Search results


  • Responsibilities of Distributors for collection of Medical Devices and incident reporting

    The obligations of distributors regarding the collection of medical devices and incident reporting are described in Article 14 - General obligations of distributors, points 4, 5, and 6. First of all, this means that the distributor must be available to the manufacturer for any instructions given by the manufacturer regarding a recall or incident. Next, the distributor must be ready to communicate with the competent authority and provide a sample of the product when necessary. Furthermore, if the distributor itself receives a complaint, it must immediately inform the manufacturer and then act in accordance with the manufacturer's instructions.

    For more information see:

    • EU MDR Article 14 - General obligations of distributors https://advisera.com/13485academy/mdr/general-obligations-of-distributors/

    • Do medical device distributors and 3rd party logistics providers benefit from implementing ISO 13485 and MDR?

      Yes, 3rd party logistics providers can be certified under ISO 13485. The Scope section of the standard states that this International Standard specifies requirements for a quality management system where an organization needs to demonstrate its ability to provide medical devices and related services. Such organizations can be involved in one or more life cycle stages, including design and development, production, storage and distribution, installation, or servicing of a medical device, and design and development or provision of associated activities (e.g. technical support). Therefore, a 3PL can implement ISO 13485.

    • SoA 2022 version

      Several certification bodies are already accredited for the 2022 revision of ISO 27001.

      Please note that all ISO 27001 certification bodies need to be qualified to be certified against ISO 27001:2022 by the end of October 2023.

    • Contractual obligations

      1 - I hope you are well and don’t mind me reaching out. I am in the process of drafting legal and contractual obligations for the company ISMS and wanted to ask if you would kindly be able to share an example of each?

      I’m struggling to find examples online, particularly for contractual requirements and how this should be documented.

      I’m assuming that the question is about legal and contractual obligations for suppliers.

      Please note that we are not legal experts, so what we can provide are statements about what needs to be considered when drafting legal and contractual obligations. You should consult a legal expert to draft the legal clauses properly.

      Here are some examples related to suppliers:

      • Right to audit: the organization has the right to audit and test the security controls periodically, or upon significant changes to the relationship.
      • Response time to vulnerabilities: provide, in a timely manner, proper treatment for known vulnerabilities that may impact the organization’s business.

      Here are some examples related to contracts with employees:

      • responsibilities regarding the classification and handling of information and information-related assets
      • actions to be taken if security requirements are violated by the involved parties

      For further information, see:

      This material can also help you:

      2 - It would also be good to know in your experience, the average number of legal and contractual obligations a medium sized organisation would usually need to have.

      Any help would be greatly appreciated.

      Please note that there is no number or range to be considered as a reference. The number of legal and contractual obligations to be considered by an organization will depend on the results of risk assessment and applicable legal requirements (i.e., the laws, regulations, and contracts an organization must fulfill).

    • ISO 27001 applicable legislation

      The list in the article:

      Laws and regulations on information security and business continuity by country https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/

      will show you laws and regulations related to information security and business continuity in the UK, as well as in other countries, but it does not cover all laws and regulations, nor is it fully up to date, because it depends on voluntary contributions from our readers.

      To make sure you have the latest list of laws and regulations related to these issues, it would be best to hire a local legal adviser.

    • Change Management in Conformio

      Rules to manage documents within Conformio are defined in the Procedure for Document and Record Control, section 3.4 Document Updates.

      Information about performed changes is recorded in the Change History table included in each document.

    • Residual risk

      1 - In your experience what would you say about multiple risk assessments for in-scope Business units as opposed to one asset-based risk assessment for the company? I ask because I work for a large company with over 3000 employees and it’s hard to do one risk assessment for the entire company as different assets are owned and managed by different teams/Business units, and these even overlap sometimes, e.g. an asset may have multiple owners.

      ISO 27001 requires that the risk assessment results are comparable, which means that you need to use the same risk assessment methodology in your whole company (no matter if the company is large or small). Of course, a larger company could perform the risk assessment in several iterations (or sub-projects), but it is important that this is done using a company-wide risk assessment methodology.

      2 - How would you determine the residual risk scores after you have implemented the controls to manage risks identified? Do you create another 2 columns for impact and likelihood after the initial impact and likelihood assessment that resulted in the inherent risk scores?

      Your assumption is correct. The residual risk must be recorded in different columns, so it can be possible to compare the values before and after control implementation.

      For further information, see:

      3 - In terms of scoping the risk assessment you mentioned using our ISMS scope statement, but our scope isn't based on assets but on processes?

      Please note that while the proposed risk assessment is based on assets, these assets need to be related to the processes included in the ISMS scope statement, so the risk assessment makes sense to the ISMS.

    • Non-conforming products

      1 - Who makes the "UAI"?

      Please kindly advise: what is a UAI?

      2 - Is it always necessary to contact the customer to approve the out-of-spec "dimensions"?

      Yes, if you want to send out-of-spec products to the customer, you need to get customer approval. Please check ISO 9001:2015 clause 8.7.1 d).