You need to include all processes that are involved in the lifetime of medical devices, from the design and development of the medical device until use and disposal.
1 - What documents should we be including under the ISMS? Should the scope mainly include policies and procedures or should we be including all client/supplier contracts, day to day project documents eg. cost estimates / statement of works etc.
The documents to be included in your ISMS will depend on your defined scope, i.e., the processes or locations where the information you want to protect flows.
For example, if your ISMS scope covers only a software development and maintenance process, then the source codes, customer specifications, and policies and procedures related to that process should be included in the ISMS.
In case all your organization is included in the ISMS scope, then all information you mentioned should be included.
For further information, see:
2 - Double check internal annual audit - does this need to happen every year? If so, when does this happen, e.g., every year from certification? (In our case, we're looking to be certified Sept 2023, so Sept 2024 would be the next internal audit.) Is there any leniency on it being 12 months versus 18 months, for example?
An internal audit needs to be performed before each planned audit scheduled by your certification body (i.e., the certification and surveillance audits), so you need to consider the certification body’s audit schedule to check when to perform the audits. In general, certification bodies define a one-year cycle for their surveillance audits, so in this situation, you need to perform at least one internal audit per year.
Regarding when to perform the internal audits prior to the certification body's audits, there is no prescribed prior period to perform an internal audit, so organizations can perform them according to their needs, provided the internal audits are performed before a scheduled certification/surveillance audit.
Since the internal audit is a mandatory requirement, not performing an internal audit before a scheduled certification body’s audit would be a major non-conformity, which can compromise your certification.
For further information, see:
This material can also help you:
3 - Remote working policy - this is more general advice, but do we need to add how we manage people working abroad, as they need to be able to work from wherever they can on business which can sometimes mean in a coffee shop or workspace, which we advise against when working in London for security reasons. What do others usually suggest here?
Please note that common practices are already covered in the Mobile Device, Teleworking and Work from Home Policy, such as:
This template is located in folder 09 – Annex A Security Controls.
For additional practices to be considered, you need to check the results of risk assessment and applicable legal requirements (e.g., laws, regulations, and contracts).
4 - Again, this is more seeking advice, but should client infrastructure be covered under our ISMS scope? We currently are excluding them as we feel we would be covered under their own security policies but just wanted to double check that's accurate/ what the standard is?
Answer: You should consider in your ISMS scope only the infrastructure you can control, so you should leave the client infrastructure out of your ISMS scope.
I would have to assume the finding was that there was no evidence of review of objectives during Management Review, with the criteria being ISO 17025:2017 clause 8.9.2b. My first comment is that your laboratory system should include a procedure and guidelines on how to address such non-conformances.
When doing root cause analysis start by stating what should have been in place (requirement) and what is the real problem (issue) clearly based on the context of having an ISO 17025 management system in place. Evaluate the impact and why this needs addressing to fix and prevent it or a similar incident from happening again. The depth you go to, in each case, should be decided based on risk.
Using tools like brainstorming and asking questions like why and what will assist you in developing your report and getting to the root causes. In this case, the requirement is that information regarding the fulfillment of objectives should have been input for an effective management review activity, and the outcome of discussions recorded. Determine, for example, if the requirement is documented in your QMS. Determine whether the objectives were discussed and reviewed but not recorded. It may be caused by a lack of understanding of ISO 17025 requirements, no assigned responsibility, rushed management review, or poorly documented processes. Have a look to see which causes are most likely and then address them through corrective actions.
For more information, have a look at these articles:
How to perform management review in ISO 17025 at https://advisera.com/17025academy/blog/2021/05/03/how-to-perform-management-review-in-iso-17025/
Corrective actions principles and root cause analysis in ISO 17025 at https://advisera.com/17025academy/blog/2020/11/04/corrective-actions-principles-and-root-cause-analysis-in-iso-17025/
These ISO 17025 templates could also be of interest:
Complaint, Nonconformity and Corrective Action Procedure at https://advisera.com/17025academy/documentation/complaint-nonconformity-and-corrective-action-procedure/
Corrective Action Report (CAR) at https://advisera.com/17025academy/documentation/corrective-action-report-car/
First, it is important to note that we do not recommend creating such a register.
