Search results

Integrating ISO 27001 and ISO 13485

Unfortunately, we do not have this specific mapping available.

However, you can combine the information provided in ISO 13485 Annex B (which maps ISO 13485:2016 clauses to ISO 9001:2015 clauses) with the information provided in this free downloadable material to have a link between ISO 13485 and ISO 27001:

• ISO 27001 vs. ISO 9001 matrix (PDF) https://info.advisera.com/9001academy/free-download/iso-9001-2015-vs-iso-27001-2013-matrix

ISO 14001 and EIA

Yes, there is a relationship. EIA is used to determine and evaluate environmental impacts of products, processes, investments still in the project phase. So, an organization with an environmental management system when facing new products, new machines, new installations, as a good preventive practice should perform an EIA. It is another way of considering the life-cycle topic.

Please consider the following documentation about environmental aspects and impacts to go deeper in the topic:
Article - environmental aspects identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/knowledgebase/environmental-aspect-identification-and-classification/ 
Article - 4 steps in identification and evaluation of environmental aspects -https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/ 
Free webinar on demand - ISO 14001:2015 Identification and evaluation of environmental aspects -https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar/ 
Enroll for free in the course - ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-foundations-course/ 
Book - The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

Enforcing GDPR in the United States

The Supervisory Authorities in Europe cannot enforce the GDPR outside EU borders. However, if that entity has a representative in the EU, that representative will be responsible for any infringement of the GDPR by the US company.

If you want to find out more about the extraterritorial reach of the EU GDPR check out this EU GDPR Foundations course (https://advisera.com/training/eu-gdpr-foundations-course//)

Changes in kit manual or kit inset

Instruction for Use (IFU) for In-vitro medical devices (IVD) must have unique reference to identify the right version of the IFU. This reference should allow the user to retrieve the applicable IFU. Usually, this unique reference mark is in small letter size put somewhere in the corner of the IFU. Each time you change something in the IFU, you need to mark the new revision of the IFU. Changes are best to be documented through the change control process. According to the ISO 13485 4.2.4 c) you need to ensure to differentiate different versions of the documents, and h) to prevent unintended use of obsolete documents.

On the following link you can find information on what information must be in the IFU and what is the purpose of Unique reference number: https://ec.europa.eu/docsroom/documents/10293/attachments/1/translations

For more about what are common mistakes in ISO 13485 documentation control please read the following article: 

Common mistakes with ISO 13485:2016 documentation control and how to avoid them  https://advisera.com/13485academy/blog/2018/03/14/common-mistakes-with-iso-134852016-documentation-control-and-how-to-avoid-them/

Label printing validation

Following things need to be considered for label printing validation:

1. Print quality and durability (Printability of the design, Computer printer selection, Abrasion resistance; preprint and imprint, Chemical and solvent resistance)

1. Adhere samples to appropriate substrates at accepted sample size.

- ASTM D3330, Peel adhesion of PS material

- ASTM D5264, Sutherland abrasion and smudge resistance test

- ASTM F1319, Crockmeter abrasion and smudge resistance test

- ASTM F2252, Ink adhesion tape test

- ASTM F 2250, Chemical exposure, inks & coatings

- ASTM D4169, Distribution testing, “Shake, rattle, & roll”.

- ASTM F1980, Accelerated aging

However, with regard to the need for process validation, the label printing operation can be rendered "non-special" since the process output is fully verifiable through subsequent inspection. 

ISO 45001 Certification

When you ask about the need to certify to ISO 45001 you could mean one of two things, so I will answer both questions:

First, the ISO 45001:2018 standard has the option to either certify your OHSMS with an external organization, or to self-determine and self-declare conformance to the standard by the company. This could then be confirmed by interested parties or others; this is all captured in section 0.5, Contents of this document. What this means is that you can use the ISO 45001 requirements to implement an OHSMS at your organization, and then declare that you meet the requirements without having a third-party certification body audit your organization; you could not use the term certified though with self-declaration.

Second, if you are asking if there is a requirement to implement the ISO 45001 standard and create an OHSMS at your company, then this is something that you need to verify with your customer and legal requirements. If you have a customer or legal entity demanding this, then implementation is something you will need to do. ISO itself has no legal authority to impose these requirements on an organization, so you will need to verify your own industry, customer and legal requirements.

There are good reasons to implement the OHSMS even if not required, and you can read more about these benefit in the article: 4 key benefits of ISO 45001 for your business, https://advisera.com/45001academy/blog/2015/09/30/4-key-benefits-of-iso-45001-for-your-business/

Questions about certification

1. How many organizations implemented ISO 27001 and got certificated?

There is no way to rise information about how many organizations implemented ISO 27001 since it is not mandatory for organizations to publicize that they adopted practices of this standard.

