
  • Risks SOP, Medical Device File and auditing ISO 13485

    My first question is: do I need to have a Risk Management SOP?
    My understanding is that we need to assess the risk on the devices associated with the medical industry (we only manufacture the batteries) and I'm already drafting up a Risk Register for ISO 9001:2015, but do I actually need an RM SOP and, if so, what needs to be in it? I'm also adding a risk assessment to the bottom of each ‘Product Change Form’, ‘Calibration – Adjustments Form’, and Corrective Actions Form to monitor any changes for associated risks.

    First, instead of implementing ISO 13485:2012, you should implement ISO 13485:2016, since this is the latest version of the standard and in this way you will avoid a later transition process.

    When it comes to risks, ISO 13485 requires the organization to “document requirements for risk management throughout product realization”; translated to plain English, this means that you need an SOP for risk management.

    I've put together Medical Device Files – neither one really takes up more than an A4 page listing the customer specs, QMS control documents, procedures surrounding how we measure/control process performance – does there need to be more? Do you have any templates/examples for something like a non-medical battery that would be used to power a medical device? (I can send an example of what I'm using?)

    The standard does not define the volume of the documentation or the mandatory elements other than the ones you've mentioned, so you are compliant with the standard in this regard. Unfortunately, we do not have templates specific for non-medical batteries, but here you can download a free preview of our ISO 13485 Documentation Toolkit: https://advisera.com/13485academy/iso-13485-documentation-toolkit/

    I've made sure our internal audits are ‘process approach’ and documented with both 9001 and 13485 requirements but I'm unsure as to whether 13485 audits need anything extra?

    ISO 13485 does not have any additional requirements regarding internal audit compared to ISO 9001, so you don't have to do anything more than ISO 9001 requires.

    I've also gathered all of the regulations such as IATA and IEC 62133 that affect batteries and listed them on a controlled document to monitor for changes that may affect the business.

    If you identified all legal requirements regarding your product, you are compliant with this requirement of the standard.

    Is there anything else that the assessor will want to see that I'm not considering?

    From your questions I see that you covered the key points of the standard, so I don't have anything to add.
  • Validity of Internal Auditor Certificate

    First of all, it is necessary to see if there is a requirement about this issue in your customer's specific requirements.

    If not, it is sufficient to know the IATF 16949 standard and receive internal auditor training, but you must also be competent enough to audit your supplier's production process.

    If these 3 issues are suitable for you and there is no specific requirement from the customer, you can audit your supplier.

  • Remote Audit


    Answer: Besides the documentation audit (which you can send to the auditor before the local phase of the audit), other situations for remote audit should be evaluated by the auditor on a case-by-case basis, considering the specific organizational context, identified risks and implementation methods applied, so it is not possible to point to a proportion or rule. What I can say to you is that an auditor would keep remote audit to a minimum, because direct observations are one of the main resources for compliance verification (e.g., even when auditing teleworking the auditor can find some local evidence in the organization, like systems access logs).

    These articles will provide you further explanation about performing an audit:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    These materials will also help you regarding performing audit:
    - Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/
  • Information Security Governance In Health Services


    I would appreciate your invaluable inputs as soon as possible because I have to make a presentation on this program in a few days.

    Answer: From the Information Governance Toolkit site (https://www.igt.hscic.gov.uk/), I assume you are referring to the requirements for Health and Social Care Information Centre, which cover requirements for: Information Governance Management, Confidentiality and Data Protection Assurance, Information Security Assurance, Clinical Information Assurance, and Corporate Information Assurance.

    Considering the definitions provided in the "About The IG Toolkit" document (https://www.igt.hscic.gov.uk/resources/About%20the%20IG%20Toolkit.pdf), I understand the implementation of the information governance toolkit can follow the same general steps used for an ISO 27001 ISMS implementation:

    - Project planning and elaboration of basic documentation
    - Carrying out the risk assessment and risk treatment plan elaboration
    - Information security policies and procedures elaboration
    - Implementation, operation and evaluation of policies and procedures (at this point some corrective actions may be required)
    - Internal audit and management review
    - Treatment of internal audit nonconformities and management review decisions

    Advisera works with ISO management standards, and I personally do not know the details regarding the specificities of UK healthcare regulations, so we cannot provide much more input beyond that.

