Search results

Change management policy

ISO does not have a definition for change, but from ITIL, a world-recognized framework for managing IT services, you can have this one: "The addition, modification or removal of anything that could have an effect on IT Services.”

Considering ISO 27001, examples of change can be:

• Replacement of a server
• Adding a new technology (e.g., VPN for remote access)
• Updating a document (e.g., policy or procedure)

To see how a change management policy look like, see this free demo: Change Management Policy https://advisera.com/27001academy/documentation/change-management-policy/

This article will provide you a further explanation about the change management:

• How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/

ISO 13485:2016/21 CFR 820 requirement question

In the ISO 13485:2016, requirement 6.2 Human resources, it is stated that the organization must ensure that all employees are aware of the relevance and importance of their activities. The auditor will ask for the proof that employees are familiar with this. Usually, the best way to prove that manufacturer has fulfilled this requirement is to show the signed job description. However, if there is another way that manufacture can prove that employee knows exactly their activities and responsibilities covered in the job description, it can also be acceptable.

For more details regarding roles and responsibilities, please see in the following article: 

How to define roles and responsibilities within an ISO 13485-based QMS - https://advisera.com/13485academy/blog/2017/11/16/how-to-define-roles-and-responsibilities-within-an-iso-13485-based-qms/

Cross-border Transfer of Personal Data

Cross-border transfer of personal data under GDPR happens when personal data based in the EU are transferred towards third countries (i.e. US, Canada). Those transfers can be based on:

• An adequacy decision by the European Commission. It means that the European Commission analyzed the data protection rules of the third country and estimated it gives an adequate level of protection for the freedom and rights of individuals. The Commission adopted adequacy decisions for the following countries:  Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and the United States (Privacy Shield).
• Standard data protection clauses adopted by the Commission. Are contractual clauses that grant some protection rights to parties.
• Standard data protection clauses adopted by a supervisory authority.
• An approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights or an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

In the above-mentioned cases, you do not need to notify to DPA cross-border transfer of data because it is considered compliant to the GDPR.  

Consider that, you will need to consider the impact of Brexit from January 2021 when UK will no longer be part of European Union.

Here you can find some useful material about data transfer:

• 3 steps for data transfers according to GDPR: https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/Standard Contractual Clauses for the Transfer to Processors and Standard Contractual Clauses for the Transfer to Controllers.: https://info.advisera.com/eugdpracademy/free-download/standard-contractual-clauses-annexes
• EU GDPR Article 44 – General principle for transfers: https://advisera.com/eugdpracademy/gdpr/general-principle-for-transfers/
• EU GDPR Article 45 – Transfers on the basis of an adequacy decision: https://advisera.com/gdpr/transfers-on-the-basis-of-an-adequacy-decision/
• EU GDPR Article 46 – Transfers subject to appropriate safeguards: https://advisera.com/gdpr/transfers-subject-to-appropriate-safeguards/
• Free webinar – How to make personal data transfers to other countries compliant with GDPR: https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/

You can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

The project management audit

By auditing a project manager, you want to determine the true status of work performed on a project and its compliance with the project statement of work, including schedule and budget constraints. What work is required to meet project objectives and the adequacy of the schedule and budget to do so.

You can ask for the project plan and check topics like:

• Is it approved and updated?
• Are monitoring and control procedures implemented?
• Were risks determined and countermeasures developed?
• Are staffing needs considered?
• Are reports being made?
• What about customer feedback?
• What about subcontractor relations?
• What about cost versus budget?

These materials will also help you regarding internal audit:

• What is the ISO 9001 audit program, and how does it work? - https://advisera.com/9001academy/blog/2017/01/24/what-is-the-iso-9001-audit-program-and-how-does-it-work/
• Free online training ISO 9001 Internal Auditor - https://advisera.com/training/iso-9001-internal-auditor-course/
• Book ISO Internal Audit: A Plain English Guide - https: //advisera.com/books/iso-internal-audit-plain-english-guide/

Corrective action process

I would use a lot of diplomacy and tact, and politely would tell them that my audit has nothing to do with an internal audit. As an external auditor, I would like to do my own audit, collect my own evidence and arrive at my own findings. So, I could not delete that department from the audit plan.

The following material will provide you information about audits:

• What is the ISO 9001 audit program, and how does it work? - https://advisera.com/9001academy/blog/2017/01/24/what-is-the-iso-9001-audit-program-and-how-does-it-work/
• Free online training ISO 9001:2015 Internal Auditor Course – https://advisera.com/training/iso-9001-internal-auditor-course/
• Book -  ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
   

Internal Audit Frequency

Let us start with a flow diagram:

ISO 9001 allows you to set your own frequency and audit scope, however you need to perform at least one internal audit per year to the whole quality management system (QMS) because of the certification body surveillance visits.

