You asked
How will what they are doing affect impartiality?
In this case impartiality relates specifically to fairness. As long as a documented specification is agreed to by the customer, and you are testing in comparison to this, you are safeguarding impartiality - there will be no unfairly biased decision.
You also asked
As the testing will only be for one type of test, is it likely that all 58 forms are needed?
If you seek accreditation to ISO 17025 then yes, the toolkit covers the mandatory documents and forms. Of course, depending on the size and activity of the laboratory, many of these will be used to describe a simple process, so they should be short documents.
For more information on Impartiality, have a look at the article How to ensure impartiality in an ISO 17025 laboratory at https://advisera.com/17025academy/blog/2020/10/12/ensuring-impartiality-in-an-iso-17025-laboratory/ and the ISO 17025 toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/
Please note that the ISMS scope can cover all organizations, or only specific locations, processes, or information.
Considering that, it is not possible to define the ISMS scope in terms of cloud instances in AWS. What you can do is to define specific processes or information that are related to the environment dedicated to individual customers (e.g., customer service support).
The main point when considering this approach is the effort required to keep the ISMS scope separated from the rest of the organization's elements (for small and mid-sized organizations the effort is often not worth it, and it is better to include the whole organization in the ISMS scope).
These materials will provide you with a further explanation about scope definition:
Considering Article 120, Paragraph 3 from the MDR, requirements that will be applied to MDD CE marked medical devices after May 2021 are: post-market surveillance, market surveillance, vigilance, registration of economic operators. Therefore, verification obligations apply to devices that are marked under MDR, and not to ones under the MDD certificate.
For more information, see:
EU MDR Article 120 – Transitional provision - https://advisera.com/13485academy/mdr/transitional-provisions/
To start implementing a quality management system you must have the support of your organization's top management, which will be crucial during the ISO 9001:2015 implementation because it provides both financial and staff resources.
Then you can carry out a GAP analysis, which will help you identify those requirements you already comply with and those you still need to comply with. Here you can carry out the analysis free of charge: https://advisera.com/9001academy/iso-9001-gap-analysis-tool/ This tool will also let you know whether you have the information needed to carry out the implementation of the quality management system or, on the contrary, whether you need to gather more information about your processes.
Before implementing the standard it is important that you know each of the clauses you have to comply with in order to carry out the ISO 9001 implementation project. In this white paper you can find summarized information on each of them - Clause by clause explanation of ISO 9001: https://info.advisera.com/9001academy/free-download/clause-by-clause-explanation-of-iso-90012015
Afterwards you can write a project plan in which you determine responsibilities, define the documentation to be written, the implementation deadlines, etc. At this link you can download a template - Project Plan for ISO 9001 implementation: https://info.advisera.com/9001academy/es/descarga-gratuita/plan-de-proyecto-para-la-implementacion-de-iso-9001-ms-word
Then you can start implementing the standard: defining the quality policy, the quality objectives and the plans to achieve them, the context of the organization and its interested parties, the scope of the QMS, etc., up to the internal audit and the management review, which would be the step prior to certification. At this link you can download a checklist for implementing the standard - Project checklist for ISO 9001:2015: https://info.advisera.com/9001academy/free-download/project-checklist-for-iso-9001-2015-implementation
These materials can help you with the implementation of ISO 9001:2015:
- Book – Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
- Free online training – ISO 9001:2015 Foundations: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
A company that provides only technical service has to prepare the ISO 13485 quality management system as follows:
First of all, your "medical device" is technical services and technical writing. So, everywhere in the standard where "medical device" is written, this is your service.
Second, requirement 7.5 Production and service provision is, for you, only service provision. Accordingly, the following requirements are probably not applicable to you: 7.5.5 Particular requirements for sterile medical devices, 7.5.7 Particular requirements for validation of processes for sterilization and sterile barrier systems. If you are not providing installation of equipment, then requirement 7.5.3 Installation activities is also not applicable to you. If your technical service does not require specific cleanliness conditions, then requirements 6.4.2 Contamination control and 7.5.2 Cleanliness of product are also not applicable to you.
For more information on ISO 13485, please see the following articles:
Supplier qualification is mostly covered in requirement 7.4.1 Purchasing process, which requires that criteria for the evaluation and selection of suppliers be defined and determined.
For more information on the purchasing process please see the following articles:
The situation you reported would constitute a control failure, leading to a nonconformity that, if not properly handled, can impact your certification.
Regardless of that, the use of unlicensed product keys or incorrect licenses is a legal offense in many countries, and even if the related software is not in your ISMS scope, your organization should seek legal advice on how to handle the situation.
These materials will also help you regarding ISO 27001 controls:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
What is a Password Management System, is it just a set of rules, as described in Access Control Policy?
In the context of ISO 27001, a Password Management System is software that enforces the generation, use, and maintenance of passwords by users, according to a defined set of rules (which may be written in the Access Control Policy).
For example, the Windows operating system has a password management system where the administrator can define rules for creating passwords (e.g., a minimum number of characters, use of numbers, special characters, etc.), for periodic change of passwords, etc. Application software, such as an ERP, can also have its own Password Management System.
For further information, see:
This material will also help you regarding password management systems:
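As an added illustration (not part of the original answer or of any product it mentions), the Python below shows the mechanism the answer describes: the written rules live in one policy object, the way an administrator would set them in a system such as Windows, and the checks enforce generation (complexity), maintenance (rotation age) and reuse (history). The rule values, function names and the sample passwords are constructed assumptions, not any vendor's actual settings.

```python
"""Minimal password management checks driven by a written policy.
Added example; rule values below are constructed, not a real product's defaults."""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import string


@dataclass(frozen=True)
class PasswordPolicy:
    """The 'defined set of rules' an Access Control Policy might state (assumed values)."""
    min_length: int = 12
    require_digit: bool = True
    require_special: bool = True
    require_mixed_case: bool = True
    max_age_days: int = 90      # periodic change requirement
    history_size: int = 5       # most recent passwords that may not be reused


DEFAULT_POLICY = PasswordPolicy()


def fingerprint(password: str) -> str:
    """Store history as digests, never plaintext. A real system would use a
    salted, slow password hash; SHA-256 is used here only to keep the example short."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate: str,
                   policy: PasswordPolicy = DEFAULT_POLICY,
                   previous_fingerprints: tuple = ()) -> list:
    """Return the list of policy rules the candidate violates (empty = acceptable)."""
    failures = []
    if len(candidate) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    if policy.require_digit and not any(c.isdigit() for c in candidate):
        failures.append("no digit")
    if policy.require_special and not any(c in string.punctuation for c in candidate):
        failures.append("no special character")
    if policy.require_mixed_case and not (
        any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)
    ):
        failures.append("not mixed case")
    # Only the most recent `history_size` entries count, as the policy states.
    if fingerprint(candidate) in previous_fingerprints[-policy.history_size:]:
        failures.append("reused from history")
    return failures


def is_expired(last_changed: date, today: date,
               policy: PasswordPolicy = DEFAULT_POLICY) -> bool:
    """True when the password is older than the policy's maximum age."""
    return (today - last_changed) > timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    history = (fingerprint("Correct-Horse-Battery-7"),)
    print(check_password("short1!"))                                   # several failures
    print(check_password("Correct-Horse-Battery-7"))                   # []
    print(check_password("Correct-Horse-Battery-7", previous_fingerprints=history))
    print(is_expired(date(2024, 1, 1), date(2024, 4, 15)))             # True
```

The point for the reader of the answer is that the rules written in the Access Control Policy and the rules the software enforces should be the same object: if the policy says 12 characters and the system is configured for 8, an auditor will treat that as a control failure.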
But then, should we describe which systems these password rules apply to, and which they do not? Or should they be general?
Thank you!
ISO 27001 does not prescribe which systems apply password rules, so both of your suggested approaches are acceptable.
The main criteria you should consider are the results of risk assessment and applicable legal requirements (e.g., laws, regulations, and contracts). By evaluating these issues, you can identify if your rules should be applied in a general way or only to specific systems.
For example, your risk assessment may identify relevant risks requiring this control only for Windows operating systems, but a contract with a customer may require that all software used by your organization to process this customer's information adopts this control.
Configuration management is about knowing which assets you have and how they are configured, while vulnerability management is about identifying and handling misconfigurations and threats that can exploit current configurations.
Both configuration and vulnerability management are connected by the fact that by means of configuration management you can:
This article will provide you with a further explanation about vulnerability management:
These materials will also help you regarding vulnerability management:
1. Under which clause do the recording of FPA approval, daily check sheets, and the recording of clean room temperature come?
In my opinion, FPA approval will be under 7.5 Production and service provision. Daily check sheets can be under:
6.3 Infrastructure, if it is daily checks of the machines and equipment
6.4.1 Work environment, if it is checked for cleaning
6.4.2 Contamination control, for temperature or humidity monitoring
2. Under which clause does the naming (document number, revision number, date) of a form come?
Management of the documents comes under 4.2.4 Control of documents and 4.2.5 Control of records.
For more information regarding documentation control please see the following articles: