Search results

Maintaining ISO 13485 certification

Maintaining a quality system is a day-to-day business. Every quality system has some kind of records that are proof of some work done. For example, if you need to procure something (raw materials, equipment) you have a purchase order, communication with the supplier. Then, when those goods arrive at your company you have an invoice, a receipt at the warehouse, a check to see if the goods that arrived are in line with what was ordered and the like. All of this is evidence that some work has been done, but so are the elements of the quality system.

If there are (non-conformities) omissions related to daily work, it is necessary to record such omissions and resolve them. Therefore, there are records of non-compliance, on the basis of which it is necessary to initiate corrective or preventive actions. This is also a day-to-day business.

As far as audits are concerned, an internal audit usually takes place once a year. When that will depend on your business. This can be at the end of one year, or at the beginning of another year, before submitting the final accounts and the like, whichever suits you. Management review is also conducted mostly once a year and is most often after an internal audit is conducted. 

So the maintenance of the quality system takes place throughout the year. 

The following articles can be helpful:

• How to perform management review according to ISO 13485 https://advisera.com/13485academy/blog/2017/11/09/how-to-perform-management-review-according-to-iso-13485/
• How to fulfill management responsibilities in ISO 13485:2016 https://advisera.com/13485academy/knowledgebase/how-to-fulfill-management-responsibilities-in-iso-13485/
• Five main steps in the ISO 13485:2016 internal audit https://advisera.com/13485academy/knowledgebase/five-main-steps-in-the-iso-134852016-internal-audit/
• How to create a checklist for an ISO 13485 internal audit for your QMS https://advisera.com/13485academy/knowledgebase/how-to-create-a-checklist-for-an-iso-13485-internal-audit-for-your-qms/

• The UK and GDPR commitments.

  The UK adopted the UK GDPR, an internal law that mirrors the EU GDPR with the aim to obtain the status of providing an adequate level of protection for freedoms and rights of individuals.

  It is an annex of the Data Protection Act adopted on December 18th 2020 before Brexit. 

  Here you can find more information on UK GDPR: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/

  And on the website of the UK Government you can find the text with the modification of the EU GDPR adopted ad domestic General Data Protection Regulation (UK GDPR) https://www.gov.uk/government/publications/data-protection-law-eu-exit

  Therefore, if your companies are located in the UK you will need to implement reference to the UK GDPR and the EU GDPR (i.e., in the privacy notice and in internal policies) and if any data transfer with EU happens, you need to indicate the Standard Contractual Clauses as a legal basis because actually UK is considered a third country and there is not an adequacy decision of the EU Commission.

  I can suggest you monitor the Information Commissioner’s Officer (https://ico.co.uk) that is the Surveillance Authority for Data Protection in the UK for any update.

  Here you can find more information about data transfer:

  • 3 steps for data transfers according to GDPR: https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/
  • Standard Contractual Clauses for the Transfer to Processors and Standard Contractual Clauses for the Transfer to Controllers.: https://info.advisera.com/eugdpracademy/free-download/standard-contractual-clauses-annexes
  • Free webinar – How to make personal data transfers to other countries compliant with GDPR: https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/

  If you need to understand how to process personal data in the light of EU GDPR you can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

• Can a process be ISO 17025 certified but the lab where the process was done is not ISO 17025 certified?

  As the accreditation is granted to a laboratory for their management system together with scope of tests, the simple answer is no - a process or test cannot be accredited as a standalone test, without the laboratory accreditation.

  For more information on 17025 requirements, have a look at the Whitepaper Clause-by-clause explanation of ISO 17025:2017 which will assist you with ISO 17025 awareness, available at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/ and the ISO 17025 Toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

• EU-US Privacy Shield

  No, it has been invalidated by the European Court of Justice in July 2020. Since then, data transfer between the EU and the US need to be done under another legal basis, such as Standard Contractual Clauses.

  Here you can find more information about data transfer:

  • 3 steps for data transfers according to GDPR: https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/
  • Standard Contractual Clauses for the Transfer to Processors and Standard Contractual Clauses for the Transfer to Controllers: https://info.advisera.com/eugdpracademy/free-download/standard-contractual-clauses-annexes
  • Free webinar – How to make personal data transfers to other countries compliant with GDPR: https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/

  If you need to understand how to process personal data in the light of EU GDPR you can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

• ISO 9001 Non-conformance justification

  Normally, auditors audit processes or departments, let us call it the physical audit scope. While auditing a process or a department they have to consider the audit criteria, and the audit criteria can be all clauses of the standard and internal procedures applicable within the scope of the audit.

  Let me imagine you are auditing process “Prevent breakdown time” or the Maintenance Department. Now, go to ISO 9001:2015 clause 4.4.1 c) – methods and criteria have to be determined. Then, go to ISO 9001:2015 clause 4.4.2 – organizations are free to design the required documented information structure, they have to comply with the mandatory documents and records of standard, but they can go beyond. Once included in the system’s design those documents and records have to be controlled according to ISO 9001:2015 clause 7.5.1 b).