    Regarding the specific scenario of a healthcare organization, you can include as a reference ISO 27799 - Information security management in health using ISO/IEC 27002, which will provide you specific recommendations about this sector: https://www.iso.org/standard/62777.html

    These articles will provide you further explanation about ISO 27001 implementation:
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    - How ISO 27001 and ISO 27799 complement each other in health organizations https://advisera.com/27001academy/blog/2016/06/13/how-iso-27001-and-iso-27799-complement-each-other-in-health-organizations/
  • Supplier security clauses


    Answer: No. The clauses presented are suggested based on the most common requirements to be covered by organizations that rely on outsourced services. Depending on the nature of the business and the results of the risk assessment, you may need to consider other clauses.

    This material will provide you further suggestions about supplier security clauses:
    - Security Clauses for Suppliers and Partners https://advisera.com/27001academy/documentation/security-clauses-for-suppliers-and-partners/
  • Implementing integrated management systems


    Answer: Considering the number of people you stated, an implementation, including the certification process, usually takes between six and eight months. Since you are thinking about implementing multiple standards, the implementation may vary, but you can take advantage of the similar structure of ISO standards to save some time and money implementing common requirements, like planning, internal audit and management review.

    The maintenance process is an ongoing process that will last until the organization decides it does not want the certifications any more. The certification cycle is three years for all standards you mentioned.

    Most of the outsourced activities your organization has will be handled by contractual clauses.

    These articles will provide you further explanation about implementing the standards:
    - How long does it take to implement ISO 27001 / BS 25999? https://advisera.com/27001academy/blog/2011/11/08/how-long-does-it-take-to-implement-iso-27001-bs-25999/
    - How long does it take to implement an ISO 9001-based QMS? https://advisera.com/9001academy/blog/2016/07/05/how-long-does-it-take-to-implement-an-iso-9001-based-qms/
    - How long does it take to implement ISO 14001:2015? https://advisera.com/14001academy/blog/2016/04/04/how-long-does-it-take-to-implement-iso-140012015/
    - How long should it take to implement OHSAS 18001? https://advisera.com/18001academy/blog/2017/01/18/how-long-should-it-take-to-implement-ohsas-18001/
    - How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/

    This material will also help you regarding ISO implementation:
    - Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
  • L1, L2, L3 activities


    Answer:
    L1, L2, L3... are typical for the Incident Management process. How many levels there are, i.e. where a certain level belongs in the ITSM of the company, depends on various factors. Here are a few examples:
    - processes/functions in place
    - complexity of IT services supported
    - 3rd parties in place (or not in place)
    - capability of ITSM employees
    - geography of the organization
    - etc.

    So, the L1, L2, etc. job descriptions (including responsibilities) will be made according to the organizational setup. For example, the Service Desk can have L1 responsibility, L2 could be an expert for a certain technology, and L3 could be the development department.
    Other processes - usually organizations don't need many levels in, e.g., Knowledge Management.
  • Filling SoA

    Sorry, I don't understand your answer. Can you point us specifically to Annex A in the documentation toolkit provided with the ISO 27001 package?
  • ISO 27001 and information security governance

    The article links on this post helped me. Thanks Rhand Leal

  • Risk-based thinking in IATF 16949


    Answer:

    When it comes to risk-based thinking or addressing risks and opportunities, IATF 16949 has additions to the requirements of ISO 9001. IATF 16949 requires risk analysis to include, at minimum, product recalls, product audits, returns and repairs, complaints, scrap and rework. The evidence of risk-based thinking would be the FMEA (Failure Mode Effect Analysis) conducted for processes, with appropriate actions taken to address the risks. As far as the staff operating the processes is concerned, the best approach is to focus primarily on the risks emerging from their processes and what has to be done to avoid the risks. For example, how to perform the activities and avoid the nonconformities.