
  • 8.5.5 Post-delivery activities

    Consider the example of a small manufacturing company that wants to sell its branded product through a big wholesaler chain. Most certainly, in this case, the relevant clause is 8.2. The wholesaler has all the power and will pay a price for each order.

    If the manufacturing company pays directly to the channel partner a kind of rent to “own” a shelf to display the product to consumers then the relevant clause is 8.4.

  • ISO 9001 and strategic direction

    ISO 9001:2015 mentions "strategic direction" in clauses 4.1, 5.1.1b), 5.2.1 a) and 9.3.1.
    ISO 9000:2015 defines strategy as "plan to achieve a long-term or overall objective".

    Once an organization defines its strategy it actually establishes a set of rules about what to do and whom to serve, and about what not to do and whom not to serve. Adopting and following those rules sets a path, an orientation, a direction: the strategic direction. 

    For example, if an organization decides to serve customers that value the lowest price above all, it has to concentrate on efficiency, on volume, on big orders, and look for process innovations that reinforce those topics. Another organization, in the same economic sector, may decide to serve customers that value innovation or design above all. These organizations are different, require different processes or are managed with different priorities in mind.

    Please check these two free webinars on-demand where we relate quality policy and indicators

    Below, you can find more information about quality objectives:

  • List of regulatory, contractual and other legal obligations

    Regarding your template, we apologize for the inconvenience. The original template in English has the following links:

    • https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
    • https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
    • https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//

    Regarding the other templates, we will check the links that need to be updated and send the correct links to you as soon as possible, without additional costs.

    If you have any more urgent needs related to links, you can send us the specific links.

    Regarding how to fill out the spreadsheet, here is an example:

    A customer has a service level agreement with your company which defines, in clause 32-b, that in case of a disruptive incident, access to information system ABC must be restored to at least 30% of normal capacity in no more than 24 hours. In this case, the person responsible for system ABC is responsible for ensuring the system's compliance with this requirement. Then your document would be like this:

    Interested party: Customer Jon
    Requirement: Clause 32-b (recovering access to system ABC to at least 30% of normal capacity in no more than 24 hours)
    Document: Service level agreement
    Person responsible for compliance: System ABC administrator
    Deadline: 24 hours after the occurrence of a disruptive incident which makes access to system ABC unavailable

  • RACI MATRIX ISO 27001

    In order to establish the responsibilities of ICT and Information Security, I would like to know if perhaps you have already prepared this type of document, please. Thank you very much.

    From your question it is not clear what the role of ICT is regarding information security (whether it leads the process or is an interested party). Anyway, you can use the template in this article:
    - RACI matrix for ISO 27001 implementation project https://advisera.com/27001academy/blog/2018/11/05/raci-matrix-for-iso-27001-implementation-project/

    https://www.screencast.com/t/GxZxpDfMhaJ

    In case ICT leads the project, you can change the term "Project team" to "ICT" in the related Role column. On the other hand, if ICT is an interested party, you do not need to make any adjustments regarding this.

  • SAR REQUEST UNDER GDPR

    To perform the Subject Access Request (SAR), you may need Google Takeout, which helps users to deal with their rights: https://takeout.google.com/

    Otherwise, if you need to ask for the removal of some information or content with your personal data, you can send a request to Google through this form: https://www.google.com/webmasters/tools/legal-removal-request?complaint_type=rtbf&hl=en&rd=1&pli=1

    ICO (the UK Data Protection Authority) developed a guide on how to file a Subject Access Request: https://ico.org.uk/your-data-matters/your-right-to-get-copies-of-your-data/preparing-and-submitting-your-subject-access-request/

    If you need more information about GDPR in general, you may consider following our free Foundation course: EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

  • Medical Device Family

    According to both the MDD and MDR, you have a case of a medical device group or family. You can have one set of technical documentation for the group of medical devices with a description of a complete list of the various configurations/variants.

    To see how to structure the Technical file according to MDR, see this Technical file template: https://advisera.com/13485academy/documentation/technical-file-template/

  • TPM implementation

    Our Toolkit documents do not contain details about the TPM application. But according to my knowledge and experience, I can provide some details about TPM activities.

