Search results

ISO 13485 Documentation & implementation

If I understand the question correctly, you are asking is ISO 13485:2016 quality management system documentation the same for disposable medical devices and IVD devices. Yes, basic documentation is the same, the only difference is the procedures and work instructions for the production process (what kind of the production it is, is it necessary to produce them in the cleanroom or not, is there a sterilization process involved and similar).

For more details which documents are mandatory for ISO 13485:2016, please see the following links:

• List of mandatory documents required by ISO 13485:2016 - https://advisera.com/13485academy/blog/2017/01/18/list-of-mandatory-documents-required-by-iso-134852016/
• Checklist of Mandatory Documentation Required by ISO 13485:2016 - https://info.advisera.com/13485academy/free-download/checklist-of-mandatory-documentation-required-by-iso-134852016
• How to structure Quality Management System documentation according to ISO 13485 - https://advisera.com/13485academy/knowledgebase/how-to-structure-quality-management-system-documentation-according-to-iso-13485/

On the following link, you can see how our ISO 13485:2016 documentation toolkit looks like - https://advisera.com/13485academy/iso-13485-documentation-toolkit/

Conducting an internal audit

I invite you to watch this free webinar on demand about “How to perform an ISO 14001:2015 internal audit” - https://advisera.com/14001academy/webinar/how-to-perform-an-iso-14001-2015-internal-audit-free-webinar-on-demand/ where this process

is presented and several tips are shared.

Please check this information below with more detailed answer:

• Internal Audits in the EMS: Five Main Steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/internal-audits-in-the-ems-five-main-steps/
• Enroll for free in ISO 14001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book - ISO internal audit: A plain English guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/

How to use ISO 27001 in the hospital

ISO 27001 was designed to be implemented in organizations of any size and industry, and broadly speaking, these are the general steps to implement it on any organization:

1. get support for your project (through approval of the ISMS project plan);
2. develop the Procedure for Document and Record Control:
3. define the ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding the organizational context and requirements of interested parties;
4. develop risk assessment and treatment methodology;
5. perform a risk assessment and define the risk treatment plan;
6. controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
7. people training and awareness;
8. controls operation;
9. performance monitoring and measurement;
10. perform an internal audit;
11. perform management critical review; and
12. address nonconformities, corrective actions, and opportunities for improvement.

Regarding ISO 27001 implementation approaches, you have three options:

• Implementing with your own employees (in general the cheapest and longest)
• Hiring a consultant (in general the costliest and fastest)
• Implementing by yourself with external support (a balanced solution)

Each one of them has its advantages and disadvantages, related to time, resources, and knowledge. For more information, I suggest the following materials:

• 3 strategic options to implement any ISO standard https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/
• Implementing ISO 27001 with a consultant vs. DIY approach https://info.advisera.com/27001academy/free-download/implementing-iso-27001-with-a-consultant-vs-diy-approach

Advisera is specialized in the third approach. We offer toolkits with templates and expert support, and also free material in the form of articles, papers, and webinars, to help you with your implementation project. Please see these materials for more information:

• ISO 27001 Documentation Toolkit https://advisera.com/27001academy/iso-27001-documentation-toolkit/
• How to use a Documentation Toolkit for the implementation of ISO 27001 / ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-27001-free-webinar-on-demand/

This article will provide you a further explanation about ISMS implementation:

• ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

These materials will also help you regarding ISO 27001 implementation:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• ISO 27001:2013 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Where do you see ISO 27001 in the future?

I'm assuming that by the second reference you mean ISO 14001.

Considering that, with the increase in the attacks aiming private and corporate information, the increase in the dependence of information to provided services, and potential impacts due to realized risks, we see an increase in the adoption of ISO 27001 by organizations, but not to be the most important standard (since ISO 9001 is focused on customer satisfaction, it will remain the most popular ISO management system standard).

IVD Medical Devices for Infectious Diseases

For IVD Medical Devices for Infectious Diseases e.g. Covid-19 are these classified in IVDR as high-risk Class D?

In which class is some IVD for COVID-19 depends on what type of the test it is. There are three main types of detection assays relevant for COVID-19 diagnostic testing and screening:

1. Nucleic acid tests that detect the presence of viral RNA. 
2. Antigen tests that detect the presence of a viral antigen, typically part of a surface protein.
3. Antibody tests detect the presence of antibodies generated against SARS-CoV-2; like immunosorbent assays (ELISA), chemiluminescence assays (CLIA) and lateral flow assays (LFA).

According to IVD Directive 98/79/EC Article 9, on conformity assessment procedures, for COVID-19 diagnostic devices that are not intended for use as self-tests, the manufacturer shall, in order to affix the CE marking, draw up the EC declaration of conformity required before placing the devices on the market. This is a self-declaration procedure based on satisfying essential safety and performance requirements listed in the Directive and specifications of the device performance characteristics, stated by the manufacturer.  In case of self-tests, the involvement of a third-party conformity assessment body is necessary. 

