Thank you
It is absolutely OK not to make this record until you know that this is a more solid contact with potential customers. With this approach, you will fulfill the necessary requirement and be in compliance with ISO 13485:2016.
For more details on complying with the latest changes in ISO 13485 clause 7.2.3 Communication, see the following link
ISO 27001 makes use of a systematic management approach to help organizations:
Regarding controls specifically related to protection of information integrity, these are some examples:
These articles will provide you further explanation about ISO 27001:
These materials will also help you regarding ISO 27001:
I was trying to find the key stakeholders under GDPR. GDPR doesn't set a timeline on how long you must retain personal information of an employee, but what if we want to hold some of their information for auditing purposes, will this be allowed?
GDPR does not set any timeline for data retention because the needs may vary according to the kind of personal data that is processed. You need to remember that any personal data must be processed under the principles listed in Article 5 GDPR (data minimization, in particular). In some cases, Member States' legislation may set an obligation to keep documentation (i.e. bookkeeping records), so you need to verify first whether any internal regulation requires you to retain your employees' personal data for a certain period of time. If you want to process data for auditing purposes, you need to specify it in your employees' privacy notice.
Here you can find some information:
Who are the key stakeholders in a GDPR compliance project? https://advisera.com/eugdpracademy/blog/2018/09/24/who-are-the-key-stakeholders-in-a-gdpr-compliance-project/
How the GDPR could impact your HR department https://advisera.com/eugdpracademy/blog/2018/02/22/how-the-gdpr-could-impact-your-hr-department/
Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
Contents of the Data Protection Policy according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/contents-of-the-data-protection-policy-according-to-gdpr/
You can also consider enrolling in our free EU GDPR Foundation course: EU GDPR Foundations Course
Thanks for the clarification, it is informative.
I'm looking for information regarding supplier qualification to be compliant with ISO 13485.
While ISO 13485:2016 gives the medical device manufacturer a standard for complying with the necessary requirements to prove that the medical device is produced in a safe manner, ISO 9001 gives a more detailed view into the management process, especially business risks and defining the context and strategy of the organization.
Implementing both standards can contribute to better management of the whole company. However, some customers explicitly require ISO 9001.
For more information on the ISO 13485 structure and requirements, please read the article at the following link:
ISO 13485 structure and requirements https://advisera.com/13485academy/what-is-iso-13485/
For more information, please read the following article: What is ISO 9001? https://advisera.com/9001academy/what-is-iso-9001/
You need to prove that in the time from the calibration due date to the end of the month there is nothing wrong with your device. So in your rationale, you can state how often you use the device in that time (daily, weekly), whether the storage conditions of the equipment have changed, and whether you removed the equipment or not (if applicable to your type of calibration device). If you can prove that there are no risks in that time that can influence the accuracy of the calibration device, it will be a good rationale.
For more information on Calibration requirements in ISO 13485, please see the following article:
Calibration requirements in ISO 13485 https://advisera.com/13485academy/blog/2019/03/08/calibration-requirements-in-iso-13485/
If I understood you correctly, the perimeter of "Privileged Utility Programs" refers to where, or in which situations, you can use "Privileged Utility Programs" (programs that can change or bypass security features).
An example would be the use of Windows Update only in IT labs (where) during the hardening process (situation). This restriction will prevent regular users from installing patches not homologated by the organization on their machines.
Please note that the toolkit approach for implementation is to work through the documents in the order they are presented in the folders. You should not work on documents and clauses separately, nor work on some of the documents in parallel (this will only make things more complicated).
Since you will be working with a partner on the implementation, my suggestion is to divide the workload only for documents from Annex A.