all classes except for class III and class IIB implantable which is necessary to keep for 15 years.

Should nonconformities undergo a documented risk assessment / analysis?

ISO 27001 does not prescribe risk assessment to be performed over identified nonconformities, so a company is not obliged to perform it.

This article will provide you with further explanation about handling non-conformities:

• Complete guide to corrective action vs. preventive action https://advisera.com/articles/complete-guide-to-corrective-action-vs-preventive-action/

Distributor and ISO 13485

There is no MDR requirement that distributors of medical devices need to be certified according to ISO 13485. But, as stated in Article 14 - General Obligations of Distributors, the following elements must be in place: 

• storage conditions as stated on the medical device and by the manufacturer
• have in place a complaint system - how they can receive a complaint and how they will inform the manufacturer of the received complaint
• must have in place a system for recall - distributor of course will never start a recall, but rather will be a part of the process - they must know how they must behave in a situation when they receive information from the manufacturer that they must withdraw the products from their market.
• communication with a competent authority
• have and maintain a shorter version of the medical device file - declaration of conformity, EC certificate, instruction of use, storage conditions, installation, and/or service manual (if applicable)

For more information, see:

• EU MDR Article 14 - General obligations of distributors - https://advisera.com/13485academy/mdr/general-obligations-of-distributors/

• Scope definition

  For companies of your size, our recommendation is to include all the organization in the Information Security Management System (ISMS) scope (i.e., you need to include all the systems you listed in the scope) because the effort to separate what is and what is not part of the scope is not worth it.

  For further information, see:

  • All you need to know about setting the ISO 27001 scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
  • Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

  This material can also help you:

  • Tool for defining the ISO 27001 ISMS scope https://advisera.com/insight/chatbot-tool-iso-27001-scope/

  • Integrated checklist for ISO 9001:2015 and ISO 14001:2015

    First, I can only help you develop a checklist based on the standards, you should not forget that auditing compliance against internal procedures and effectiveness against management systems objectives is very important.

    Start by determining which ISO clauses are related with the quality department. For example:

    • 9001 – 8.6, 8.7, 9.1, 9.2, 10.2, 10.3
    • 14001 – 6.1.2, 8.1, 8.2, 9.1, 9.2, 10.2, 10.3
    • Some organizations may include also clauses 6.2 and 9.3.

    Now, think about what you want to know regarding those clauses. For example:

    • Are quality control activities being performed according to plan?
    • Is nonconforming product segregated, treated and recorded? Are corrective actions developed?
    • Is process monitoring, analysis and evaluation performed according to plan?
    • Is the audit program executed? Are audit results available?
    • What environmental aspects are related with the quality department?
    • Are environmental operational controls in place at the quality department?
    • And what about preparedness and emergency situations in the quality department? Are prevention measures in place? Are response measures in place?
    • Any simulation done? Any emergency happened? What was learned? 

    Please check in this Free webinar - How To Perform an ISO 9001:2015 Internal Audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/an example about how to develop an audit checklist from a document.

  • Consultants considered processors?

    We have a couple of consultants at our company, most of them working full time. Some of them are hired through a consultacy firm and some of them are self employed. The consultants work according to our policies and processes as any other employee. Some of them work from home and some of them work mainly in the office. Would you consider these cosultants (or the consultancy firm) to be a data processor? I would say that they are not but we have different opinions at my company so just seeking advise. 

  • Request for guidance

    To be compliant with the 2022 revision of ISO 27001, you need to make a new Statement of Applicability with 93 controls.

    From your question, it is not clear if your Information Security Management System (ISMS) is certified or not. In case you are searching for certification, you can certify your ISMS against ISO 27001:2013 until October 31, 2023, and there is no need to change your SoA. For certifying after October 31, 2023, you need to be compliant with ISO 27001:2022, and for that, you will need to update your SoA to the 93 control version. 

    For further information, see:

    • ISO 27001 2013 vs. 2022 revision – What has changed? https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/

    This material can also help you:

    • How to Make the Transition From 2013 to 2022 Revision of ISO 27001 https://advisera.com/27001academy/webinar/transition-iso-27001-2013-to-iso-27001-2022-free-webinar-on-demand/
    • ISO 27001:2022 Transition Course https://advisera.com/training/iso-27001-transition-course/

    • TIA/TRA assessment tools

      There are not so many TIA/TRA tools in the market, as the term became popular after Schrems II decision, however a well-known Transfer Impact Assessment model is David Rosenthal’s TIA template, shared under Creative Commons license. The model has examples related to personal data transfers to several countries outside EU, but not all of them.

      When an international transfer of personal data occur, if the risks are high, a DPIA should be performed, and you have a DPIA Methodology in the EU GDPR Documentation Toolkit that you already purchased, in Directory 06 – Data Protection Impact Assessment.

      Please consult these links:

      • David Rosenthal template: https://www.rosenthal.ch/downloads/Rosenthal_EU-SCC-TIA.xlsx
      • Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data: https://edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-012020-measures-supplement-transfer_en

    • ISO 27001:2013 VS ISO 27001:2022

      My question was to get free upgrade to 2022 version

       

    • ISO 9001 - Control Chart in Monitoring Variation

      If you monitor quality or process control through laboratory analysis results you can use a control chart to check if variability is normal or if special causes are present. If special causes are present, it makes sense to investigate to discover and eliminate them. If only random causes are present, and performance is not adequate, the system must be modified.

      Moreover, the use of control charts makes the analysis and evaluation of the results much more objective because it does not depend on opinions or states of mind, it follows clear rules of interpretation.

      If your question is not about quality or process control, but about the quality of laboratory results I do not use control charts, but Repeatability and Reproducibility (R&R) studies.