    There are 16 types of loss in GEMBA (production area). These losses are:

  • Machine failure
  • Set up and adjusting
  • Tool change
  • Start-up
  • Minor stoppage
  • Speed
  • Defect and rework
  • Shutdown
  • Management
  • Motion
  • Line organization
  • Logistic
  • Adjustments
  • Loss of energy
  • Die and tool
  • Yield

    You can make improvements for these losses by creating 8 pillars from the organization. The eight pillars of TPM are mostly focused on proactive and preventative techniques for improving equipment reliability.

    These pillars and duties are: 

  • Autonomous Maintenance: Places responsibility for routine maintenance, such as cleaning, lubricating, and inspection, in the hands of operators.

  • Planned Maintenance: Schedules maintenance tasks based on predicted and/or measured failure rates.

  • Quality Maintenance: Design error detection and prevention into production processes. Apply Root Cause Analysis to eliminate recurring sources of quality defects.

  • Focused Improvement: Have small groups of employees work together proactively to achieve regular, incremental improvements in equipment operation.

  • Early Equipment Management: Directs practical knowledge and understanding of manufacturing equipment gained through TPM towards improving the design of new equipment.

  • Training and Education: Fill in knowledge gaps necessary to achieve TPM goals. Applies to operators, maintenance personnel and managers.

  • Safety, Health, Environment: Maintain a safe and healthy working environment.

  • TPM in Administration: Apply TPM techniques to administrative functions.

    My advice is, instead of installing these 8 pillars at the same time, to start TPM studies with Autonomous Maintenance and Planned Maintenance activities, choosing pilot machines or lines. For more information, I recommend you review TPM books or get training on TPM.

  • Auditing Biomedical service providers

    If I understand correctly, you are asking about biomedical equipment that is used in production and/or service of medical devices. If that is so, the minimum and mandatory criteria according to both the Medical device directive (MDD 93/442/EEC) and the Medical device regulation (MDR 2017/745) are that any laboratory used to prove compliance of the medical device with a certain requirement must be accredited. So, you need to ask for the accreditation certificate of that company and check whether your equipment test is on the method list.

    For more information on what the EU MDR is (EU MDR – Easy-to-understand basics), please read the following article: https://advisera.com/13485academy/what-is-eu-mdr/

    According to ISO 13485:2016, companies that provide service of medical devices also need to be certified according to ISO 13485:2016.

    On this link you can find Clause-by-clause explanation of ISO 13485:2016: https://info.advisera.com/13485academy/free-download/clause-by-clause-explanation-of-iso-13485

    Qualification of the personnel who performed and signed the calibration certificate is covered and reviewed during the accreditation audit. Usually, companies that perform calibration services are accredited according to ISO 17025:2017 for a particular method, so a Certificate of accreditation is also necessary as proof that the calibration process is done properly.

    You can find out what ISO 17025 is at the following link: https://advisera.com/17025academy/what-is-iso-17025/

    Each piece of equipment has its own standard under which it should be calibrated. There are different standards for scales, for thermometers, for hygrometers, for pressure and so on. The standard under which calibration equipment needs to be calibrated must be stated on the calibration certificate. The annex to each calibration certificate is a certificate of the standard gauge with which the calibration is done.

    For more information about calibration requirements in ISO 13485, please read the following article:
    Calibration requirements in ISO 13485 https://advisera.com/13485academy/blog/2019/03/08/calibration-requirements-in-iso-13485/


  • Annex A

    It is not mandatory to implement all 114 controls of Annex A of ISO 27001:2013; you only need to implement those that you need to reduce the risks identified during the risk assessment (or those that are related to legal, contractual requirements, etc.).

    This article will provide you further explanation about the selection of controls:

    These materials will also help you regarding ISO 27001:

  • Internal Audit

    I'm assuming that by AVP you mean "Assistant Vice President".

    Considering that, the person to approve the Internal audit must be the one in the highest position in the ISMS scope (i.e., the person most interested in the ISMS results). It should not be the person with responsibilities for the operation of information security (e.g., CSO or CISO) because this would be a situation of conflict of interest.
