
  • Questions regarding Technical files 13485/MDR

    1: Do we need a Technical File for outsourced products that are manufactured elsewhere?
    You need to have a technical file for products that you are placing on the market. If products that are manufactured elsewhere are part of your final device, yes you need to have all necessary documentation from that outsourced product in your technical file.

    2: Do we need a Technical File for products that we relabel?

    Again, the question is who places the product on the market. If by putting the label you state that you are a manufacturer, in that case you need to have the whole technical file. If by putting the label you state that you are a distributor, in that case you do not have proper Technical documentation, but rather a medical device file according to ISO 13485, requirement 4.2.3, which will then contain the EC certificate, instructions for use, information on installation/service and the like, depending on the type of product.

    3: Do we need a Technical File for products that we do not adapt or manufacture ourselves but that we buy and resell (as part of one of our products)?

    I believe that I have answered this in the previous two answers. If something else needs to be clarified, feel free to contact us.

  • Management Review

    ISO 45001 is an international standard, intended to be used by any organization, in any industry, anywhere in the world. As such, it is written to be flexible in nature, giving requirements that describe what needs to be, but not how to do it. So, the standard will not give details such as who does and does not need to be included in a management review; only that a management review needs to happen, certain data needs to be reviewed, and records need to be kept. In this case, not all organizations would have access to a doctor for this review, so the standard will not identify this as a requirement.

    So, it is up to your organization to determine who needs to be included in your management review. If you do have a doctor on site they may be a valuable asset to this process, but ISO 45001 does not require that a doctor take part.

    You can learn a bit more about how management review works in the article:

    • How to perform management review in ISO 45001 https://advisera.com/45001academy/blog/2018/11/15/how-to-perform-management-review-in-iso-45001/

  • Email Marketing GDPR

    You could contact B2B leads using your legitimate interest to foster a mutually beneficial business, according to Art 6 GDPR (Lawfulness of processing), paragraph 1 (f). I recommend performing a Legitimate Interest Assessment to determine whether the purpose is correct (identify the legitimate interest), whether the processing is necessary (evaluate other means that might be less invasive), and the balancing test (consider the individual’s interests, such as not wanting to be contacted). If you go through the Legitimate Interest Assessment and decide to contact your B2B leads, please make sure you add a disclaimer at the end of the email to allow them to opt out from further communication.

    Please consult these resources as well:

  • Risk Assessment Question

    You should always approach risk assessment with professional skepticism.

    For the impact, you need to take the worst-case scenario, i.e., what is the worst impact that can happen if the risk materializes. For likelihood, you have to assess how strong the current safeguards in place are, and how reliable this person is.

    These articles will provide you with further explanation:

    • Risk assessment methodology https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#section3
    • Risk assessment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

  • Air Traffic Control Technology

    It is correct that AS9100 Rev D includes all of ISO 9001:2015, with additional requirements for aerospace organizations. What this means is that if a company is certified to AS9100, they are also certified to ISO 9001 in the same certification because they meet all requirements. In fact, most certification bodies I have seen will list both standards on the certificate.

    As to the question of whether you should include AS9100 as a supplier requirement, this is completely determined by what you need to meet your customer and legal requirements. If you do not have a requirement from them to use only AS9100 certified suppliers for your Air Traffic Control products, I would hesitate to make this a requirement of your suppliers, as some of them may not comply with AS9100. If you wanted to include certification to ISO 9001 or AS9100 to make it clear that either is acceptable, this would be my recommended approach.

    You can learn a bit more about the differences in the standards in the article:

    • ISO 9001 vs. AS9100 https://advisera.com/9001academy/blog/2014/09/09/iso-9001-vs-as9100/

  • LEEA and ISO 17025

    I'm not clear on what you mean by “cover” and am not knowledgeable about what membership to the Association entails. ISO/IEC 17025 is the international standard that sets out the general requirements for the competent, impartial, and consistent operation of laboratories. Membership and/or certification by a sector-specific association typically involves the member meeting a level of compliance and competency based on the association's standards of practice. This provides confidence in the organization but does not equate to certification to an ISO standard such as ISO 9001, nor accreditation to ISO 17025, the competency standard for calibration and testing laboratories. There may, however, be processes and documentation that you have in place that could be built on if you wish to implement ISO 17025.

    For more information on ISO 17025, see What is ISO 17025? at https://advisera.com/17025academy/what-is-iso-17025/ and the white paper
    Clause-by-clause explanation of ISO 17025:2017 available at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025

  • Requirements for MSP Company Regarding Supplier Security Policy

    I’m assuming you are looking for accredited certification bodies.

    Considering that, please note that there is no central list of ISO 27001 certification bodies. The main certification bodies for ISO 27001 are:

    • BSI: https://www.bsigroup.com
    • Bureau Veritas: https://www.dnvgl.com/
    • DNV: https://www.dnvgl.com/services?ServiceTypes=136423
    • SGS: www.sgs.com/
    • TUV: www.tuv.com

    This article will provide you with further explanation about selecting a certification body:

  • Implementation of ISO 27001 already having a QMS (ISO 13485) in the company

    I agree with Rhand.

    Most clients I've dealt with usually combine their management systems such as ISO 27001 together with other management standards such as ISO 9001 and ISO 14001.

  • ISO 27001 Audit

    The absence of an HR manager would be a problem in an audit only in case this absence negatively impacts information security in an unacceptable way (e.g., the relevant information is lost or information security processes are interrupted), and you do not have a planned treatment for this situation.

    If there are no negative impacts to information security due to the HR manager's absence, or devised actions like formally designating a temporary substitute (that could be one of the junior employees or a manager from another area) have reduced the risks to acceptable levels, this absence wouldn’t be a problem in the audit.

    The best way to handle this situation is to include some kind of risk like “Loss of key personnel” in your information security risk management process and use the process to define whether the risk is relevant or not, and in case it is relevant, define proper actions to treat the risk.

    These articles will provide you with further explanation:

  • ISMS Roles and Organisation within Conformio

    Besides Top Management, ISO 27001 does not prescribe roles to be related to information security management, so organizations can define them as best fit their needs.

    Common practice is to attribute information security responsibilities to already existing roles in the organization (e.g., responsibilities for IT security designated to the IT manager, responsibilities for physical security designated to the operations officer, etc.).

    Conformio’s roles were designed considering the most common organizational roles (e.g., IT manager, HR manager, Finance manager, etc.).

    These articles will provide you with further explanation:
