Search results

Personnel training

As with all requirements, the objective is to ensure competency for the tasks personnel are responsible for, and the provision of resources and authority to contribute positively to the overall compliance and objectives of the laboratory. This means that that the training procedure and records must include actions, controls, monitoring and evidence that the training is fit (appropriate and effective) for the work being performed. All personnel must be sufficiently skilled, trained and deemed competent for the specific task they are responsible for. Personnel should have suitable ISO 17025 awareness training, as they need to know how their role and actions can positively or negatively impact the consistent valid results of the laboratory. The training would typically cover administrative, operational, technical and general management activities; including a good understanding of the risks, controls and monitoring activities that are associated with their work. Personnel training records must include identification of competence requirements, evidence of supervision, authorization (deemed competent for an activity) and monitoring of competence.

ISO 17025 has mandatory requirements for documenting the competency requirements and retaining records. As personnel training and competency is a critical activity, the Advisera ISO 17025 toolkit includes the mandatory procedure as ISO 17025 document template: Competence, Training and Awareness Procedure along with 4 appendices: Training Program, Training Record and Performance Monitoring, Record of Attendance and Competence Approval and Authorization Record. You can preview the template at https://advisera.com/17025academy/documentation/competence-training-and-awareness-procedure/

The Whitepaper Clause-by-clause explanation of ISO 17025:2017 will assist you with ISO 17025 awareness, available at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/

Also have a look at the Advisera Expert Advice Community question and answer in deeming someone competent for more information. Available at https://community.advisera.com/topic/how-training-should-someone-have-before-they-are-deemed-competent-for-a-specific-task/

udi for Legacy devices

No, you do not need to put the UDI number until you will go to the certification under MDR (end of 2023). If you go through Article 120 Transition provisions of the MDR, there you will see which elements from MDR must be prepared for periodic MDD audit after May 2021:post-market surveillance, market surveillance, vigilance, and registration of economic operators.

For more information, see:

• EU MDR Article 120 Transition provisions - https://advisera.com/13485academy/mdr/transitional-provisions/

• Appendix for Design and Development

  It was our opinion that transparency is better this way. Appendix corresponds to the sequence required by requirement 7.3 Design and development. If you put all Appendix together, start from Appendix 1 to Appendix 8, then you will have documented the whole process for the Desing and development.

  You can find more information about Desing and development on the following link:

  • How to manage design and development of medical devices according to ISO 13485:2016 https://advisera.com/13485academy/blog/2017/08/24/how-to-manage-design-and-development-of-medical-devices-according-to-iso-134852016/

  • Confirmation for Erasure of Data

    Yes, it is correct.

  • Guideline on oxygen tank calibration

    This depends on which market you are in.

    On the US market, all necessary information you can find in the document

    7356-002E Compressed Medical Gases – FDA. This is the Compliance program guidance manual issued March 15, 2015, talking about Compressed medical gases (CMG or medical gases) include gaseous and liquid (cryogenic) forms stored in high-pressure cylinders that are administered as a gas. Another important document is Current Good Manufacturing Practice for Medical Gases – FDA, issued June 2017. On the EU market, the main source of information is European Industrial Gases Association, https://eiga.eu/

    The most important element of the tanks is pressure regulators. Technical aspects are covered in the following standards:

    • ISO 10524-1:2018 Pressure regulators for use with medical gases — Part 1: Pressure regulators and pressure regulators with flow-metering devices
    • ISO 10524-2:2018 Pressure regulators for use with medical gases — Part 2: Manifold and line pressure regulators
    • ISO 10524-3:2019 Pressure regulators for use with medical gases — Part 3: Pressure regulators integrated with cylinder valves (VIPRs)
    • ISO 10524-4:2008 Pressure regulators for use with medical gases — Part 4: Low-pressure regulators

    • ISO for forensic sciences labs

      Forensic chemical testing, including toxicology (for example ethanol in blood or a toxic substances in urine), would be accredited to the ISO 17025 standard for testing laboratories; under a Forensic accreditation program. Note that countries may also have specific requirements for Legal forensics testing, besides ISO 17025.