These materials will also help you regarding internal audit:

• What is the ISO 9001 audit program, and how does it work? - https://advisera.com/9001academy/blog/2017/01/24/what-is-the-iso-9001-audit-program-and-how-does-it-work/
• Free online training ISO 9001 Internal Auditor - https://advisera.com/training/iso-9001-internal-auditor-course/
• Book ISO Internal Audit: A Plain English Guide https: //advisera.com/books/iso-internal-audit-plain-english-guide/

ISO 13485 or ISO 9001

It is not a question of preference, but what the legal regulations are and what requirements must be met in order for a medical device to comply with its regulations. ISO 13485:2016 is a standard that is specific for Manufacturers of medical devices (Medical devices — Quality management systems — Requirements for regulatory purposes). Besides that, on the web pages of the European Commission (https://ec.europa.eu/growth/single-market/european-standards/harmonised-standards/medical-devices_en) are stated which standards are applicable for all types of medical devices. On that list, which has around 300 standards, only ISO 13485:2015 is the standard for the quality management system.

For more information, see following articles:

• How can ISO 13485 help with MDR compliance? - https://advisera.com/13485academy/blog/2020/03/09/how-can-iso-13485-help-with-mdr-compliance/

• EU MDR – Easy-to-understand basics - https://advisera.com/13485academy/what-is-eu-mdr/

• ISO 9001 certification for tobacco factories

  I’m not working with the tobacco sector. Normally, there are no legal obligation to be certified. Certification is supposed to be a voluntary decision.

  Why do organizations decide to get certification? Normally, for two reasons:

  A customer demands it (in the Business to Business world);
  Improving credibility and image 

  An organization with a strong brand may decide that certification is not relevant once the brand power is what gives credibility and image.

  Just implementing a quality management system (QMS) can be very useful for an organization, like a tobacco factory, that processes millions of units, in terms of improving efficiency and reducing costs. After implementing, getting the certification is just a small step.

  Please check more information about ISO 9001 below:

  • Article – Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
  • Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
  • Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • ISO 9001:2015 Documentation Toolkit - https://advisera.com/9001academy/iso-9001-documentation-toolkit/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
     

• ISO 13485 planning related query

  Yes, your understanding is correct. If you implement ISO 13485:2016 you can still label reagents as research use only. ISO 13485:2016 is applicable to the manufacturing of both medical devices and in-vitro devices.

  • For Similarities and differences between ISO 9001:2015 and ISO 13485:2016, please see following article: https://advisera.com/9001academy/blog/2015/01/21/iso-9001-vs-iso-13485/

  • Here is a Checklist of ISO 13485 implementation and certification steps: https://advisera.com/13485academy/knowledgebase/checklist-of-iso-13485-implementation-and-certification-steps/

  ISO 13485:2016 is a process-oriented standard. Product-specific regulation for your type of the product is In vitro diagnostic directive (current valid IVDD 98/79/Eec, and new version IVDR 2017/746).

  For more details about ISO 13485 please read the following articles:

  • ISO 13485 structure and requirements https://advisera.com/13485academy/what-is-iso-13485/ What are the consequences of noncompliance with ISO 13485 for manufacturers of medical devices? https://advisera.com/13485academy/blog/2017/11/02/what-are-the-consequences-of-noncompliance-with-iso-13485-for-manufacturers-of-medical-devices/

  • How to use ISO 13485 to comply with In Vitro Diagnostic medical devices (IVD) requirements in UK https://advisera.com/13485academy/blog/2017/10/26/how-to-use-iso-13485-to-comply-with-in-vitro-diagnostic-medical-devices-ivd-requirements-in-uk/

• Risk assessment

  1. As I fill out the risk assessment table and do the risk assessment, we are finding that some risk should be owned by a third party connected to our ISO scope, is it ok to list them as the asset and risk owner, they would be responsible if the risk would surface.

  Risks related to elements outside the ISMS scope should be treated by controls of section A.15 - Supplier relationships. Through Service Level Agreements (SLAs), Operational Level Agreements (OLAs) or Terms and Conditions of Service, the organization makes clear and enforces the expected information security controls to be applied. In this scenario, someone in the organization still is the risk owner, but the treatment is delegated to the third party.

  For further information, see:

  • 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

  2. We have some SDLC (systems development life cycle) controls listed in 06 SOA, we stated in our scope document that software development is not in scope, however, if we know that controls are in place already should we document that in the SOA?

  

  The main purposes of the SoA are to identify which controls are applicable or not in the ISMS scope, the justifications for such decisions, and the implementation status of those controls deemed as applicable, but you can document implemented controls that are not part of the ISMS scope in the SoA as a good practice (ISO 27001 requirements do not prohibit this).

  This way you will have a centralized information source about all implemented controls you have, even if they are not implemented in the ISMS scope. This can be useful, for example, if in the future you need to include such controls in the ISMS scope (you will have quick information about what you already have).

  You only need to pay attention to ensure that the situation of the control as not part of the ISMS scope is perfectly clear in the justification. For example:
  "Program source code is not in the ISMS scope, however, this control is tracked in the SoA as a good practice, to keep a centralized database of the organization's applied controls."

  This article will provide you a further explanation about SoA:

  • The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/