Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Guest
Nice
The identification of such times will depend on the results of risk assessment and applicable legal requirements (i.e., laws, regulations, and contracts), considering each country you want to cover.
As a tip, you could define an initial time retention period (e.g., 1 year) and see if this would fit your business and legal needs, and adjust it in a case by case basis.
For further information, see:
Unfortunately, such a template is not available. ISO 27001 does not require a specific document for data loss prevention, and it is not a commonly used document.
For the development of such a document, we suggest you consider the following topics:
Considering this suggestion, you can use the highlighted sections mentioned in the documents in the first answer to start your document.
It means that you can hire an external auditor. But also, it means that no matter that you are a small company, you can audit each other. So, you do not need to have one internal auditor, but all of you can audit each other's work.
For the classification rules and help with the classification please see the following guidance:
Each manufacturer of medical devices must be in compliance with ISO 13485 no matter the type and class of medical device. But, since MDR 2017/745 has additional requirements for quality management system, please look into the ISO 13485:2016/A11:2021.
Please note that the standard does not require a gap analysis between two versions of the standard to be performed.
For analysis between these two versions, we suggest you these documents:
This tool can also help you:
You can continue with the surveillance audit according to the ISO 27001:2013 standard by 10 August 2023.
But please note that you need to make the transition to the 2022 revision of the standard by October 31, 2025.
For further information, see:
According to ISO 27001, the following controls are related to incident management:
Please note that ISO 27001 does not prescribe details on how to manage incidents, only objectives that need to be achieved. For detailed guidance, you should look for ISO 27002, a non-mandatory supporting standard that provides explanations on the implementation of ISO 27001 Annex A controls.
To see how a document describing incident handling compliant with ISO 27001 looks like, please take a look at this demo: https://advisera.com/27001academy/documentation/incident-management-procedure/
For further information, see:
Please note that, even though this article is about old 2013 revision of ISO 27001, the principles in the article are still valid.
You need to include all processes that are involved in the lifetime of medical devices, from the design and development of the medical device until use and disposal.