      ISO 15189 Medical laboratories - Requirements for quality and competence is the international standard for medical laboratories. i.e. if the testing is a human medical pathology test, for example blood chemistry or microbiology, then ISO 17025 is typically not applicable. It is worth noting that ISO 15189 was developed based on ISO 9001 and ISO 17025. The requirements are similar, in the context of the type of testing and medical diagnostic risk. I suggest you look at the requirements of the accreditation programme provided by your accreditation body.

      For more information to meet ISO 17025 requirements, see the complimentary white paper (PDF) Clause-by-clause explanation of ISO 17025:2017 available at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/ and the ISO 17025 Toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

    • ISO 27001: DevOps toolchains

      Please note that legal operational responsibility may be only one of the requirements that you need to fulfill. To make your change management process legally secure you need to identify all legal requirements (e.g., laws, regulations, and contracts) that you must fulfill. For example, you may have a legal requirement demanding the use of a specific change approach, or technology.

      In this case, the recommendation is to hire a local legal expert advisor to help you identify the requirements you need to fulfill.

      An online search can help at the beginning of your work (for an overview), but local expert advice is highly recommended.

      This article can provide a start: https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
      
      But please note that the list in this article is not fully up-to-date because it depends on voluntary contributions from our readers – therefore, it is likely that not all regulations for each country are listed (some even may have been withdrawn).

      This article will provide you a further explanation about the identification of requirements:

      • How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

    • BCP/DRP

      Considering specifically the threat of hackers and cybersecurity, the first thing you should consider is performing a business impact analysis (BIA), to identify how business services and processes would be impacted by disruptions caused by such threats.

      After identifying how business services and processes would be affected, then you can start planning your BCP/DRP, considering the most impacted services and processes. According to ISO 22301, a Business Continuity Plan must contain:

      • Purpose, scope, and users
      • Reference documents
      • Assumptions
      • Roles and responsibilities
      • Key contacts
      • Plan activation and deactivation
      • Communication plan
      • Incident response
      • Physical sites and transportation
      • Order of recovery for activities
      • Recovery plans for activities
      • Disaster recovery plan
      • Required resources
      • Restoring and resuming activities from temporary measures

      To see how a BCP compliant with ISO 22301 looks like, please access the free demo at this link: https://advisera.com/27001academy/documentation/business-continuity-plan/

      This article will provide you a further explanation about BCP content:
      - Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/

      This material will also help you regarding BCP content:
      - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
      - How to use ISO 22301 to continue operations during the pandemic [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-use-iso-22301-to-continue-operations-during-the-pandemic-free-webinar-on-demand/

    • FCS security governance critical success factor

      ISO 27001 requires risk assessment only to identify risks, risk owners, and determine the levels of risk. Other information can be added in case an organization identifies them as relevant.

      Some of the elements you mentioned (asset category, CWE, vulnerability) are related to an asset-based risk assessment, which is acceptable by the standard.

      To see how a risk assessment table, based on the asset-based approach, looks like, please access the free demo of our Risk Assessment Table at this link: https://advisera.com/27001academy/documentation/risk-assessment-table/

      This article will provide you a further explanation about risk assessment:
      - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

      These materials will also help you regarding risk assessment:
      - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
      - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
      - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

    • ISO 27001 Certification

      The first step is for you to decide which path you want to follow considering security management or security assurance (i.e., security audit), and for these areas, you have the following ISO 27001 certifications you can follow:

      • ISO 27001 Lead Implementer – this certification recognizes people who have competency in the ISO 27001 implementation process.
      • ISO 27001 Lead Auditor – this certification recognizes people who have competency in auditing an ISM S against ISO 27001 requirements and want to become certification auditors (and with this provides more confidence to an organization for being certified).

      These articles will provide you a further explanation about ISO 27001 personnel certifications:

      • What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
      • What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
      • Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/

      For courses related to these certifications, please see:

      • ISO 27001:2013 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/
      • ISO 27001:2013 Lead Implementer Course https://advisera.com/training/iso-27001-lead-implementer-course/