Search results


  • Report writing for certification

    We've received additional questions:

    > 1. Hi, I need further information about ISO 13485 report writing. How many reports should be given to the client for one certificate ISO 13485?

    Answer:
    I assume that by "how many reports should be given to the client for one certificate ISO 13485" you mean how many reports the certification body provides to the client after the certification audit is finished. If that was your question, then this is the answer to it.
    - The number of reports depends on the Certification body rules. Some certification companies have one report, while others have two: Management Summary and List of findings.

    If I misunderstood the question, can you please provide some clarification? Thank you in advance.

    > 2. Lead auditor must be responsible to prepare the report, but how about the technical expert part?

    Answer:
    Lead auditor is responsible for preparing and finalizing the report. Technical expert fulfills only the part that is related to the area that he audited.

    > 3. Does it make sense if the audit and report (summary certification report) shall be covered by only one auditor?

    Answer:
    Yes, the audit report can be covered only by Lead auditor. He is responsible for it. But, if there is a Technical expert in the audit team, it should be mentioned somewhere in the report.

    For more details on what the certification process looks like, what the phases of the certification audit are, what the auditor can and cannot do, and how to solve non-conformities from the certification audit, please take a look at the following material:
    What to expect at the ISO certification audit: What the auditor can and cannot do
    https://info.advisera.com/free-download/what-to-expect-at-the-iso-certification-audit
  • Electronic signature for ISO 13485 documentation


    Answer:
    Simple Adobe sign is enough. ISO 13485 does not dictate the form of signature used. Companies can use electronic documents even without digital signature, it is sufficient to prove that the authorized person has approved them through email or document management system.
  • Medical device file structure


    Answer:
    There is no template for the Medical device file because its content is defined by the Medical Devices Directive 93/42/EEC (https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:1993L0042:20071011:EN:PDF). The Directive states which documents are required. A Medical device file template is quite hard to do because there are a great many different things that are considered medical devices: from spoons for giving antibiotics through a variety of software, infusion tubes, gauze and covers for surgery to artificial hearts.

    Medical device files include descriptions of design records, manufacturing processes, product specifications, device usage guides, quality measurement criteria, levels of compliance with regulatory bodies and quality standards, and, if required, servicing and installation records and their guidelines. For more details on how to prepare a medical device file, see the following link: https://advisera.com/13485academy/blog/2017/06/28/how-to-meet-iso-13485-requirements-for-medical-device-files/
  • Legal requirements and security awareness

    Although the call was very interesting for us, some new questions are still emerging and we would like to get support from emails. I will start with two questions:

    1. When I'm looking for my suppliers and they only have EU-U.S. Privacy Shield, Swiss-U.S. Privacy Shield accreditations for information privacy, is that enough assuring compliance with ISO 27001? And what about SOC2 and SOC 3?

    Answer: Considering ISO 27001, your suppliers need to be compliant with the legal requirements your own organization must be compliant with regarding information security, if they will have access to information in the scope of your ISMS. Considering that, if your organization must be compliant with SOC2 and SOC3, and your suppliers will have access to information related to these two requirements, then your suppliers will also have to be compliant with SOC2 and SOC3. If this is not the case, then your suppliers do not need to be compliant with such legal requirements.

    2. Now talking about security awareness for all employees, is the confirmation that all employees watched a series of security awareness videos (like the ones in Advisera eTraining) enough for being compliant with ISO 27001 A.7.2.2?

    Answer: Regarding awareness, a confirmation that an employee has watched security awareness videos will be sufficient to comply with control A.7.2.2. But you must note that this control also covers training and education, and for these, evaluations of improvement after the training or education activities are also required.

    This article will provide you further explanation about awareness and training:
    - How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
  • ISO 27005 and ISO 27001


    Answer:

    ISO 27005 is a supporting standard to ISO 27001, detailing how to implement risk management for information security (basically covering ISO 27001 clauses 6.1.2 and 6.1.3).

    Considering that, if you already defined a risk assessment and treatment process for your ISMS, then you have to evaluate if your defined approach is compliant with ISO 27005, and make proper adjustments. If you have not defined your risk assessment and treatment process yet, then you only need to follow ISO 27005 recommendations for each step of ISO 27001 clauses 6.1.2 and 6.1.3.

