Search results

Can ISO 9001 lead auditor audit ISO 13485?

Although basic things are the same between these two standards (like internal audit process, corrective actions, managing documents and records, managing non-conformances), there are certain specifications of the ISO 13485:2016 (mostly from points 6, 7, and 8 depending on the type of the medical device and type of production). If you are an auditor, then you know that auditors should dominate the audit criteria used. I suggest that you study the standard ISO 13485:2016, to specially check the Annex B of the standard where the correspondence between ISO 13485:2016 and ISO 9001:2015 is explained.

For more information on what ISO 13485 is, please see the article on the following link:

• What is ISO 13485? https://advisera.com/13485academy/what-is-iso-13485/

For more information about Similarities and differences between ISO 9001:2015 and ISO 13485:2016, please see the article on the following link: https://advisera.com/9001academy/blog/2015/01/21/iso-9001-vs-iso-13485/

GDPR Processor (Software Sturtup)

It is such a general question that the answer can be: it depends on your activity. If your software startup processes data determining means and purposes of processing it will be considered as a controller, while if your company will process data on behalf of someone else it will be considered as a processor.As a processor you will have to comply with the obligations listed in Article 28 GDPR and be liable for compliance with GDPR requirements.

Here you can find more information:

• Article 28 GDPR: https://advisera.com/eugdpracademy/gdpr/processor/
• EU GDPR controller vs. processor – What are the differences?https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
• 9 steps for implementing GDPR https://advisera.com/articles/9-steps-for-implementing-gdpr/
• First steps to take to reach GDPR compliance https://advisera.com/eugdpracademy/blog/2018/10/08/first-steps-to-take-to-reach-gdpr-compliance/
• A summary of 10 key GDPR requirements https://advisera.com/eugdpracademy/knowledgebase/a-summary-of-10-key-gdpr-requirements/
• Key roles defined in EU GDPR https://advisera.com/eugdpracademy/knowledgebase/key-roles-defined-in-eu-gdpr/ 

You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

Other ISOs used by the medical devices

Aside from the ISO 13485:2016, all medical devices need to be in compliance with the applicable harmonized standard. The list of harmonized standards is published by the Official Jurnal of the European Union. According to Article 8 of MDR 2017/745 – use of harmonized standard, medical devices must be in compliance with relevant harmonized standards, or the relevant parts of those standards, the references of which have been published in the Official Journal of the European Union.

The following harmonized standards are applicable for all manufacturers of the medical devices:

• EN 1041:2008 Information supplied by the manufacturer of medical devices
• EN ISO 13485:2016 Medical devices — Quality management systems — Requirements for regulatory purposes
• EN ISO 14971:2012; medical devices - Medical devices — Application of risk management to medical devices
• EN ISO 15223-1:2016 Medical devices — Symbols to be used with medical device labels, labeling and information to be supplied — Part 1: General requirements (ISO 15223-1:2016, Corrected version 2017-03)

• EU MDR Article 8 – Use of harmonized standards https://advisera.com/13485academy/mdr/use-of-harmonised-standards/
• What are EU harmonized standards? https://advisera.com/13485academy/blog/2020/06/12/what-are-eu-harmonized-standards/
• Link to the harmonized standards published by EU https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2020:090I:TOC

• Information security in project management

  The application of information security in project management will depend on the results of risk assessment and on applicable legal requirements (e.g., laws, regulations, and contracts). For example, the results of risk assessment can show that you have relevant risks for information security in all your projects, or only to specific types

  Regarding legal requirements, you may not have any law or regulation you must comply with requiring information security for projects, but at the same time, you have a contract with a client requiring information security applied to all projects you have with him.

  This article will provide you a further explanation about security in projects: 

  • How to manage security in project management according to ISO 27001 A.6.1.5 https://advisera.com/27001academy/what-is-iso-27001/

• ISO 27001 and ISO 27031

  ISO 27001 and ISO 27031

  We received this question:

  How do you see the practical interlock between 27001 and 27031?

  Answer: ISO 27031 is a supporting standard which provides specific guidance and recommendations for the implementation of controls from section A.17.1 of ISO 27001 Annex A (Information security continuity).
   
  Considering that, you can use ISO 27031 to make it easier to implement controls from this section, and achieve a more robust solution.   

