A company that provides only technical service has to prepare the ISO 13485 quality management system as follows:
First of all, your "medical device" is technical services and technical writing. So, everywhere the standard says "medical device", this means your service.
Second, requirement 7.5 Production and service provision is, for you, only service provision. Accordingly, the following requirements probably do not apply to you: 7.5.5 Particular requirements for sterile medical devices, and 7.5.7 Particular requirements for validation of processes for sterilization and sterile barrier systems. If you are not providing installation of equipment, then requirement 7.5.3 Installation activities also does not apply to you. If your technical service does not require specific cleanliness conditions, then requirements 6.4.2 Contamination control and 7.5.2 Cleanliness of product also do not apply to you.
For more information on ISO 13485, please see the following articles:
Supplier qualification is mostly covered in requirement 7.4.1 Purchasing process, which requires that criteria for the evaluation and selection of suppliers be defined and determined.
For more information on purchasing process please see the following articles:
The situation you reported would constitute a control failure, leading to a nonconformity which, if not properly handled, can impact your certification.
Regardless of that, the use of unlicensed product keys or incorrect licenses is a legal offense in many countries, and even if the related software is not in your ISMS scope, your organization should seek legal advice on how to handle the situation.
These materials will also help you regarding ISO 27001 controls:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
What is a Password Management System? Is it just a set of rules, as described in the Access Control Policy?
In the context of ISO 27001, a Password Management System is software that enforces the generation, use, and maintenance of passwords by users, according to a defined set of rules (which may be written in the Access Control Policy).
For example, the Windows operating system has a password management system where the administrator can define rules for creating passwords (e.g., a minimum number of characters, use of numbers, special characters, etc.), for periodic change of passwords, etc. Application software, such as an ERP, can also have its own Password Management System.
For further information, see:
This material will also help you regarding password management system:
But then, should we describe which systems these password rules apply to, and which they do not? Or should they be general?
Thank you!
ISO 27001 does not prescribe which systems apply password rules, so both of your suggested approaches are acceptable.
The main criteria you should consider are the results of risk assessment and applicable legal requirements (e.g., laws, regulations, and contracts). By evaluating these issues, you can identify if your rules should be applied in a general way or only to specific systems.
For example, your risk assessment may identify that there are relevant risks requiring this control only for Windows operating systems, but a contract with a customer may require that all software used by your organization to process this customer's information adopt this control.
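As an added illustration of the two answers above (this is example code, not part of the original answers and not any vendor's password management software), the snippet below enforces a defined set of password rules in the way the answer describes: a general policy applies everywhere, and systems singled out by the risk assessment or by a customer contract get a stricter, system-specific policy. The policy values, the system names and the mapping between them are constructed sample values.

```python
"""Added example: a minimal password management check with a general policy
and system-specific overrides. Policies and system names are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
import re


@dataclass(frozen=True)
class PasswordPolicy:
    """A defined set of rules, as an Access Control Policy might state them."""
    min_length: int = 8
    require_digit: bool = False
    require_special: bool = False
    max_age_days: int = 90  # periodic change interval


# Constructed sample policies: a general baseline, and a stricter one for the
# systems that a (hypothetical) customer contract requires to apply this control.
GENERAL_POLICY = PasswordPolicy()
CUSTOMER_POLICY = PasswordPolicy(
    min_length=12, require_digit=True, require_special=True, max_age_days=60
)

# Constructed mapping from system name to policy. In practice this list comes
# from the risk assessment and the applicable contractual requirements.
SYSTEM_POLICIES = {
    "customer-erp": CUSTOMER_POLICY,
    "finance-db": CUSTOMER_POLICY,
}


def policy_for(system: str) -> PasswordPolicy:
    """Return the system-specific policy if one is defined, else the general one."""
    return SYSTEM_POLICIES.get(system, GENERAL_POLICY)


def check_password(password: str, policy: PasswordPolicy) -> list[str]:
    """Return the list of rules the candidate password violates (empty = accepted)."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if policy.require_digit and not re.search(r"\d", password):
        violations.append("no digit")
    if policy.require_special and not re.search(r"[^A-Za-z0-9]", password):
        violations.append("no special character")
    return violations


def password_expired(last_changed: date, today: date, policy: PasswordPolicy) -> bool:
    """True when the password is older than the policy's change interval."""
    return today - last_changed > timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    for system, candidate in [("hr-wiki", "longenough"), ("customer-erp", "longenough")]:
        policy = policy_for(system)
        print(system, "->", check_password(candidate, policy) or "accepted")
```

Running the block shows the same candidate password accepted on the system covered only by the general policy and rejected on the system the contract covers, which is exactly the distinction the second answer says the risk assessment and legal requirements should drive.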
Configuration management is about knowing which assets you have and how they are configured, while vulnerability management is about identifying and handling misconfigurations and threats that can exploit current configurations.
Both configuration and vulnerability management are connected by the fact that by means of configuration management you can:
This article will provide you a further explanation about vulnerability management:
These materials will also help you regarding vulnerability management:
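To make the link between the two disciplines concrete, here is an added example (not from the original answer, and not any tool's real output): a configuration inventory, which is what configuration management gives you, is compared against a hardening baseline so that vulnerability management can pick up the misconfigurations. The asset names, setting names and values below are constructed sample data.

```python
"""Added example: detect misconfigurations by comparing a configuration
inventory (from configuration management) against a baseline. All data is constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    setting: str
    expected: str
    actual: Optional[str]  # None means the setting is not recorded for the asset


# Constructed baseline: the configuration every asset in scope is expected to have.
BASELINE = {
    "ssh.PasswordAuthentication": "no",
    "ssh.PermitRootLogin": "no",
    "tls.min_version": "1.2",
}

# Constructed inventory, as a configuration management process would maintain it:
# which assets exist and how each one is actually configured.
INVENTORY = {
    "web-01": {
        "ssh.PasswordAuthentication": "no",
        "ssh.PermitRootLogin": "yes",
        "tls.min_version": "1.2",
    },
    "db-01": {
        "ssh.PasswordAuthentication": "yes",
        "ssh.PermitRootLogin": "no",
        # tls.min_version is not recorded at all
    },
    "bastion-01": {
        "ssh.PasswordAuthentication": "no",
        "ssh.PermitRootLogin": "no",
        "tls.min_version": "1.2",
    },
}


def find_misconfigurations(inventory: dict, baseline: dict) -> dict[str, list[Finding]]:
    """Return, per asset, every baseline setting that is missing or differs."""
    report: dict[str, list[Finding]] = {}
    for asset, config in inventory.items():
        findings = []
        for setting, expected in baseline.items():
            actual = config.get(setting)
            if actual != expected:
                findings.append(Finding(setting, expected, actual))
        report[asset] = findings
    return report


def assets_needing_attention(report: dict[str, list[Finding]]) -> list[str]:
    """Sorted names of assets with at least one finding, for vulnerability handling."""
    return sorted(asset for asset, findings in report.items() if findings)


if __name__ == "__main__":
    report = find_misconfigurations(INVENTORY, BASELINE)
    for asset in assets_needing_attention(report):
        for f in report[asset]:
            print(f"{asset}: {f.setting} expected {f.expected!r}, found {f.actual!r}")
```

A setting that is absent from an asset's record is reported alongside a wrong value, because an inventory gap is itself something configuration management should surface before vulnerability management can rely on it.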
1. Under which clause do the recording of FPA approval, daily check sheets, and recording of clean room temperature come?
In my opinion, FPA approval will be under 7.5 Production and service provision. Daily check sheets can be under:
- 6.3 Infrastructure, if it is daily checks of the machines and equipment
- 6.4.1 Work environment, if it is checked for the cleaning
- 6.4.2 Contamination control, for temperature or humidity monitoring
2. Under which clause does the naming (Document number, Rev no, Date) for a format come?
Management of the documents comes under 4.2.4 Control of documents and 4.2.5 Control of records.
For more information regarding documentation control please see the following articles:
First, it is important to note that ISO 22301 does not require organizational context to be documented, only to be determined.
Considering that, you can use the organizational context as criteria to see if the proposed BCMS scope is enough for your business. For example, if an external issue is a law or regulation, you need to verify if your proposed scope is enough to fulfill it, or if it does not violate it in some manner. The same applies to an internal issue like a core activity or a process (is it covered by the proposed scope or not).
As a way to get people thinking about organizational context when evaluating their own products and processes, you should consider developing a short customized presentation, linking internal and external issues to specific products and processes, and questions on how these issues can affect their products and processes.
These articles will provide you a further explanation about scope definition (although they are about ISO 27001, the same concept applies to ISO 22301):
This material will also help you regarding Scope definition:
ISO 27001 does not prescribe the identification of contractual requirements to be made for every client, so you can use the approach that best fits your needs. One way is to define a list of requirements for a specific set of clients with specific characteristics:
- are from the same country
- have similar size
- contract the same service
- the contracts have similar value.
Of course, you can have a list of requirements for specific clients you value the most or want to monitor closely.
ISO 27001, ISO 9001, and ISO 20000 are management standards (for information security, quality, and IT service management, respectively), while ISO 90003 is a guideline for the application of ISO 9001 to computer software.
Considering that, as management standards, ISO 27001, ISO 9001, ISO 90003, and ISO 20000 share many requirements that allow them to be integrated (the SDLC for the agile development process would be part of the scope to be defined for the integrated management system). In the integration process you should consider two phases:
1 – Integration of the common parts of ISO management systems, e.g., control of documents, internal audit, management review, etc. These have basically all the same requirements, requiring only minor adjustments to refer to all systems covered.
2 – Integration of the specific parts of each system (basically sections 6 and 8 of each standard, covering planning, support and operation).
Regarding ISO 27001, this means including in the organizational process the activities related to information security risk assessment and treatment processes.
As for building a team with ITIL/ISO 20000, you should map the competencies needed for such a team and define them as requirements for your integrated system.
These articles will provide you a further explanation about integrating ISO management systems:
- How to implement integrated management systems https://advisera.com/blog/2015/10/05/how-to-implement-integrated-management-systems/
- Using ISO 9001 for implementing ISO 27001 https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
- How to implement ISO 27001 and ISO 20000 together https://advisera.com/27001academy/blog/2015/03/16/how-to-implement-iso-27001-and-iso-20000-together/
This material will also help you regarding Integrating management systems:
- ISO 27001 implementation: How to make it easier using ISO 9001 [free webinar on demand] https://advisera.com/9001academy/webinar/iso-27001-implementation-how-to-make-it-easier-using-iso-9001-free-webinar-on-demand/
- ISO 27001:2013 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
First, it is important to note that ISO 27001 does not prescribe the use of information assets for the definition of the Risk Treatment Plan. The RTP only defines the activities that are required to decrease the risks, which can be identified by different approaches, such as asset-based, process-based, and scenario-based.
Considering that, when using an asset-based approach, you should consider the ISMS documentation as an asset, because the information you want to protect can be compromised if a document or record fails to fulfill the standard's requirements or any other identified requirement.
These articles will provide you a further explanation about risk assessment and risk treatment:
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
These materials will also help you regarding risk treatment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/