Regarding information about ISO 27001 certified organizations, unfortunately, there is no central list of certified organizations (you must consult each certification body to track which companies are certified by them).

However, the ISO site provides an ISO survey where you can find general information about certifications, like total quantity, quantity per country, quantity industry, etc. It does not nominate organizations.

You can find this survey at this link: https://isotc.iso.org/livelink/livelink?func=ll&objId=18808772&objAction=browse&viewType=1

According to this survey, in 2018 we had a total of 31910 ISO 27001 certified organizations around the world.

2. How long to get ISO 27001 certification?

The duration of the implementation project varies according to many variables (e.g., available resources, experience with standard's requirements, top management involvement, etc.), but for small and medium-size organizations the implementation generally varies from 3 to 12 months.

To get an insight into the time duration for your organization, please access our ISO 27001/ISO 22301 Implementation Duration Calculator at this link: https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/

This article will provide you a further explanation about the implementation process:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

3. How much cost for ISO 27001 certification?

There are a significant number of variables to be considered when estimating an implementation cost, so without more detailed information, it's not possible to precise a value. What I can tell you are some cost issues you should consider:
- Training and literature
- External assistance
- Technologies to be updated/implemented
- Employee's effort and time
- The certification process

Regarding ISMS maintenance costs, the above-mentioned costs also have to be considered, but at different levels, and you have to add the surveillance audit costs for certification maintenance.

These articles can provide you more information:
- How much does ISO 27001 implementation cost? https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
- 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/19/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/
- How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project/

Business continuity and ISO 27001

ISO 27001 requirements regarding business continuity are covered by section A.17 of its Annex A (Information security aspects of business continuity management), and they are mostly related to IT disaster recovery.

ISO 27001, like other management standards, does not prescribe how to implement solutions, only what must be implemented, and this approach makes it easier to integrate these controls with practices of other standards, like BIR 31111 & ISO 22301.

These articles will provide you a further explanation about business continuity and ISO 27001:
- How can ISO 27001 and ISO 22301 help with critical infrastructure protection? https://advisera.com/27001academy/blog/2017/09/25/how-can-iso-27001-and-iso-22301-help-with-critical-infrastructure-protection/
- How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/

Template content

We have received an additional question: 

Let me rephrase the question. We created/developed our BCP. Now what?

For parts of your BCP that requires the availability of previous infrastructure, equipment or services to support the plan (e.g. you may need a secondary site with servers and software already deployed, with available communication link), you should treat this arrangements as a project, and for that, you can use as a model for guidance the Project Plan located on this link: https://info.advisera.com/27001academy/free-download/project-plan-for-iso-27001-iso-22301-implementation

Additionally,  after making all the arrangements that are the basis for executing the BCP, you need to do exercising and testing, and for that, I suggest you take a look at the demo of our Exercising and Testing Report at this link: https://advisera.com/27001academy/documentation/form-exercising-and-testing-report/

For further information,  please read:
- How to perform business continuity exercising and testing according to ISO 22301 https://advisera.com/27001academy/blog/2015/02/02/how-to-perform-business-continuity-exercising-and-testing-according-to-iso-22301/

ISO 9001 and inspection

ISO 9001:2015 does not require 100% inspection. Unless that is an explicit or contracted customer requirement it is not usual to perform 100% inspection.

First, analyze your current performance: What is the level of defects? Can you identify trends? Are there any defect-types more common than others? Are there any day of the week, line of production, type of product, shift, … more prone to defects? Does your organization follow statistical process control to monitor process performance?

If your organization cannot accept present level of defects it must engage in one or more quality improvement project(s).

Some organizations use sampling plans based on an ISO standard (ISO 2859-1) to conclude with a certain level of certainty the quality of a lot based on a sample. So, instead of 100% inspection, your organization will design a quality control and/or a process control plan(s) in order to monitor performance and act when needed.

Some organizations with very low defects level instead of inspection do what they call a product audit. For example, they go to the warehouse, pick a package ready to go and they start with the box, the labels, the way the product was put in the box, then analyze the product. Of course they inspect the product but if they find any non-conformity their main concern is with what is not working in their process that allows this to happen.

The following material will provide you more information about inspection:

- Article - Making the best out of ISO 9001 Quality Plan - https://advisera.com/9001academy/blog/2015/12/08/making-the-best-out-of-iso-9001-quality-plan/- Article - How to establish QMS Statistical Process Control according to IATF 16949 - https://advisera.com/16949academy/blog/2017/08/30/how-to-establish-qms-statistical-process-control-according-to-iatf-16949/- Article - How to use quality control tools to improve your QMS - https://advisera.com/9001academy/blog/2017/04/18/how-to-use-quality-control-tools-to-improve-your-qms/- Free webinar on demand - Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/