European Commission has published a document which proposes a tentative definition of COVID-19 diagnostic test performance criteria (analytical sensitivity, analytical specificity, clinical sensitivity, and clinical specificity) - Current performance of COVID-19 test methods and devices and proposed performance criteria - Working document of Commission services https://ec.europa.eu/docsroom/documents/40805

European Commission also published a searchable database. The objective of the JRC COVID-19 In Vitro Diagnostic Devices and Test Methods Database is to collect in a single place all publicly available information on the performance of CE-marked in vitro diagnostic medical devices (IVDs) as well as in-house laboratory-developed devices and related test methods for COVID-19. - COVID-19 In Vitro Diagnostic Devices and Test Methods Database https://covid-19-diagnostics.jrc.ec.europa.eu/

And must the CE Mark have the NB 4 digit Number next to the CE Mark?

This depends again on what kind of diagnostic test it is. If it is self-test than it needs NB 4 digit numbers, if it is not then there is a self-declaration and there is no need for the NB 4 digit numbers next tot he CE mark.

Interested Parties

First is important to note that ISO 27001 does not prescribe how to document interested parties, so documenting them by name or by category are acceptable approaches.

But please note that, to fulfill clause 7.4 - Communication, you need to determine with whom to communicate, and depending on the information to be communicated, maybe it will be necessary to identify clients individually in certain circumstances.

This article will provide you a further explanation about interested parties:

• How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//

These materials will also help you regarding interested parties:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Annex A.17.1/2/3

I'm assuming you are referring only to controls from section A.17.1

Considering that, controls from ISO 27001 Annex A section A.17 (Information security aspects of business continuity management) aims to minimize risks that, in case of an event that disrupts business operations, the information will be kept protected, and operations that rely on them will be resumed as quickly as possible.

To show compliance with controls of this section an organization needs to:

• identify and include information security requirements in its reparations for business continuity
• ensure processes, procedures and controls required for information security are documented, implemented, and maintained
• regularly review its information security continuity elements to ensure its effectiveness and relevance to business

This article will provide you a further explanation about business continuity for ISO 27001:

• How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/

These materials will also help you regarding business continuity for ISO 27001:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

Data integrity

1. How can ISO 27001 ensure data integrity in a company that needs to create all its security policies from scratch

ISO 27001 Annex A has controls that can be applied to minimize risks that information is changed or destroyed without authorization (e.g., A.9.1.1 Access control policy, and A.12.1.2 Change management), and that changes performed can be tracked and undone if needed (e.g., A.12.4.1 Event logging, and A.12.3.1 Information backup), thus helping protect information integrity.

For further information, see:

• How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/
• How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/
• Logging and monitoring according to ISO 27001 A.12.4 https://advisera.com/27001academy/logging-according-to-iso-27001/
• Backup policy – How to determine backup frequency https://advisera.com/27001academy/documentation/backup-policy/

This material will also help you regarding ISO 27001 controls:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

2. is the return on investment of an ISO 27001 project feasible?

ISO 27001 was designed to help organizations apply controls based on relevant requirements and in levels related to their risk tolerance.

Considering that, provided that the ISO 27001 project is aligned to the business' and interested parties' (e.g., customers, regulation bodies, suppliers, etc.) needs and objectives, its return on investment is feasible.

This article will provide you a further explanation about ISO 27001 implementation:

• How to make your investment in ISO 27001 profitable https://advisera.com/27001academy/blog/2015/07/13/how-to-make-your-investment-in-iso-27001-profitable/
• Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
• Aligning information security with the strategic direction of a company according to ISO 27001 https://advisera.com/27001academy/blog/2017/02/20/strategic-direction-of-a-company-according-to-iso-27001/

IS responsive culture

To develop a security culture you must consider these points:

• definition of clear objectives and targets
• definition of roles and responsibilities
• providing awareness about the importance of information security and the consequences of incidents and non-compliances
• providing training about how to perform required activities
• measure and analyze performance and provide feedback

For further information, see:

• What are the benefits of security awareness training for organizations? https://advisera.com/27001academy/blog/2019/03/27/what-are-the-benefits-of-security-awareness-training-for-organizations/
• How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/

This material will also help you regarding awareness and training:

• Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.

ISO 9001 - Management Representative Audit

You are going to audit the Management Representative. An audit is about collecting evidence from the contrast between reality and audit criteria. You should start by collecting the audit criteria. Which documents, in your QMS, mention the Management Representative and its authorities and responsibilities? Then, read that documentation and look for situations that you think you want to check, that you want to confirm. For example, you may read that the Management Representative is responsible for conducting quarterly performance reviews about processes and action plans. You can ask to see evidence that the performance review took place, what its decisions were, and if it has a positive impact on the organizations’ performance. For example, you may read that the Management Representative is responsible for ensuring that corrective actions are implemented, effective, and closed. You can ask to see evidence that shows if corrective actions are defined, implemented, evaluated as effective, and closed.

You can find more information below:

• What will be the destiny of the management representative in the new ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/what-will-be-the-destiny-of-the-management-representative-in-the-new-iso-90012015/
• Choosing the best person for the job quality management representative: https://advisera.com/9001academy/blog/2014/06/03/choosing-best-person-job-quality-management-representative/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/