Search results

ISO 9001 Question

Existen multitudes ventajas a la hora de implementar la norma ISO 9001:2015 en una organización, entre ellas podemos encontrar las siguientes:

- Una mayor satisfacción del cliente 

- Una mejora de los procesos de la organización

- Un mayor prestigio de la compañía

- Una cultura de mejora continua

Para más información sobre los beneficios de implementar ISO 9001:2015, puede ver los siguientes materiales:

- Seis beneficios clave de la implementación de ISO 9001: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/seis-beneficios-clave-de-la-implementacion-de-iso-9001/

- Curso gratuito en línea - Fundamentos de la norma ISO 9001:2015: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/

- Libro - ISO 9001:2015 through practical examples:https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

ISO 9001 Re-evaluation of suppliers

ISO 9001:2015 does not set a period evaluation or re-evaluation of suppliers. The last paragraph of clause 8.4.1 sets the need for determining when to re-evaluate external providers and to retain records of these activities. It is up to each organization to define the most suitable frequency. For example, when working with the fashion industry I normally recommend suppliers to evaluate every six months because winter and summer requirements and suppliers can differ a lot.

You can find more information below:

• How to evaluate supplier performance according to ISO 9001:2015 https://advisera.com/9001academy/blog/2015/10/27/how-to-evaluate-supplier-performance-according-to-iso-90012015/
• How to control outsourced processes using ISO 9001 https://advisera.com/9001academy/blog/2015/05/05/how-to-control-outsourced-processes-using-iso-9001/
• You can also take a look at a free preview of our Procedure for Purchasing and Evaluation of Suppliers https://advisera.com/9001academy/documentation/procedure-purchasing-evaluation-suppliers/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

ISO 14001 Auditee questions

Performing an audit is about collecting evidence from the contrast between reality and audit criteria.

You should start by collecting the audit criteria. What documents in your quality and environmental management system mention suppliers or environmental aspects related to suppliers?

For example, concerning the environment:

• Which significant environmental aspects are related to suppliers?
• What action plans and controls were designed and implemented to improve those environmental aspects?
• Are they implemented? Are they being followed? Are they effective? Ask for evidence!
• Any environmental nonconformity received? Evidence of treatment? Corrective action needed? If yes, implemented? Effective?
• Any evidence of supplier performance review? Decisions about system effectiveness and suitability?

For example, concerning quality:

• Which suppliers are considered relevant for the quality management system?
• What control plans were designed and implemented to minimize importing problems from suppliers?
• What action plans were designed and implemented to improve supplier performance?
• Are they implemented? Are they being followed? Are they effective? Ask for evidence!
• Any product nonconformity received? Evidence of treatment? Corrective action needed? If yes, implemented? Effective?
• Any evidence of supplier performance review? Decisions about system effectiveness and suitability?

Please check this information below with more detailed answer:

• Internal Audits in the EMS: Five Main Steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/internal-audits-in-the-ems-five-main-steps/
• Enroll for free in ISO 14001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book - ISO internal audit: A plain English guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/

ISO 13485 Documentation & implementation

If I understand the question correctly, you are asking is ISO 13485:2016 quality management system documentation the same for disposable medical devices and IVD devices. Yes, basic documentation is the same, the only difference is the procedures and work instructions for the production process (what kind of the production it is, is it necessary to produce them in the cleanroom or not, is there a sterilization process involved and similar).

For more details which documents are mandatory for ISO 13485:2016, please see the following links:

• List of mandatory documents required by ISO 13485:2016 - https://advisera.com/13485academy/blog/2017/01/18/list-of-mandatory-documents-required-by-iso-134852016/
• Checklist of Mandatory Documentation Required by ISO 13485:2016 - https://info.advisera.com/13485academy/free-download/checklist-of-mandatory-documentation-required-by-iso-134852016
• How to structure Quality Management System documentation according to ISO 13485 - https://advisera.com/13485academy/knowledgebase/how-to-structure-quality-management-system-documentation-according-to-iso-13485/

On the following link, you can see how our ISO 13485:2016 documentation toolkit looks like - https://advisera.com/13485academy/iso-13485-documentation-toolkit/

Conducting an internal audit

I invite you to watch this free webinar on demand about “How to perform an ISO 14001:2015 internal audit” - https://advisera.com/14001academy/webinar/how-to-perform-an-iso-14001-2015-internal-audit-free-webinar-on-demand/ where this process

is presented and several tips are shared.

Please check this information below with more detailed answer:

• Internal Audits in the EMS: Five Main Steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/internal-audits-in-the-ems-five-main-steps/
• Enroll for free in ISO 14001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book - ISO internal audit: A plain English guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/

How to use ISO 27001 in the hospital

ISO 27001 was designed to be implemented in organizations of any size and industry, and broadly speaking, these are the general steps to implement it on any organization:

1. get support for your project (through approval of the ISMS project plan);
2. develop the Procedure for Document and Record Control:
3. define the ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding the organizational context and requirements of interested parties;
4. develop risk assessment and treatment methodology;
5. perform a risk assessment and define the risk treatment plan;
6. controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
7. people training and awareness;
8. controls operation;
9. performance monitoring and measurement;
10. perform an internal audit;
11. perform management critical review; and
12. address nonconformities, corrective actions, and opportunities for improvement.

