Search results

Writing quality manual and nominating quality manager when we implement ISO 17025:2017

Indeed, although ISO 17025:2017 does not specifically require an appointment of a Quality Manager, nor a documented Quality Manual; it does not imply you cannot do so. You can include a quality manual as part of your documented management system and you can nominate a quality manager.

ISO 17025 specifies general requirements, to ensure competency. Your laboratory must establish a management system that suites your needs, to meet your objectives. In identifying suitable management, authorities and responsibilities, you can have one or more personnel performing the Quality Management functions. Likewise, when you establish processes and documents to meet ISO 17025 mandatory requirements, you could also include information in a quality manual, to describing the organization’s structure, the general requirements of impartiality and confidentiality and other processes that do not specifically require documented procedures. It is also a central place to reference mandatory documented procedures. A Quality Manual is included in the ISO 17025 toolkit. Have a look at the ISO 17025 document template: Quality Manual at https://advisera.com/17025academy/documentation/quality-manual/

It is important to understand the intent behind the revision, to help you implement ISO 17025 effectively. Have a look at the article ISO/IEC 17025:2005 vs. ISO/IEC 17025:2017 revision: What has changed? at https://advisera.com/17025academy/blog/2019/11/13/iso-17025-2017-vs-iso-17025-2005-key-changes-infographic/

Minimum time frame to implement ISO 13485 to Stage 1

The time necessary for the implementation of ISO 13485:2016 depends on the number of the employees, how many and how complex your processes are; and what your medical device is (is it low-risk medical device, do you have sterilization process, is it software). Usually, for the company with 10 employees, it is necessary some 2-3 months for companies, and for companies with up to 50 employees, it takes some 6-8 months. 

Here you can find a Checklist of ISO 13485 implementation and certification steps:

• Checklist of ISO 13485 implementation and certification steps https://advisera.com/13485academy/knowledgebase/checklist-of-iso-13485-implementation-and-certification-steps/

Although this article is written for ISO 27001, the content is universal, so maybe you will find it useful:

• The documentation myth – Why the templates are not enough? https://advisera.com/27001academy/blog/2012/04/24/the-documentation-myth-why-the-templates-are-not-enough/

• ISO 9001 vs ISO 22000

  I’m not an expert on ISO 22000 and Advisera does not provide services about ISO 22000. However, I invite you to check that both standards have a common structure (the so-called High Level Structure) and it is straightforward to integrate clauses 4, 5, 6, 7, 9 and 10.

  Major differences are around clause 8 in both standards.

  With ISO 9001:2015 you are working with:

  8.2 – handling customers’ orders
  8.3 – developing new products
  8.4 – purchasing materials, services and processes
  8.5 – manufacturing the products
  8.6 – controlling quality
  8.7 – treating non-conforming product
   

  With ISO 22000:2018 you are working with food safety:

  8.1 Operational planning and control
  8.2 Prerequisite programmes (PRPs)
  8.3 Traceability system
  8.4 Emergency preparedness and response
  8.5 Hazard control
  8.6 Updating the information specifying the PRPs and the hazard control plan
  8.7 Control of monitoring and measuring
  8.8 Verification related to PRPs and the hazard control plan
  8.9 Control of product and process
   

  Please check this article - Similarities and differences between ISO 9001 and ISO 22000 - https://advisera.com/9001academy/blog/2018/11/20/similarities-and-differences-between-iso-9001-and-iso-22000/

• ISMS roles and responsibilities

  This is not sufficient, because not only the ISMS champions must know about their information security responsibilities, but also all personnel included in the ISMS scope, so they can know who to look for in case of a situation related to information security.

  In  this case, you must also consider:

  • Document information security roles and responsibilities in the policies and procedures used by the organization.
  • Provide awareness and training sessions for all personnel included in the ISMS scope.

  This article will provide you a further explanation about documenting roles and responsibilities:

  • How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/

  These materials will also help you regarding roles and responsibilities:

  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• ISO 22301 gap analysis

  Please note that ISO 22031 does not require a gap analysis to be performed, and it is not recommended for smaller companies, because, in general, it is not worth the effort due to their size and complexity. As an alternative, you can use the internal audit checklist, located on folder 10 Internal Audit, to make a quick assessment of your situation.

• Ecosystem degradation cause

  Environmental changes that cause ecosystem degradation are based on many factors including:

  • Urbanization
  • Population growth
  • Economic growth
  • Intensification of agriculture
  • Increase in energy use
  • Increase in transportation

  
  You can find more information about ISO 14001 below:

  • Protect and improve biodiversity performance by implementing ISO 14001 - https://advisera.com/14001academy/blog/2019/09/09/iso-14001-and-biodiversity-how-to-improve-performance/
  • Enroll for free online training - ISO 14001:2015 Foundations Course: https://advisera.com/training/iso-14001-internal-auditor-course/
  • Book – The ISO 14001:2015 companion: https://advisera.com/books/the-iso-14001-2015-companion/

• Internet Access

  Although ISO 27001 does not prescribe access to the Internet only through the organization as mandatory, what happens in real life is that this is more a common sense for business practice, as survival and competitive question than a standard's requirement (most of the businesses and their relations go through the Internet).

  Considering that, when organizations resources, like email services, are available through direct access to the Internet (e.g., to allow remote work), a common practice is the usage of access through Virtual Private Networks (VPNs), where the organizations implement controls such as protected communication, and access control to limit external access to authorized users, only to needed information, and also can monitor activities and information flow.

