Search results

Which aspects of MDR compliance should be main priority?

If your medical devices are already certified according to the MDD 93/42/EEC, first you need to check is there a change in the classification of your medical devices. In MDD there were 18 rules, in MDR 2017/745 there are 22 rules, so some medical devices have been changed to a higher class.

You can find Classification rules in EU MDR Annex 8 Classification rules: https://advisera.com/13485academy/mdr/classification-rules/

The next requirement that needs to be fulfilled is the requirement for the Post-market surveillance system.

This system is in detail explained in following MDR chapters:

• EU MDR Chapter 7 - Post-market surveillance, vigilance, and market surveillance: https://advisera.com/13485academy/mdr-heading/post-market-surveillance-vigilance-and-market-surveillance/
• EU MDR Annex 1 - General safety and performance requirements for each medical device or medical device family - https://advisera.com/13485academy/mdr/general-requirements

For more information about MDR, please see the following articles:

• EU MDR - Easy-to-understand basics: https://advisera.com/13485academy/what-is-eu-mdr/
• How can ISO 13485 help with MDR compliance?: https://advisera.com/13485academy/blog/2020/03/09/how-can-iso-13485-help-with-mdr-compliance/

• Executives involved in ISO 27001

  1. How and which Executives need to get involved in ISO 27001.

  The executives to be involved will depend on the ISMS scope. In case all the organization is in the ISMS scope, then the CEO is the top executive to be involved, as well as the other executives, representing their areas. In case the ISMS scope is limited to part of the organization, then the highest executives in the defined scope must be involved.

  The executives' involvement basically covers:

  • ensure that information security supports the company strategy;
  • definition of objectives to be achieved;
  • definition of specific related responsibilities and authorities to information security;
  • provision of resources;
  • general performance review.

  For more information about the roles and responsibilities of executives in information security I suggest these materials:

  • Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
  • Aligning information security with the strategic direction of a company according to ISO 27001 https://advisera.com/27001academy/blog/2017/02/20/strategic-direction-of-a-company-according-to-iso-27001/
  • How to document roles and responsibilities according to ISO 27001 https://advisera.c om/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
  • ISO 27001:2013 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  2. Which documents need to be overseen by them specifically?

  Considering the mentioned responsibilities, the most common documents you will find are:

  • Information security policy
  • Management review

  To see how these documents look like, please access these links:

  • Information Security Policy https://advisera.com/27001academy/documentation/information-security-policy/
  • Management Review Minutes https://advisera.com/27001academy/documentation/management-review-minutes/

• Need of keeping data beyond each specific project

  No, you need to know what data you will keep (maybe personal details in suppliers/customers invoices), how long you will keep them (usually bookkeeping periods are defined by law) and how you will protect and then you need to develop your own privacy notice to inform in a transparent manner how you will process personal data. If you do not keep projects data, you will write so to inform individuals about it. You need also to protect data with some security measures. 

  Here you can find some information:

  • GDPR challenges for small companies: https://advisera.com/articles/gdpr-for-small-businesses-the-most-common-challenges/
  • Everything you need to know about the GDPR Privacy Notice: https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/
  • First steps to take to reach GDPR compliance: https://advisera.com/eugdpracademy/blog/2018/10/08/first-steps-to-take-to-reach-gdpr-compliance/

  You may also consider enrolling in this online EU GDPR Foundations Course: EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

   

• Shipment rating systems

  You can draw the process flow where those companies interact with your organization and then determine possible risks. Evaluate those risks and for the most significant include the topics in your rating scheme.

  Please find below more detailed information:

  • How to evaluate supplier perfor mance according to ISO 9001:2015 https://advisera.com/9001academy/blog/2015/10/27/how-to-evaluate-supplier-performance-according-to-iso-90012015/
  • Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
     

• External or Supplier Audits

  You can follow exactly the same procedure as for internal audits. Where you should invest more time is in the audit scope definition and in the audit objective definition. Please check Annex “A.12 Audit of supply chain” in ISO 19011:2018.

  Please find below more detailed information:

  • First-, Second- & Third-Party Audits, what are the differences? - https://advisera.com/9001academy/blog/2015/02/24/first-second-third-party-audits-differences/
  • Why should companies perform a second-party audit of their supplier’s QMS? - https://advisera.com/9001academy/blog/2017/09/12/why-should-companies-perform-a-second-party-audit-of-their-suppliers-qms/
  • ISO 9001:2015 Internal Auditor Course: https://advisera.com/training/iso-9001-internal-auditor-course/
  • Book - ISO internal audit: A plain English guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/

• ISO 22301 certification

  1. When looking for certification in *** I realize that there are not really a lot of people with experience in 22301. I talked to *** and they all struggle to find a proper contact to talk to. On the ISO Website, I saw the 2018 survey than resulted in a total of 1128 certifications worldwide and only 7 in ***. Do these numbers seem correct to you? Do you know German companies with a 22301 certification?