  This article will provide you a further explanation about ISO 27031:
  - Understanding IT disaster recovery according to ISO 27031 https://advisera.com/27001academy/blog/2015/09/21/understanding-it-disaster-recovery-according-to-iso-27031/

   

   

• Explanation of Annexure 18 of ISO 2017:2013

  Very detailed explanation. Thank you

• Enterprise Data Centre

  Understanding the physical and logical requirements is always important, regardless of the asset size or complexity, because this will allow you to identify the solutions that will properly support your need, without letting any gaps (if requirements are underestimated), or consuming unnecessary resources (if requirements are overestimated).

  Considering that, without knowing your context and risks it is not possible to define practical solutions. What can be done is mention common practices (which should be evaluated considering your context and risks):

  • physical segregation from other environments
  • logical segregation of servers, networks and services
  • redundancy of single points of failure (e.g., power cable, communication links, etc.)

  For further information see:

  • The most common physical and network controls when implementing ISO 27001 in a data center https://advisera.com/27001academy/blog/2019/02/26/the-most-common-physical-and-network-controls-when-implementing-iso-27001-in-a-data-center/
  • ISO 27001 Case study for data centers: An interview with Goran Djoreski https://advisera.com/27001academy/blog/2013/10/29/iso-27001-case-study-for-data-centers-an-interview-with-goran-djoreski/
  • Physical security in ISO 27001: How to protect the secure areas https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/

• SOC Reports

  1 - I would like to ask you if you have some resources for learning about SOC reports.

  I am sorry but our content is developed for ISO 27001. Anyway, this information (from the official site of the American Institute of CPAs) about SOC and ISO 27001 can be interesting for you (see the Excel “Trust Services Map to ISO 27001"): https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/soc2additionalsubjectmatter.html

  In Excel, there are some points in common between ISO 27001 and SOC, so for these points, you can use our toolkit “ISO 27001 Documentation Toolkit”: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

  2 - Is it worth if a company works on ISO27001 controls and the SOC reports at the same time? Does ISO27001 cover the SOCs?

  SOC 1 deals with controls at a service organization’s Internal controls over financial reporting systems, while SOC II has several common points with ISO 27001:2013: risk management, internal audit, business continuity, access control, etc.

  Considering that, ISO 27001, which is an international standard for information security, can be used to implement some of the controls defined by SOC, but they do not have a direct relation, neither one is required to implement the other.

  These articles will provide you a further explanation about ISO 27001:

  • What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
  • The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
  • Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/

  These materials will also help you regarding ISO 27001:

  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• Corrective and preventative actions

  All non-conformities require treatment, which means that all non-conformities require a correction.

  Please check ISO 9001 clause 8.7 – you can read something like - “The organization shall take appropriate action based on the nature of the nonconformity and its effect on the conformity of products and services”. There is no mention of corrective or preventative actions.

  Please check ISO 9001 clause 10.2.1 a) – when a non-conformity occurs organizations have to react to control, correct, and deal with the consequences.

  Please check ISO 9001 clause 10.2.1 b) – you can read something like – “evaluate the need for action to eliminate the cause(s) of the nonconformity”. Evaluate the need means that organizations may decide to develop a corrective or preventative action after correcting a non-conformity or may decide otherwise.

  So, preventative actions are not mandatory to be taken on a non-conformity per ISO 9001 Standards. Organizations should evaluate each case and even trends.

• Determinaciòn de contexto interno y externo

  Puede simplemente organizar una reunión con las personas relevantes de la organización, como los gerentes de cada departamento y la alta dirección y realizar una tormenta de ideas para determinar las cuestiones internas y las cuestiones externas de la organziación.

  Otra forma de identificar el contexto de la organziación es mediante un análisis FODA, donde se consideren las fortalezas, oportunidades, debilidades y amenazas. Este análisis no sólo va a proporcionar información sobre el contexto de la organización sino que va a ayudarnos durante la posterior identificación de riesgos y oportunidadeds. 

  Por otro lado, el análisis PEST, que versa sobre el contexto político, económico, social y tecnológico, puede también ayudar a la organización a identificar las cuestiones externas del contexto de la organización. 

  Para más inofrmación sobre cómo determinar el contexto interno y externo de la organización puede ver los siguientes materiales:

  - Cómo identificar el contexto de la organización en ISO 9001:2015: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-identificar-el-contexto-de-la-organizacion-en-iso-90012015/

  - ISO 9001:2015 case study: context of the organization as a success factor in a manufacturing company: https://advisera.com/9001academy/blog/2016/10/11/iso-90012015-case-study-context-of-the-organization-as-a-success-factor-in-manufacturing-company/

  - Libro - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  - Curso gratuito en línea - Curso de fundamentos de la norma ISO 9001:2015: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/