Regarding ISO 27001 implementation approaches, you have three options:

• Implementing with your own employees (in general the cheapest and longest)
• Hiring a consultant (in general the costliest and fastest)
• Implementing by yourself with external support (a balanced solution)

Each one of them has its advantages and disadvantages, related to time, resources, and knowledge. For more information, I suggest the following materials:

• 3 strategic options to implement any ISO standard https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/
• Implementing ISO 27001 with a consultant vs. DIY approach https://info.advisera.com/27001academy/free-download/implementing-iso-27001-with-a-consultant-vs-diy-approach

Advisera is specialized in the third approach. We offer toolkits with templates and expert support, and also free material in the form of articles, papers, and webinars, to help you with your implementation project. Please see these materials for more information:

• ISO 27001 Documentation Toolkit https://advisera.com/27001academy/iso-27001-documentation-toolkit/
• How to use a Documentation Toolkit for the implementation of ISO 27001 / ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-27001-free-webinar-on-demand/

This article will provide you a further explanation about ISMS implementation:

• ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

These materials will also help you regarding ISO 27001 implementation:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• ISO 27001:2013 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Where do you see ISO 27001 in the future?

I'm assuming that by the second reference you mean ISO 14001.

Considering that, with the increase in the attacks aiming private and corporate information, the increase in the dependence of information to provided services, and potential impacts due to realized risks, we see an increase in the adoption of ISO 27001 by organizations, but not to be the most important standard (since ISO 9001 is focused on customer satisfaction, it will remain the most popular ISO management system standard).

IVD Medical Devices for Infectious Diseases

For IVD Medical Devices for Infectious Diseases e.g. Covid-19 are these classified in IVDR as high-risk Class D?

In which class is some IVD for COVID-19 depends on what type of the test it is. There are three main types of detection assays relevant for COVID-19 diagnostic testing and screening:

1. Nucleic acid tests that detect the presence of viral RNA. 
2. Antigen tests that detect the presence of a viral antigen, typically part of a surface protein.
3. Antibody tests detect the presence of antibodies generated against SARS-CoV-2; like immunosorbent assays (ELISA), chemiluminescence assays (CLIA) and lateral flow assays (LFA).

According to IVD Directive 98/79/EC Article 9, on conformity assessment procedures, for COVID-19 diagnostic devices that are not intended for use as self-tests, the manufacturer shall, in order to affix the CE marking, draw up the EC declaration of conformity required before placing the devices on the market. This is a self-declaration procedure based on satisfying essential safety and performance requirements listed in the Directive and specifications of the device performance characteristics, stated by the manufacturer.  In case of self-tests, the involvement of a third-party conformity assessment body is necessary. 

European Commission has published a document which proposes a tentative definition of COVID-19 diagnostic test performance criteria (analytical sensitivity, analytical specificity, clinical sensitivity, and clinical specificity) - Current performance of COVID-19 test methods and devices and proposed performance criteria - Working document of Commission services https://ec.europa.eu/docsroom/documents/40805

European Commission also published a searchable database. The objective of the JRC COVID-19 In Vitro Diagnostic Devices and Test Methods Database is to collect in a single place all publicly available information on the performance of CE-marked in vitro diagnostic medical devices (IVDs) as well as in-house laboratory-developed devices and related test methods for COVID-19. - COVID-19 In Vitro Diagnostic Devices and Test Methods Database https://covid-19-diagnostics.jrc.ec.europa.eu/

And must the CE Mark have the NB 4 digit Number next to the CE Mark?

This depends again on what kind of diagnostic test it is. If it is self-test than it needs NB 4 digit numbers, if it is not then there is a self-declaration and there is no need for the NB 4 digit numbers next tot he CE mark.

Interested Parties

First is important to note that ISO 27001 does not prescribe how to document interested parties, so documenting them by name or by category are acceptable approaches.

But please note that, to fulfill clause 7.4 - Communication, you need to determine with whom to communicate, and depending on the information to be communicated, maybe it will be necessary to identify clients individually in certain circumstances.

This article will provide you a further explanation about interested parties:

• How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//

These materials will also help you regarding interested parties:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Annex A.17.1/2/3

I'm assuming you are referring only to controls from section A.17.1

Considering that, controls from ISO 27001 Annex A section A.17 (Information security aspects of business continuity management) aims to minimize risks that, in case of an event that disrupts business operations, the information will be kept protected, and operations that rely on them will be resumed as quickly as possible.

To show compliance with controls of this section an organization needs to:

• identify and include information security requirements in its reparations for business continuity
• ensure processes, procedures and controls required for information security are documented, implemented, and maintained
• regularly review its information security continuity elements to ensure its effectiveness and relevance to business

This article will provide you a further explanation about business continuity for ISO 27001:

• How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/

These materials will also help you regarding business continuity for ISO 27001:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/