Search results

Sterilization need

No, these products do not need to be sterile, nor the packaging material. What you can take into account is to make the production space a clean room area to ensure that the area for production is completely clean and safe for the product.

More about clean room standards you can find here: https://www.iso.org/standard/53394.html

ISO 9001 - Rules for hiring and onboarding new staff

When hiring and onboarding staff for a role relevant to the QMS (please check ISO 9001:2015 clause 5.3) an organization must ensure that this person is or will become competent to perform the role. For example, in this webinar, Free webinar on demand - The Process Approach - What It Is, Why It Is Important, and How to Do It - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/, after the 29th minute, I show how the process approach helps to respond to clause 7.1.6 of ISO 9001:2015, to determine the competence requirements of each role. So, when onboarding a particular person you have to compare her actual experience, education and training, with the competence requirements for that role, you follow clause 7.2 of ISO 9001:2015. From that comparison a training plan can be developed to work on that person’s competence.

Other sources that you can use are:

• How to ensure competence and awareness in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-ensure-competence-and-awareness-in-iso-90012015/
• How to measure training effectiveness according to ISO 9001 - https://advisera.com/9001academy/blog/2016/03/29/how-to-measure-training-effectiveness-according-to-iso-9001/

Shift handover report

According to IATF 16949 standard, 9.2.2.3, while the production process is being audited, each shift should be audited and the shift change should be sampled and the relevant evidence should be written in the audit report.

The main issues to be looked at and recorded during the shift change may be the following.

• Communication with the new shift, transfer of problems
• How the new shift commissioned the product and production process
• How to do the checks at the beginning of the shift
• Ongoing production plan
• General cleanliness status, etc...

It would be better if the above-mentioned issues were written in the audit report as evidence.

Is shift change confirmation report required?

According to IATF 16949 standard, 9.2.2.3; While the production process is being audited, each shift should be audited and the shift change should be sampled and the relevant evidence should be written in the audit report. 

Certification Requirements

We have prepared the template for Technical documentation that is requested in Annex II of the MDR 2017/745. This document is much broader than is requested by ISO 13485:2016 but can be a guide if necessary.

The question here is are you a manufacturer, distributor, or some other business entity? If you are a manufacturer, for the EU market, your medical device file must be totally in compliance with the Annex II and Annex III of the MDR 2017/745. If you are a distributor or some other business entity then it is enough to have in the Medical device file what is written in the standard.

Company Acquisition and Integration ISO27001

Company Y can be included in the scope of company X. You can think that as an addition in the company X ISMS scope, and for that company X needs performing all sequential steps after a scope update with some adjustments:

1. reviewing ISMS basic framework (e.g., scope, objectives, organizational structure), considering the organizational context of both companies and requirements of interested parties;
2. review of risk assessment and treatment methodologies, to see which elements can be handled together and which ones need to be kept separate;
3. review the risk assessment and define the updated risk treatment plan;
4. adjustment of implemented controls when necessary (e.g., policies and procedures documentation, acquisitions, etc.), as well as the implementation of new controls required due to the new context;
5. people training and awareness;
6. controls operation;
7. performance monitoring and measurement;
8. perform an internal audit.
9. perform management critical review; and
10.  address nonconformities, corrective actions, and opportunities for improvement.

These articles will provide you with additional information:

• Three strategies for ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/#options 
• ISO 27001 implementation steps https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

Regarding how to audit this new scope, you may have these options:

• perform a single audit covering both companies
• perform separate audits for each company
• perform separate audits covering similar areas in both companies (e.g., one audit covering HR of both companies X and Y) and audits related to specificities of each company (e.g., one audit for R&D of company X and one audit for R&D of company Y)

Examples of criteria you can use to decide how to define the audits are the complexity of execution, availability of auditors, size of organizations, and number of employees.

For further information, see:

• ISO 27001 internal audit: The complete guide https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

Question related to Antivirus

1. In the section titled "Managing records kept on the basis of this document" of the SECURITY PROCEDURES FOR IT DEPARTMENT document, it is stated under Controls for record protection that "Once the record is created, the record cannot be changed." Given that the record cannot be changed, what will be the record name that we can provide? This information has not been included in the documents, so I believe they should be erased because they are not applicable. Please let me know if you have any ideas or suggestions that we might write down or if we need to prepare any additional documents for this since records cannot be modified once they have been produced.

For the change record name you can use the name of the current documentation you use to handle changes. In case you are implementing this record for the first time, you can use any name you want.

The information about change record name is not included because ISO 27001 does prescribe it, and organizations normally already have their own named records (e.g., change plan, change order, change ticket, etc.)

2. "There are 12 team members total, so I believe we will initially go for 3 team members as of now. I hope that will be fine to achieve the ISO 27001 certification or will there be any blockers for that? Yesterday we discussed antivirus, and I told you that we don't have any antivirus in our company. So as per your suggestion, we will run a pilot run for 3 employees basically with the IT administrator handling all the server data so we will install it first. How would you advise in this situation?

In the Risk Treatment Plan, you can specify that you will start implementing a control gradually - as you suggested only for 3 employees initially, and afterward for the rest of the company.

Queries ISO 27001

Hello, I did a translation of a documentation that I found from English to Spanish and there are things that I do not understand what they refer to, for example:

Information security risk assessment does not require...

What would not be required in this case, define risk acceptance criteria, define sanctions for non-compliance in information security, identification of security risks or identification of risk owners?

Taking into account ISO 27001, the following is required for risk assessment:

• Define a risk assessment process (risk identification, risk analysis, and risk evaluation)
• Define risk acceptance criteria
• Define criteria for performing risk assessment
• Identify risk owners
• Retain documented information about the risk assessment process

Considering that, from your examples, defining sanctions for non-compliance in information security is not required.

For further information, see:

• 6 main steps in risk management https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/
• Risk assessment methodology https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#section3
• Risk assessment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

Query on ISO 27001:2022 SOA

ISO 27001 does not prescribe that information about how a control is implemented needs to be included in the SoA (the four items you listed are the only ones mandatory to be included in the SoA).

However, we highly recommend including in SoA this information, because since SoA is a document that summarizes security practices adopted by an organization, this additional information makes the SoA a more useful document.