  We do not know this country ISO 22301 environment well enough to provide an objective answer, but we can suggest you contact certification bodies in this country and ask for the number of companies they certified in this country.

  2. We realized that a cyber attack is a very likely threat. As Financial Services we rely heavily on our IT department (who is in the process of getting certified by 27001). How can we handle that in the scope of the BC Plan? Is it OK to delegate the responsibility to IT or do we have to come up with our own detailed plans? We need to come up with ideas and plans on what to do when such an incident occurs and how we e.g. bridge the first hours and days, but it is difficult to take ownership for fixing the IT part. How can that be handled?

  Please note that a BC Plan has to cover two major groups of activities: support activities and business activities. Considering that, although you can delegate the recovery of information systems to the IT department, there may be a need for other actions not related to IT to be executed. For example, in case of disruption of internal organization's communication services, an emergent alternative could be resuming activities through employees' cellphones, and such activity should be organized by the manager of each team until the IT can recover internal communications.

  This article will provide you a further explanation about elaborating a BCP:

  • Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/

  This material can also help:

  • Writing a business continuity plan according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/writing-a-business-continuity-plan-according-to-iso-22301-free-webinar-on-demand/

• ISO 9001 version 2008 vs version 2015

  Main differences are:

  • Introduced the risk-based approach;
  • There are no mandatory procedures;
  • Introduced clauses about the context and interested parties;
  • More commitment with the QMS and leadership is expected from top management;
  • No longer mandatory a management representative or a quality manual. 

  Please find below more detailed information:

  • Infographic: ISO 9001:2015 vs. 2008 revision – What has changed? - https://advisera.com/9001academy/knowledgebase/infographic-iso-90012015-vs-2008-revision-what-has-changed/
  • How to make the transition from ISO 9001:2008 revision to the 2015 revision - https://advisera.com/9001academy/blog/2015/10/06/how-to-make-the-transition-from-iso-90012008-revision-to-the-2015-revision/
  • Free ISO 9001:2008 vs 2015 Conversion Tool for Clauses - https://advisera.com/9001academy/iso-90012008-vs-2015-conversion-tool/
  • ISO 9001:2015 Transition Toolkit - https://advisera.com/9001academy/iso-90012015-transition-toolkit/
  • Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
     

• Clauses that mention continual improvement

  The following requirements clauses in ISO 45001 mention continual improvement (note that I am only including clauses within clause 4 – 10 as this is where the requirements are):

  4.4 – Continually improve the OHSMS

  5.1 - Leaders promote continual improvement

  5.2 – OH&S policy includes continual improvement commitment

  5.4 – Consultation of workers ensures continual improvement

  6.1.1 - Actions for risk and opportunity to achieve continual improvement

  6.2.1 - OH&S objectives to continually improve

  7.1 – Resources to ensure continual improvement of the OHSMS

  7.4.2 – Internal communication enables continual improvement

  9.2.2 – Internal audit program takes action for continual improvement

  9.3 – Management review looks at continual improvement

  10.3 – This is all about continual improvement

  You can learn more about corrective actions and their role in continual improvement of the OHSMS in the article: Using corrective actions to eliminate nonconformities and drive health & safety improvements, https://advisera.com/45001academy/blog/2017/02/15/using-corrective-actions-to-eliminate-nonconformities-and-drive-health-safety-improvements/

• Organizational success

  Thanks very much. I am ok. Following some links for more information on the need for ISO

• ISO 27001 implementation

  1. In addition to the kit I bought from you I purchased the standard from iso... I now realize I should have also bought 27002 so I can get more details on the controls. Is there a package you recommend that has everything I need in it? I'd prefer to get that instead of having to keep asking my cfo for permission for each thing.

  Please note that our toolkits were designed to consider all elements necessary for certification (e.g., recommendations from ISO 27002 are already included in the templates), and from our experience with our customers all around the world, the toolkit content is all you need to successfully implement the standard. No additional standards are required.

  2. Also, I've done the foundations course but I am still feeling a little overwhelmed with where to start... I think risk assessment methodology is the place, but not sure.

  The toolkit documents are ordered in the exact sequence you need to follow to implement the standard, so the first document you need to develop is the Procedure for Document and Record Control.

  There is a List of Documents file in your toolkit that can show your the order of the documents.

  For information, see:

  • ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

  3. I've started going through the docs and updating them with our company info etc and the roles I expect for certain things but not sure if that is the right thing to start with. Thanks in advance for any direction

  You need to follow the sequence of documents explained in the previous answer for easier implementation.

  It is also important that before working on the documents you see the video tutorials included with the toolkit. They will provide you guidance on filling in the most critical documents, using examples with real data. And the templates contain several comments with guidance and examples on how to fill the documents. You should read them first too.

  Additionally, you can count on our support, through email or scheduled meetings, to clarify your doubts regarding the ISO 27001 implementation, as well as to review some of your developed documents, where we will provide comments about how to improve them as necessary.