  In the case of documentation being lacking or incomplete, as long as it is considered part of the QMS, you should raise a nonconformity. However, I think it is not about 7.5.1 b). Think, what is the problem with those records? Bad design? (clause 7.5.2). Lack of control? (clause 7.5.3). People not knowing how to fill a record? (clause 7.2). Not clear who has to fill the record? (clause 5.3)

  You can find more information about documentation below:

  • New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
  • Some tips to make Document Control more useful for your QMS - https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
  • Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
     

• ISO 27000: IT technical consultant

  To become an ISO 27001 consultant you do not need to have deep technical knowledge (although this knowledge, and related certifications like BCS, can provide a competitive edge).

  Considering that, you have the following ISO 27001 career you can follow:

  • ISO 27001 Lead Implementer – this certification recognizes people who have competency in the ISO 27001 implementation process.
  • ISO 27001 Lead Auditor – this certification recognizes people who have competency in auditing an ISM S against ISO 27001 requirements and want to become certification auditors (and with this provides more confidence to an organization for being certified).

  These articles will provide you a further explanation about ISO 27001 personnel certifications:

  • What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
  • What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
  • Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/

  For courses related to these certifications, please see:

  • ISO 27001:2013 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/
  • ISO 27001:2013 Lead Implementer Course https://advisera.com/training/iso-27001-lead-implementer-course/

• Implementation of ISO 27001 Guidelines

  In a general manner, to determine the time needed to implement ISO 27001 you need to:

  1. Identify which deliveries you need to make (e.g., policies, procedures, training, assessment, audits, etc.)
  2. Identify which tasks are required to produce each result (e.g., interview top management, elaborate a policy draft, submit the draft for evaluation, update draft if needed, approve the final version, etc.)
  3. Identify how much time you need to perform each task
  4. Identify the sequence in which these tasks should be executed

  After the sequencing, you only have to sum the times of the longest sequence to know how much time you will spend to achieve that result. Of course, this is a great simplification of the method, but for small and medium implementations it works well.

  To see how a sequence of tasks for ISO 27001 implementation looks like, please take a look at this free material:

  • Project checklist for ISO 27001 implementation (MS Word) https://info.advisera.com/27001academy/free-download/project-checklist-for-iso-27001-implementation?

  Regarding times, when you consider all the steps as a whole, you can roughly consider that the steps before the risk management will take you ca 10% of the time, risk assessment ca 30% of the time, implementation of controls ca 50% of the time, and final activities (internal audit, management review, corrective actions) ca 10% of the time.

  These articles will provide you further information:

  • ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
  • How long does it take to implement ISO 27001 / BS 25999? https://advisera.com/27001academy/blog/2011/11/08/how-long-does-it-take-to-implement-iso-27001-bs-25999/  - you should also note that this is the timing that is needed for companies that use our toolkits (e.g., ISO 27001 Documentation Toolkit https://advisera.com/27001academy/iso-27001-documentation-toolkit/)

  These materials will also help you regarding ISO 27001 schedule development:

  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ This Foundations course will give you the basics about the standard.

  For more advanced knowledge I also suggest the Lead Implementer course for details on how to run the project: https://advisera.com/training/iso-27001-lead-implementer-course/

• Risk register

  Common documents required by customers are the Information Security Policy, Statement of Applicability, and Audit Report. Other documents can be asked depending upon what customers need.

  To share such documents (some of them may have sensitive information about your organization, like your risk register) you first should evaluate if the risks are worthy (e.g., the audit report has very sensitive information about your ISMS status, but the requester is your biggest customer or a potential customer you want to include in your portfolio). If you consider that the risk of sharing this information is acceptable, then you should provide a Non-Disclosure Agreement with these customers to formalize the required conditions for the protection of this information.

  Regarding the information in the risk register, all vulnerabilities considered relevant should be included in the risk register.

• Risk assessment reference

  1. There is a question that the external auditor of ISO 27001 asked me, what is the reference or basis used for the risk assessment methodology that you have in your table? See point 3 of the attached document.

  First is important to note that ISO 27001 does not prescribe any risk assessment methodology, so organizations can adopt any methodology they see fit for their needs or create their own, provided it fulfills requirements from clause 6.1.2 – information security risk assessment.

  Considering that, the asset-threat-vulnerability approach used in our template follows the guidelines from ISO 27005, the ISO standard for information security risk management.

  This article will provide you a further explanation risk assessment:

  • ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

  These materials will also help you regarding risk assessment:

  • The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

  2. Another question, do you know where I can buy the ISO 27001: 2013 standard in Spanish?

  You can buy a Spanish version of ISO 27001 at Aenor site: https://www.aenor.com/normas-y-libros/buscador-de-normas/une/?c=N0058428

• QMS

  Yes, it is possible to exclude requirement 7.6 if you do not use any measuring equipment. You must state that in your Quality manual and put a justification why it is not applicable. 

  However, consider the following. If you have a server in your company and that server is located in a separate room, is it defined what the temperature must be in that room. If you have a defined temperature range and if you monitor the temperature in that room, then it is necessary that the thermometer be calibrated, and thus covered by this requirement 7.6. 

  For more information regarding the calibration, please see the following link:

  • Calibration requirements in ISO 13485 https://advisera.com/13485academy/blog/2019/03/08/calibration-requirements-in-iso-13485/