  A third important point is awareness activities, so employees can understand the importance to access the Internet only through the organization, and the consequences on direct access.

  This article will provide you a further explanation about network controls:

  • How to manage the security of network services according to ISO 27001 A.13.1.2 https://advisera.com/27001academy/blog/2017/02/13/how-to-manage-the-security-of-network-services-according-to-iso-27001-a-13-1-2/

  This material will provide you further information about employee awareness:

  • Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.

• Procedure for clinical trials

  Yes, you are right. Unfortunately, in our toolkit there is no procedure for clinical trials because, in MDR 2017/745, requirements for documents for clinical investigation are very detailed described in Article 63, Article 72, and in Annex XV (Chapter II and III). Further on, clinical trials must be performed according to harmonized standard ISO 14155:2011 Clinical investigation of medical devices for human subjects — Good clinical practice. In most cases, clinical trials are conducted by specialized companies. 

  Which documents are necessary for medical devices you can find in the following material: 

  • EU MDR Checklist of Mandatory Documents https://info.advisera.com/13485academy/free-download/eu-mdr-checklist-of-mandatory-documents

  • Risk assessment for GDPR

    "Hi Team,

    I do have a question as part of our toolkit plan.
    We have finished the risk assessment and treatment plan based on the 27001 approaches, which is asset-based.
    In the webinar "How to integrate GDPR with ISO 27001" it was mentioned that recommended is combined "Risk Assessment" for 27001 and GDPR.
    My question is in case you have template methodology that combines both approaches? 

     

    The webinar does not recommend the combined risk assessment for ISO 27001 and GDPR. On the contrary, the webinar recommends doing the risk assessment for ISO 27001, and DPIA for GDPR.  

    In fact, ISO 27001 is focused on information security and, as you said, is asset-based. GDPR focuses on the risks for freedom and rights of individuals arising from data processing, so the focus is on the data subject.

    ISO 27001 risk assessment helps to implement GDPR requirements but there is no template that combines both GDPR and ISO 27001 because they are different regulations and require different implementation. 

    In our EU GDPR & ISO 27001 Integrated Documentation Toolkit you can find a chart with the list of relevant documentation and with reference to mandatory requirements by both regulations. You bought ISO 27001 Documentation Toolkit so you can verify what documentation you need to implement in order to comply with GDPR requirements.

    You can find this chart in the free demo of the EU GDPR & ISO 27001 Integrated Documentation Toolkit: https://advisera.com/eugdpracademy/eu-gdpr-iso-27001-integrated-documentation-toolkit/

     

    How do we need to augment current 27001 methodologies & template to be GDPR compliant?Our current risk register includes assets of type "Processes/Services", which map with processing activities.To confirm I am not speaking about DPIA, which is unique to GDPR.

    As I said, the focus between the two regulations is slightly different so ISO 27001 can help you to implement GDPR, however, implementing GDPR will require specific documentation. To comply with GDPR requirements you have to perform DPIA, and there are templates in the GDPR Toolkit or in ISO 27001 & GDPR Integrated Toolkit for that purpose. 
     

    Is there anything specific in GDPR that would require to extend methodology that is included in your 27001 templates? 

    You need to implement the data protection policy, data retention policy, employee data protection policy, privacy policies, and documentation which is specific of GDPR and is not covered by ISO 27001, like the inventory of processing activity according to requirements of Article 30 GDPR, eventually appointing a Data Protection Officer.

    Here you can find our Toolkit to help you implement GDPR requirements.

    • EU GDPR Documentation Toolkit: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/
    • EU GDPR & ISO 27001 Integrated Documentation Toolkit: https://advisera.com/eugdpracademy/eu-gdpr-iso-27001-integrated-documentation-toolkit/

    Here you can find more information:

    • Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
    • What is EU GDPR and how can ISO 27001 help? https://info.advisera.com/27001academy/free-download/what-is-eu-gdpr-and-how-can-iso-27001-help

    You may also consider enrolling in this online EU GDPR Foundations Course:
    EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

  • E-privacy laws compliance

    From your question, I understand that your company processes the personal data of your clients. Your company collects personal data in order to send newsletters and communication. This processing activity falls in the scope of GDPR (EU Regulation 2016/679) while e-privacy Directive applies to “the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community, including public communications networks supporting data collection and identification devices” (Article 3 ePrivacy Directive).

    In order to comply with GDPR you need to verify your process of data, have a privacy policy, inform data subjects about data processing, data retention periods, and be sure you are processing data under a legitimate ground and implement GDPR requirements.

    Here you can find some articles to guide you and we developed a toolkit to help data controller to comply with GDPR requirements.

    • GDPR vs e-Privacy regulation https://advisera.com/eugdpracademy/blog/2018/02/21/gdpr-vs-e-privacy-regulation/
    • First steps to take to reach GDPR compliance: https://advisera.com/eugdpracademy/blog/2018/10/08/first-steps-to-take-to-reach-gdpr-compliance/
    • 7 biggest priorities to comply with GDPR on time https://advisera.com/eugdpracademy/blog/2018/01/25/7-biggest-priorities-to-comply-with-gdpr-on-time/
    • Email marketing in the era of GDPR – How to ensure compliance? https://advisera.com/eugdpracademy/blog/2019/05/27/gdpr-and-email-marketing-rules-for-compliant-campaigns/
    • Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/

    You may also consider enrolling in this online EU GDPR Foundations Course:EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//