Yes, Clause 6.4.9 does apply, as the expired reagents are “outside specified requirements”. The laboratory must assess whether they can be used without invalidating test method results. This is the performance risk assessment that must be done. Consider the risk. It is the laboratory’s decision whether to spend resources on testing if the expired reagents can be used or not. It depends on the nature of the reagent and test method in terms of possible breakdown products and interferences, or perhaps the reagent will be ineffective due to other reasons. Typically, use a new batch of reagent (which is not expired) and do a comparison, running the usual QC samples plus test samples in the two batches. You will need to decide on what basis you will continue using the expired reagent, as it may change with time. For example, if the reagent blank and control samples fall in the expected analytical range (pass QC), then continue using it and run the batch.
Unless you have specific legal requirements (e.g., laws, regulations, or contracts) demanding implementation of ISO 27019 controls, you do not need to include them in the ISMS implementation.
Please note that ISO 27001 controls are comprehensive enough to be applied to any industry, and ISO 27019 only provides specific implementation guidance and controls for the energy utility industry.
In case you need to include ISO 27019 in your implementation, based on the results of risk assessment and applicable legal requirements, you include the relevant additional recommendations in the existing controls they refer to (e.g., in case there are specific recommendations for control A.9.1.1 – Access control policy, you include these specific recommendations in the way you implement it), or you include a new control specific to the standard (e.g., control 12.9.1 – Integrity and availability of safety functions).
I'm assuming that this question is about Conformio.
Considering that, first of all, we are sorry for this situation.
At this moment it is not possible to include other sources of controls besides ISO 27001 Annex A in the risk register, because the large majority of companies do not find it necessary to add controls not listed in Annex A.
ISO 27001 Annex A is a comprehensive set of controls, and if we know which control you are planning to use, we may be able to link to an equivalent control from ISO 27001 Annex A.
In case there is no possible relation to Annex A controls, a workaround would be for you to upload to Conformio a document stating which risk (i.e., asset, vulnerability, threat, risk value) will be treated by controls not related to ISO 27001 Annex A, also stating the residual risk.
The obligation of the distributors regarding the collection of Medical devices and incident reporting is described in Article 14 - General obligations of distributors points 4, 5, and 6. First of all, this means that the distributor must be available to the manufacturer for any instructions given by the manufacturer regarding a recall or incident. Next, the distributor must be ready to communicate with the competent authority and provide a sample of the product when necessary. Furthermore, if the distributor himself receives a complaint, he must immediately inform the manufacturer about it, and further act in accordance with the manufacturer's instructions.
For more information see:
Yes, 3rd party logistics can be certified under ISO 13485. In the standard, in the Scope section, it is stated that this International Standard specifies requirements for a quality management system where an organization needs to demonstrate its ability to provide medical devices and related services. Such organizations can be involved in one or more life cycle stages, including design and development, production, storage and distribution, installation, or servicing of a medical device, and design and development or provision of associated activities (e.g. technical support). Therefore, 3PL can implement ISO 13485.
Several certification bodies are already accredited for the 2022 revision of ISO 27001.
Please note that all ISO 27001 certification bodies need to be qualified to be certified against ISO 27001:2022 by the end of October 2023.
1 - I hope you are well and don’t mind me reaching out. I am in the process of drafting legal and contractual obligations for the company ISMS and wanted to ask if you would kindly be able to share an example of each?
I’m struggling to find examples online, particularly for contractual requirements and how this should be documented.
I’m assuming that the question is about legal and contractual obligations for suppliers.
Considering that, we are not legal experts, so what we can provide you are statements about what needs to be considered for the drafting of legal and contractual obligations. You should consult a legal expert to draft the legal clauses properly.
Here are some examples related to suppliers:
Here are some examples related to contracts with employees:
For further information, see:
This material can also help you:
2 - It would also be good to know, in your experience, the average number of legal and contractual obligations a medium-sized organisation would usually need to have.
Any help would be greatly appreciated.
Please note that there is no number or range to be considered as a reference. The number of legal and contractual obligations to be considered by an organization will depend on the results of risk assessment and applicable legal requirements (i.e., the laws, regulations, and contracts an organization must fulfill).