Please note that ISO 27001 requires you to define a communication process, although there is no requirement that such a process must be documented.
Considering that, communication is an activity that is performed by many processes in information security according to ISO 27001, with different purposes. So, to have a centralized communication procedure would create an overhead for people responsible for communication with activities that may not be a part of their regular tasks.
That’s the reason there isn’t a specific template for clause 7.4.
The main documents in Conformio that define how communication needs to be done are:
Additionally, most of the communication an organization performs is already registered through emails, Slack messages, etc. - so those can act as “registers”.
If you do want to create a separate Communication plan, then this article will provide you with further explanation about communication plans:
Thank you so much for your response. It is very helpful.
You asked
1. We are a QC testing laboratory for lubricant oil, and samples are in-house only as we have our own manufacturing plant. Now we are planning to get 17025 certification. I want to know what documents are needed.
The mandatory processes and procedures apply to all laboratories implementing ISO 17025. Then, depending on your scope (for example, whether the laboratory is responsible for sampling or not), you reduce and modify what is put into place and stated in your documents. For information, see the article Checklist List of mandatory documents required by ISO 17025:2017 at https://advisera.com/17025academy/blog/2019/08/30/list-of-mandatory-documents-required-by-iso-170252017/ and download the complimentary checklist at https://info.advisera.com/17025academy/free-download/checklist-of-mandatory-documents-required-by-iso-17025
You also asked
2. Also, I need guidance on making the format of the scope.
The laboratory will typically add this directly or as a linked record to the quality manual. Have a look at the Q&A post Scope of accreditation at https://community.advisera.com/topic/scope-of-accreditation/
You also asked
3. We already have a quality manual and policy as per ISO 9001, 45001, and 14001. Do we need to make new ones for ISO 17025?
You can integrate your manuals and ISO 17025 clause 8 requirements; however, if different people are responsible for the ISO 9001, 45001, and 14001 certifications, it would be beneficial to keep a separate manual for ISO 17025. Either way, for efficiency, ensure your approach to management system requirements, such as handling complaints and nonconformances, is common.
For more information on integrating ISO 17025 with a certified management system, see the Q&A post and links from the Q&A post Merging ISO 9001 & ISO 17025 at https://community.advisera.com/topic/merging-iso-9001-iso-17025
You also asked
4. Also, can you guide us regarding which documents should be in hard copy format, or is it okay for all documents to be in soft format?
ISO 17025 requires the laboratory to document processes to the extent necessary. The operational need will determine whether hard or soft copy documents, forms, and records are most appropriate. ISO 17025 does not specify.
If I understand your question properly, the certification process from the moment you submit the technical documentation to the notified body lasts 9 or 12 months.
As training material about ISO 27001, we suggest the following material:
These materials will also help you:
What you are referring to relates to the requirement of ISO 17025 clause 7.7 to ensure the validity of results. Internal quality control can include, for example, the laboratory or quality manager submitting control samples as unknown test samples. This is listed as clause 7.7.1 g, retesting of retained items. Simply ensure the samples are processed as routine samples and monitor the results against expected results. When it comes to exchanging samples externally for quality control purposes, ensure best practices are followed and the approach to statistical evaluation and performance criteria are agreed to in advance. This is listed as clause 7.7.2b, participation in interlaboratory comparisons other than proficiency testing. In both cases, clause 7.7.3 states the requirement to analyze data and if the results are not within the pre-defined criteria, the laboratory must take corrective action.
For more information see the response to another question at https://community.advisera.com/topic/clause-7-7-7-7-1/ and the Advisera Toolkit Quality Assurance Procedure at https://advisera.com/17025academy/documentation/quality-assurance-procedure/