According to the EU regulation, each manufacturer of medical devices needs to have implemented ISO 13485, no matter the size of the company. I know that it is sometimes hard to implement a quality management system for only 3 people, but it is doable and mandatory for the EU market.
In February this year, the FDA published the Quality System (QS) Regulation / Medical Device Good Manufacturing Practices, which has to align the requirements from the FDA to the requirements of ISO 13485:2016. For this reason, yes, our Documentation toolkit for ISO 13485 is in compliance with the FDA. Considering the MDR technical documentation part of the toolkit, there are differences between the FDA requirements and EU MDR 2017/745.
Differences are described in the following article: https://www.fda.gov/medical-devices/postmarket-requirements-devices/quality-system-qs-regulationmedical-device-good-manufacturing-practices
Thank you.
Yes, that's also a possible way of writing the quality system documentation. It is always recommended to involve practitioners because they have first-hand experience about what is being done every day.
ISO 27001 is a cybersecurity standard that contains some controls (safeguards) for the cloud, so most companies do include cloud assets in the scope when implementing this standard. In other words, if you have sensitive data in the cloud, it makes sense to include your cloud environment in the scope even if you do not go for ISO 27017.
ISO 27017 provides you with some extra controls for the cloud environment, but this does not mean that the cloud environment should be excluded if you do not go for this standard.
Your assumption is correct. Lack of internal audit is a major nonconformity because it is a mandatory requirement.
When a major nonconformity is found, the auditor does not need to stop the audit; however, he needs to inform the customer that it will not be possible to recommend the company for certification.
Regarding the suggestion of implementation training, although it is common to make such a suggestion, first you need to evaluate if the reason for failing to comply with a mandatory requirement was due to lack of knowledge about the implementation process, or other operational cause, such as lack of personnel or resources.
ISO 27001 does not prescribe a format for document creation, so you can use any format that fits your organization’s needs.
1. Should DC1 be excluded from the scope, and when?
From your question I'm understanding that only physical space will be rented.
Considering that, only physical space and its management should be excluded from the scope, by the time you move your assets to the rented space.
2. How to include systems hosted at DC3 in the Scope and under proper security control?
Since these systems (i.e., hardware and software) are already in the scope, as part of DC1, and DC3 is out of the scope, you need to state the systems in the scope, instead of stating the data center.
3. What will be the recommended scope statement due to the changes?
An example of changed scope is:
"Provision of IT services of the Data Centre Facilities at DC2 & remote managed systems at DC3 to the customers of ***."
Selling the idea of implementing ITIL should emphasize the high-level as well as "low-level" benefits.
Here are a few articles that could give you an idea of how to explain potential benefits (please note, some are ISO 20000 related, but the content fits perfectly with ITIL implementation):
I'm assuming that by HLS you mean High-Level Structure.
Considering that, please note that all ISO management systems reviewed/released since 2012 have the same basic structure:
This allows the standards to make use of similar requirements, which makes requirements mapping and integration easier.
Being certified against ISO 27001 does not ensure full compliance with SOC 2 Type 2.
Please note that ISO 27001 can help implement some SOC 2 requirements, but SOC 2 has requirements of its own that are not covered by ISO 27001.
From your question I'm assuming you are referring to the following training: foundations, internal audit, lead auditor, and implementer. Considering that, you should consider at least the Foundations course, to have an understanding of the standard's requirements, and internal audit, to know how to audit the standard.
The lead auditor and implementer courses are more related to those who want to have a career in ISO 27001.