Search results

How to know if the clause 8.3 is applicable to an organisation?

Does your organization design products or services?If your organization has a brand and sells products or services designed by it, then clause 8.3 is applicable. Also relevant for a decision is the scope of the QMS. Consider the case of an organization that designs products and also manufactures products designed by customers. The organization may decide that the QMS scope includes only the manufacturing products designed by the customers, and in that case, clause 8.3 is not applicable. The following material will provide you with more information about the non-applicability of a clause:

• What clauses can be excluded from ISO 9001:2015? - https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/
• Free webinar on-demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
• Enroll for the free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

Supplier to a medical device company

Yes, this requirement is mandatory for all companies that have implemented ISO 13485. But, of course, you will adapt it to your situation. This means that you will have as a part of the medical device file:

a) a general description of the medical device, what is its purpose - how it is a part of the final medical device, how you label that device, and how it is implemented in the final medical device (if you know it)

b) specifications for the product

c) specifications or procedures for manufacturing, packaging, storage, handling, and distribution

d) procedures for measuring and monitoring

e) as appropriate, requirements for installation

f) as appropriate, procedures for servicing.

So, you will be concentrating only on your device, not the final medical device.

Question about eBook

Most changes in ISO 27001:2022 are related to Annex A, reorganizing controls from the 2013 version and adding 11 new controls. Contents of the ebook are still valid to help implement an ISMS ISO 27001 compliant.

These materials will give you an understanding of the changes:

• ISO 27001 2013 vs. 2022 revision – What has changed? https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/
• List of mandatory documents according to the ISO 27001 2022 revision https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-revision
• Detailed explanation of 11 new security controls in ISO 27001:2022 https://advisera.com/27001academy/knowledgebase-category/iso-27001-implementation/
• ISO 27001:2022 Transition Course https://advisera.com/training/iso-27001-transition-course/

• How to implement ITIL in an organisation on a low maturity scale?

  Start with an initial assessment followed by a GAP analysis. That will give you the answer – what needs to be done.

  Once you have a scope of work, prioritize like explained in the articles

  • Considerations before ITIL implementation https://advisera.com/20000academy/blog/2014/05/21/considerations-itil-implementation/
  • Ready, steady… go – Starting ITIL implementation https://advisera.com/20000academy/blog/2014/06/10/ready-steady-go-starting-itil-implementation/

  Also consider implementing ITSM tool, because it will improve efficiency of the implementation, automate tasks and provide you with more control of the activities, tasks and teams/people.

• Register of external correspondence

  Please note that the section regarding external correspondence refers to electronic and physical documents you need for your ISMS that come from external parts like customers, suppliers, regulatory agencies, etc. If an external document is irrelevant to the ISMS, you do not need to control it as an external correspondence.  

  For example, specifications sent from a customer contracts from a supplier and a law from a government agency. The ISO 27001 standard is an example of an external document required by the ISMS.

  For further information, see:

  • How to manage documents according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2021/06/27/how-to-manage-documents-according-to-iso-27001-and-iso-22301/

• How to implement ITIL into an environment that doesn't react to change well?

  We are talking here about people aspect of change. One of ITIL4 practices „Organizational change management“ is covering that topic, so I suggest you look in that practice.

   

• Is ISO 13485 for fertility company?

  Yes, ISO 13485 will be the right option since it includes Research and development part. There are some specialties within ISO 13485 that are requested for the design and development of in vitro medical devices that are not covered in other standards or norms. We have developed Desing and development toolkit that is in compliance with  both ISO 13485 and EU MDR 2017/745.

  Preview of the some of documents you can find on the following links:

  • Procedure for Design and Development https://advisera.com/13485academy/documentation/procedure-for-design-and-development-iso-13485-2016/
  • Design and Development File https://advisera.com/13485academy/documentation/design-and-development-file-iso-13485-2016/
  • Project Plan and Review https://advisera.com/13485academy/documentation/project-plan-and-review-iso-13485-2016/
  • Change Review Record https://advisera.com/13485academy/documentation/change-review-record-iso-13485-2016/

  • Annual Audit Program

    I’m assuming you are referring to a certification audit perspective.

    Considering that, your assumptions are correct. The standard, internal policies and procedures, and applicable legal requirements (e.g., laws, procedures, and contracts) related to the ISMS are mandatory criteria for the internal audit.

    The point about the audit criteria definition in the standard is that you can decide how to perform the audit to cover the ISMS scope (several small audits or a single one). You can use the audit criteria to set groups of elements to be audited. For example, you can decide to audit first IT processes then SW development processes, and then HR processes. Or you can decide to audit first processes related to the higher risks. Or you can perform more than one audit in areas with a history of a high quantity of incidents or non-conformities.

    Additionally, you can decide to include references, like ISO 27002 or NIST Special Publications, if they were used by the organization to implement their controls.