
  • Supplier qualification

    I'm looking for information regarding supplier qualification to be compliant with ISO 13485.

  • Application of integrated ISO 9001 and ISO 13485

    While ISO 13485:2016 gives the medical device manufacturer a standard for being in compliance with the necessary requirements to prove that the medical device is produced in a safe manner, ISO 9001 gives a more detailed view into the management process, especially business risks and defining the context and strategy of the organization.

    Implementing both standards can lead to better management of the whole company. However, some customers explicitly require ISO 9001.

    For more information on the ISO 13485 structure and requirements, please read the article at the following link:
    ISO 13485 structure and requirements https://advisera.com/13485academy/what-is-iso-13485/

    For more information, please read the following article: What is ISO 9001? https://advisera.com/9001academy/what-is-iso-9001/

  • Calibration Intervals

    You need to prove that in the time from the calibration due date to the end of the month there is nothing wrong with your device. So in your rationale, you can state how often you use the device in that time (daily, weekly), whether the storage conditions of the equipment have changed, and whether you removed the equipment or not (if applicable to your type of calibration device). If you can prove that there are no risks in that time that can influence the accuracy of the calibration device, it will be a good rationale.

    For more information on Calibration requirements in ISO 13485, please see the following article:
    Calibration requirements in ISO 13485 https://advisera.com/13485academy/blog/2019/03/08/calibration-requirements-in-iso-13485/

  • A.9.4.4 Use of Privileged Utility Programs

    If I understood you correctly, the perimeter of "Privileged Utility Programs" refers to where, or in which situations, you can use "Privileged Utility Programs" (programs that can change or bypass security features).

    An example would be the use of Windows Update only in IT labs (where) during the hardening process (situation). This restriction will prevent regular users from installing patches not homologated by the organization on their machines.

  • Advice on dividing workload

    Please note that the toolkit approach for implementation is to work on the documents in the order they are presented in the folders. You should not work on documents and clauses separately, nor work on some of the documents in parallel (this will only make things more complicated).

    Since you will be working with a partner on the implementation, my suggestion for you is to divide the workload only for documents from Annex A.

  • Conformio dashboard

    1. What does "Determine required communication" mean, and how do we show compliance?

    Answer: ISO 27001, clause 7.4, requires a definition of internal and external communication needs relevant to the ISMS (e.g., what to communicate, to whom, when, by whom, etc.), but since the standard does not prescribe how to implement that, organizations are free to choose the approach that best fits them.

    Depending on the size of the organization and its security objectives, the communication needs may be fully documented as a separate document or simply stated in a few sentences within other policies, procedures, and plans (the last one is the approach adopted in our toolkits).

    This article will provide you with further explanation about the communication plan:
    - How to create a Communication Plan according to ISO 27001 https://advisera.com/27001academy/blog/2014/10/27/how-to-create-a-communication-plan-according-to-iso-27001/

    2. How do we show compliance with "introduce no-blame security culture"?

    Answer: Please note that "introduce no-blame security culture" is not a requirement of the standard, but a good practice to support leadership and commitment (e.g., to direct and support persons to contribute to the effectiveness of the ISMS).

    One way to demonstrate that this culture is implemented is by evidencing nonconformities and security incidents reported by employees, because this will show that employees are not afraid to report those even if they are the ones that have caused them.

    This article will provide you with further explanation about the communication plan:
    - Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/

  • Control A7.1.1

    From your question, it is not clear whether the law you are referring to demands screening, or defines restrictions on screening.

    Considering that, in case you identify a need to implement control A.7.1.1, but this implementation has legal limitations, you have to state in the SoA that this control is applicable with limitations, briefly explaining the exceptions. An example of a justification where you have a legal requirement demanding the control (e.g., a customer contract), but you also have another legal requirement defining limitations on its applicability would be "Control required by Customer contract ABC, limited by Brazilian Consolidation of Labor Laws (CLT)".

    This article will provide you with further explanation about applying security controls:

  • ISO 22301 planning phase

    I'm assuming you are asking for the elements to be considered when planning the implementation of ISO 22301.

    Broadly speaking, you must consider:

    • obtaining management support
    • identification of legal requirements
    • development of a business continuity policy and objectives
    • development of basic document management system
    • development of business impact analysis and risk assessment and treatment methodologies

    With these implemented, you will have a solid foundation to implement ISO 22301.

    This article will provide you with further explanation about the ISO 22301 implementation steps:

    This material will also help you with the ISO 22301 implementation:

  • Internal QMS Audit Checklist for IATF 16949

    Yes, the Quality Management System Internal Audit Checklist at Advisera's link covers both the ISO 9001:2015 and IATF 16949:2016 standards.

    Please visit the address below for detailed information:

    Internal audit checklist: https://advisera.com/16949academy/documentation/internal-qms-audit-checklist/

  • ISO 14001 and COVID-19 emergency

    COVID-19 in itself has nothing to do with ISO 14001. COVID-19 affects humans, not the environment. What can happen is that, due to COVID-19, new kinds of wastes can appear, and new waste segregation rules may be applied.

    For example:

    • Are there any recommendations or changes to the rules for disposing of existing wastes?
    • How should new wastes like used masks and gloves be treated?
    • What about the use of disposable cups and other single-use materials?

    In any of these situations one may have to determine:

    • New environmental aspects and impacts;
    • New or revised procedures for sorting and identifying wastes;
    • New waste operators for contaminated wastes.

    Even if your organization does not provide documented procedures, it must provide training in the new practices.