    This article will provide you further explanation about implementing risk management:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    If you want to see what a risk management process compliant with ISO 27005 looks like, I suggest you take a look at the free demo of our ISO 27001/ISO 22301 Risk Assessment Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/
  • IT Service Management implementation


    Answer:
    Depending on the organization (implementing ITSM) as well as process maturity, there are many elements that must "fit" so that ITSM is implemented (which could be very broadly interpreted, anyways).
    So, here are a few items that must be in place, adapted to the services you provide and managed:
    - processes
    - organization
    - tool(s)/technology
    - partners

    Each of these elements must fit for purpose, be mature and be managed.
    Here are a few articles that will give you a hint on how to start:
    - Ready, steady… go – Starting ITIL implementation https://advisera.com/20000academy/blog/2014/06/10/ready-steady-go-starting-itil-implementation/
    - 7 effective strategies to gain employee buy-in for ISO 20000 implementation https://advisera.com/20000academy/blog/2017/09/05/7-effective-strategies-to-gain-employee-buy-in-for-iso-20000-implementation/

    This free webinar can help you speed up the implementation: "How to use a Documentation Toolkit for the implementation of ITIL / ISO 20000" https://advisera.com/20000academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-itil-iso-20000-free-webinar-on-demand/
  • Start rolling a plan for the implementation of an IMS

    Answer:
    I recommend an approach like this one:
    1. Why does your organization exist? It exists to offer dairy products. Consumers buy dairy products from your company's clients, and they pay your company for the supplies. So, I start by determining who the interested parties are, what they want/need from your company, and what your company wants/needs from them.
    2. Draw a model of how your organization works based on the process approach. I use this model as the anchor because the company only exists because of clients and consumers.
    3. Assess your company's environmental aspects and impacts based on your processes, products and services. Later, when you decide how to handle the relevant environmental aspects, consider what kind of changes or controls should be introduced or improved in each process. This is important because you want to have an IMS; you don't want people to wear different hats if they are working on quality, environment or health and safety. You want people to do their work and, while doing their work, produce good products, minimize environmental impacts and do it safely.
    4. Do the same for health and safety.
    5. Previous steps will help you develop the operational side of the IMS.
    6. Now, you have to develop the strategic side: consider strategic orientation, the context and risk analysis, a common policy and objectives, and your action plans.
    7. Develop a monitoring and control plan.
    8. Perform internal audits and a management review.

    The following material will provide you more information about integrated management systems:
    - How to implement integrated management systems – https://advisera.com/articles/how-to-implement-integrated-management-systems/
    - Free webinar – How to integrate ISO 9001:2015 and ISO 14001:2015 – https://advisera.com/9001academy/webinar/how-to-integrate-iso-90012015-and-iso-140012015-free-webinar-on-demand/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Enroll for free course - ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - ISO 9001, ISO 14001 and ISO 45001 Integrated Documentation Toolkit – https://advisera.com/9001academy/iso-9001-iso-14001-iso-45001-integrated-documentation-toolkit/
    - book – THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business – /books/the-iso-14001-2015-companion/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Scope determination


    Answer

    An organization can have several lines of products, can have different markets, can provide different services. Once an organization decides to implement a quality management system (QMS) and certify it, the organization is not obliged to integrate all those services, lines and products under the QMS and subject all activities to certification. Deciding the scope of the QMS is not a technical decision, it is a management decision.

    The certificate describes the scope of the QMS in order to avoid misleading any interested party. If financing services are very important for your organization’s offer perhaps it is useful to integrate them in the list.

    The following material will provide you more information about scope definition:
    - ISO 9001 – How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Getting clients as consultant


    Answer:

    When people ask me: how do I get clients as consultant? I draw the following picture:

    https://www.screencast.com/users/ccruz5284/folders/Default/media/d7757910-6e7d-4700-8cea-94c64790b56a

    People must be aware of your existence and must be aware of your competence, and trust your competence. I wrote a blogpost precisely for people like you facing the challenge of starting a business as consultants.

    The following material will provide you information about getting clients as a consultant:
    - How to get new clients for your ISO 9001 consultancy - https://advisera.com/9001academy/blog/2019/03/05/how-to-get-new-clients-for-your-iso-9001-consultancy/
    - Free webinar – How to sell ISO consulting services - https://advisera.com/9001academy/webinar/how-to-sell-iso-consulting-services-free-webinar-on-demand/
    - Free online course - ISO 14001:2015 Lead Implementer Course - https://advisera.com/training/iso-14001-lead-implementer-course/
  • Alternatives for implementing a QMS


    Answer
    I start with a question: is there any relevant advantage for your company in being ISO 9001 certified? An organization can implement a quality management system according to ISO 9001 at its own pace and not advance to certification. However, if certification can give your company a boost in credibility and image, particularly among potential clients, then perhaps it is worth getting it. During the implementation year you will need 60/80% of a person's time as project leader. So, you can get the help of a consultant, you can hire a quality manager/project leader with previous experience in implementation projects, or you can hire someone to be the quality manager, even without experience, and train him or her on ISO 9001 and get help with documentation from a toolkit.

    Please check the following material, Advisera developed these kinds of products/services with organizations like yours in mind:
    - Article – Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
    - Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - ISO 9001:2015 Documentation Toolkit - https://advisera.com/9001academy/iso-9001-documentation-toolkit/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/