Search results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • Timing requirements for quarantine areas and non conforming areas

    ISO 9001:2015 does not include any concrete requirement regarding the timing for closing a non-conformity. However, clause 8.7.1 includes this "prevent their unintended use or delivery" which can be used by an auditor to raise the risk that a long-term nonconformity in the quarantine zone could be confused with conforming product and be treated as such. Of course, this will depend on the fragility of the means of identifying non-conformities and on the greater or lesser capacity for effective segregation of the quarantine area. A padlocked zone is safer than a zone simply marked on the floor. Long stays in the quarantine zone can be a symptom of a deficient capacity to deal with non-conformities.

     

    The following material will provide you information about nonconformities:

  • Accessories to Medical Device

    Yes, both electrodes and cable are accessories. 

  • ISO 13485 Certification in company without manufacturing processes

    Yes, it is possible to certify a company with outsourced production of devices. Actually, it is rather common these days. Company A first has to have a proper quality agreement with company B. In this agreement will be stated all mutual responsibility.   

    The most important thing is that Company B undertakes to carry out production as Company A tells it and in accordance with the necessary regulations. If Company B does not have any of the documents according to ISO 13485, either Company A or Company B must prepare them.  Next, it is important to define who is responsible for what - for ordering bulk materials, for control points, releasing the product, and the like.   

    The next important item is that Company B agrees to the audits that will be conducted for Company A on the premises of Company B. These are both announced audits and unannounced audits.

    All these elements, as well as some others, are included in the Quality agreement and are in our toolkit: 

    https://advisera.com/13485academy/documentation/quality-agreement-for-subcontractor/

  • GDPR intermediary

    The professional, when using third-party tools, acts as a Data Controller and must make sure that it understands the fact that it needs to respect the relevant data protection legislation. If this legislation is GDPR, the professional must understand Calendly’s Terms and Conditions and determine whether Calendly is a Data Processor or a Data Controller, by assessing it’s level of autonomy in establishing the scope and means of personal data processing. Once the role is established, the professional needs to sign either a Data Processing Agreement, as requested by article 28 GDPR - Processor, a joint controller agreement as requested by article 26 GDPR – Joint controllers, or a controller to controller data processing agreement. Also, it should establish if the consent is the best legal ground for processing, or other legal grounds for processing should be established, per article 6 GDPR – Lawfulness of processing.

    More details here:

  • Is Conformio for us?

    In the context of offices in different countries in case you need documents defining global information security rules (applicable to all offices) and documents defining local rules (according to local legal requirements and/or relevant risks), Conformio up to this moment does not have such feature. The Backup Policy and the Access Control Policy are possible examples.

    In terms of the number of people, in case you need different people to approve the same document this feature is not available (you only can have multiple reviewers).

    In any case, you can try Conformio for free for a 14-day period and test its features to see if it can fulfill your needs.

  • Question about ISO-27001

    1 - Would it be acceptable to rent a bare office where no actual work happens? Wouldn't that mean that risks at the office location are being minimized or eliminated altogether and that the security control A.11 (physical and environmental security) becomes non-applicable?

    If no actual work happens in this office, it wouldn’t make sense for the auditor, so probably this alternative wouldn’t be acceptable. The address should be related to a local where any activity related to the ISMS scope happens, or where the management responsible for the scope works.

    2 - How does that compare to a rented room or desk in a co-working space?

    I understand that the answer may depend on the CB and/or the kind of business being audited, but some generic advice would already be helpful for us to know our options on this matte

    The same applies. If some business or management activity takes place in the local it may be used as the address for the certification scope, but this shared scenario is more complex to protect than the rented office.

    Additionally, please note that the space needs to be rented for the duration of the certification. If you change the location, this will need to be notified to the certification body, and if no activity is performed there, this may represent resources are not properly allocated.

  • ISO 27001 Risk Assessments

    To be compliant with ISO 27001 information security risks cannot be identified randomly, they need to be identified according to the defined risk assessment and treatment methodology.

    These articles will provide you with further explanation about the risk assessment process:

    These materials will also help you regarding risk management:

  • Page 79-vs-13485 of 1130 pages

    Didn’t find an answer?

    Start a new topic and get direct answers from the Expert Advice Community.

    CREATE NEW TOPIC +