1. In case we have to abide by requirements in several states because we are doing business with both, how should we handle these requirements in the context of ISO 27001 implementation?
First, these requirements must be included in the Register of Requirements module. After you include these requirements in this module, related controls will be identified as applicable in the Statement of Applicability module, and the responsible person for the requirement can define and upload the related implementation plan.
2. In case we have defined a security objective and we fail it (i.e., our target was to decrease the number of incidents, and we see that they have risen), will this hamper my possibility of obtaining the certification?
In case you evaluate that you have not achieved a security objective, this situation will affect your certification process only if no decision is made regarding how to handle this situation, or if actions related to such a decision are not implemented or do not have the expected results.
For further information, see:
3. How do we select a certification body?
Elements you should consider when selecting a certification body are at least these ones:
For further information, see:
The mandatory document for ISO 9001:2015 is the audit program. According to the standard, the company must plan, establish, implement and maintain an audit program that includes the frequency, methods, responsibilities, planning requirements, and reporting. The audit plan is the schedule of the audit which is conducted in one or more days.
For more information about the audit program, you can see the following materials:
You as a distributor need to be compliant with the MDR regarding how long you will keep the documents for the medical devices (10 years for all devices, and 15 years for class IIb implantable and class III). In the Medical device file, you need to have an EC certificate, Declaration of conformity, Label, and instructions for use, and in the case of devices that need installation and service, an installation and service manual.
First, it is important to note that the main clauses of ISO 27001:2013 (i.e., clauses 4 to 10) are still valid. The 2013 version of the standard was confirmed in 2019, and the new version of the standard, still expected to be published this year, will have modifications related only to Annex A.
Although the total number of controls has been reduced from 114 to 93, none of the old controls have been excluded (most of them have been merged), and there are only 11 new controls.
Considering that, in case you are currently compliant with ISO 27001:2013, your main effort will be on reviewing risks and legal requirements to check if these new controls need to be considered in your implementation.
The effort to transition to the 2022 revision is probably 10 to 20% of the time you needed to initially implement ISO 27001; alternatively, this effort can be circa 5% if you are using a tool like Conformio. Click here for more information: https://advisera.com/27001academy/iso-27001-transition-package/
For further information, see:
You asked "How do I put in place clauses 4.1.5 and 5.4 in the laboratory?"
To meet clause 4.1.5 requirements, a laboratory must use various operational activities such as audits, feedback from clients, evaluation of contracts and providers of services and products to identify risks to impartiality. Action must be taken to minimise or eliminate the identified risk, typically through a change in the process. For more information, see my response to a question Preparing risk analysis with regard to impartiality and confidentiality, at https://community.advisera.com/topic/preparing-risk-analysis-with-regard-to-impartiality-and-confidentiality
Clause 5.4 has two parts to the requirement. Firstly, a laboratory must implement a system that ensures all client contractual obligations and legal obligations (e.g. labour laws and occupational safety, health and environment laws) are met. Then, depending on the sector, the requirements of the ISO 17025 accreditation body, any certification body, and any other association, for example a professional body, must also be met and maintained.
The second part of the clause states that if a laboratory performs activities away from the main registered location, e.g. in the field or at a client's premises, it is the laboratory's responsibility to make sure these requirements are still met.
No, we do not have a Change control procedure per se. Change control is both covered in the Document management procedure and in the Management review. There is no strict requirement for the documented procedure in requirement 4.1.4 in the ISO 13485:2016.
Clinical trials are not covered by this toolkit because there is no requirement in the MDR for them to be a part of the Quality management system (Article 10 Obligations of manufacturers, Point 9). We have in our toolkit the necessary documentation for clinical evaluation.
In the Documentation toolkit, there is a record Appendix 2 Training record where performance monitoring is defined within 3, 6, and 12 months.
Thanks for the reply. Exactly, we are doing the same thing as what you mentioned. We buy final product and release on the market.
Thank you again for your time and effort, Kristina.
Even though for now you do not have classic sales, giving the license to another company and having some communication with them is part of the sales process. The sales process is not just the sale of the final product to the final users, but rather all communication that you have with the companies that use your service.
Therefore, you need the sales procedure, but it will be specific for you for the communication with the licensed company.
Yes, a new design file needs to be created for each version of the facility.
The treatment of the listed risks needs to be defined manually by the user when filling in the wizard. The wizard will only point out where in the document the customization needs to be done.
In this case, the customization needs to be done in section 3.4.
It needs to be performed manually because each organization may have its own way to treat the same list of risks.