You asked "How do I put in place clauses 4.1.5 and 5.4 in the laboratory?"
To meet clause 4.1.5 requirements, a laboratory must use various operational activities such as audits, feedback from clients, evaluation of contracts and providers of services and products to identify risks to impartiality. Action must be taken to minimise or eliminate the identified risk, typically through a change in the process. For more information, see my response to a question Preparing risk analysis with regard to impartiality and confidentiality, at https://community.advisera.com/topic/preparing-risk-analysis-with-regard-to-impartiality-and-confidentiality
Clause 5.4 has two parts to the requirement. Firstly, a laboratory must implement a system that ensures all client contractual obligations and legal obligations (e.g. labour laws and occupational safety, health and environment laws) are met. Then, depending on the sector, the requirements of the ISO 17025 accreditation body, any certification body, and any other association, for example a professional body, must also be met and maintained.
The second part of the clause states that if a laboratory performs activities away from the main registered location, e.g. in the field or at a client's premises, it is the laboratory's responsibility to make sure these requirements are still met.
No, we do not have a Change control procedure per se. Change control is covered both in the Document management procedure and in the Management review. There is no strict requirement for a documented procedure in requirement 4.1.4 of ISO 13485:2016.
Clinical trials are not covered by this toolkit because there is no requirement in the MDR for them to be a part of the Quality management system (Article 10 Obligations of manufacturers, Point 9). We have in our toolkit the necessary documentation for clinical evaluation.
In the Documentation toolkit, there is a record, Appendix 2 Training record, where performance monitoring is defined at 3, 6, and 12 months.
Thanks for the reply. Exactly, we are doing the same thing as what you mentioned. We buy final product and release on the market.
Thank you again for your time and effort, Kristina.
Even though you do not currently have classic sales, giving the license to another company and having some communication with them is part of the sales process. The sales process is not just the sale of the final product to the final users, but rather all communication that you have with the companies that use your service.
Therefore, you need the sales procedure, but it will be specific for you for the communication with the licensed company.
Yes, a new design file needs to be created for each version of the facility.
The treatment of the listed risks needs to be defined manually by the user when filling in the wizard. The wizard will only point out where in the document the customization needs to be done.
In this case, the customization needs to be done in section 3.4.
It needs to be performed manually because each organization may have its own way to treat the same list of risks.
1. Should I write the exact listing of all the information assets covered?
2. Should I write the exact list of the information provided?
3. Should I write the exact list of applications / software covered?
4. Should I write the exact list of the physical offices covered?
5. Should I write the exact listing of the databases covered?
6. Should I write the exact list of websites / mobile applications covered?
7. If I want to include all the information assets of my organization, is it sufficient to write: "The scope of the ISMS covers all the information assets of the Organization", or do I have to be explicit by detailing all the information assets?
This answer applies to questions 1 to 7.
The ISMS scope is normally defined in terms of general information (e.g., business information, customer information, R&D information, etc.), processes (SW development process, customer support process, sales process, etc.) or location (e.g., headquarters, an office, a building, etc.) to be protected, so you do not need to include assets in the definition of the ISMS scope.
8. I have virtual machines on Microsoft Azure that run critical applications. Should I specify that the scope only covers the applications installed on these virtual machines on Microsoft Azure, or should I also include the virtual machines and their contents?
When dealing with cloud services, you need to include in the ISMS only the elements you are responsible for. The other elements can be left out of the scope.
In this case, if you control the virtual machines (i.e., their maintenance and operation), then you need to include them in the ISMS. If not, you only need to include the applications in the ISMS scope.
9. We currently have corporate mail with GOOGLE, and mail is a critical asset in our organization. Should I also include it in the scope if it is a service provided by a third party? What considerations do you have regarding the wording in the link for this kind of service?
In this case, since GOOGLE provides email as a service, you need to include in the ISMS scope only the email data.
10. Currently we send our customers emails and mass newsletters that contain important business information. These emails and newsletters are sent through a provider's software; should I also include it in the scope as a service provided by a third party? What considerations do you have regarding the wording in the link for this kind of service?
In the ISMS scope, you need to include the reference to the data, and mention that related services are provided by third parties.
No, it means that you can sell all products. Class I must be in compliance with the MDR from May 2021. So, you have a very good client that follows everything necessary.
First, it is important to note that the article linked to the template is only a starting point (it is updated by contributions from our readers and may not be fully up to date). Our recommendation is for you to seek local legal advice so they can help you identify other legal requirements you need to consider for your ISO 27001 implementation (e.g., local laws and regulations).
ISO 27001 does not prescribe how long the list of Legal, Regulatory, and Contractual requirements must be. It is likely your list will be short, since transportation companies are normally not subject to security regulation, but they might have some privacy regulations that are applicable.
For further information, see:
How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301/
How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/