Search results

External audits

No, a certified organization must go through yearly surveillance audits. It is not an ISO 9001 requirement, it is a requirement from your organization’s contract with the certification body.

Design and Development Agreement

No, we do not have a direct Design and development agreement, but we do have a document that is part of the folder 10_Purchasing and evaluation of supplier, 10.7_Appendix_7_Quality_Agreement_for_Subcontractor, that covers what is necessary for the provider of outsourced process. You can just tailormade it for the design process. 

Gaps From MDR to CFR

There are some differences between documentation. You can find it in the following article:

• FDA vs. EU MDR Technical Documentation Matrix - https://info.advisera.com/13485academy/free-download/fda-vs-eu-mdr-technical-documentation-matrix

For any other questions, do not hesitate to contact us.

Risk-based approach

Yes, a risk-based approach is a requirement stated in 4.1.2 of the ISO 13485:2016 - apply a risk-based approach to the control of the appropriate processes needed for the quality management system. This means that for each process you need to be aware of possible risks that can occur, and you must have a mechanism for how to control them. 

Definitively it can be in a table where you will have your processes, risks than can occur, and then control measures.

Some approaches regarding the risk you can find in the following article:

• Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits  - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/

• Conformio expert questions

  1. In the Project Plan document under section 3.4.3. the document is referencing a project team, however later on the title of the table is "Participants in the project". There is an inconsistency in the understanding of who are the members of the project team as there can be more participants in the project than the team members, especially if it is a larger company. Can you please clarify this section for me in this document? 

  Answer: Please note that the project team, in general, refers to people involved in the tasks of the project, while participants cover not only the project people but also people who provide knowledge about the organization’s processes and information (e.g., key users), and decision-makers (e.g., managers and department heads). Is a good practice to identify the last ones early in the project to ensure engagement with the project.

  Considering that, you use the table "Participants in the project" in the Project Plan Document as it is to include members of the project team as well as the other relevant users for the project.

  For further information, see:
  - RACI matrix for ISO 27001 implementation project https://advisera.com/27001academy/blog/2018/11/05/raci-matrix-for-iso-27001-implementation-project/

  2. We are a very small company and we do not have Head of IT department, but only the Senior IT technician and two IT support guys. In Conformio I can only define one IT support job title for one of the guys, but I cannot give the same job title to the second IT support person even though both of them have the same job title in our company. Can you explain why this is so?

  Answer: Defining the same job title to different persons is not allowed to prevent conflict of responsibilities in the responsibility matrix (if two persons have the same job title it is not clear who needs to perform a task attributed to this job title). As an alternative, you can differ the job titles by a number (e.g., IT support 01 and IT support 02).

  3. We want to declare all printed documents as unreliable and therefore uncontrolled, but we were not able to find a way to do that in the Procedure for document and record control. Can you advise how we can add this statement in this document or where we can add this statement?

  Answer: Currently it is not possible to define treatment for uncontrolled documents in the Procedure for Document and Record Control. As an alternative solution, you can develop a simple procedure to document this rule (e.g., a Procedure for Labeling Uncontrolled Documents), or a simpler solution would be not to define written rules for paper documents, and apply the Procedure for Document and Record Controls only for the digital documents.

• ISO 20000 Service Desk

  I don't know your current state of service desk (related to the level of digitalization), but in general digital transformation:

  1.    Enables you to do things differently (or do different things) compared to the state before digital transformation. That will, I assume, require a significant change in some of the activities

  2.    Is achieved by digitizing, robotizing, and use of some other form of automation.

  3.    Requires a change in leadership style – e.g. servant leadership, challenging own assumptions related to the way they work, fostering experimentation and safety culture among the workforce, etc.

   

  So, these are some characteristics of digital transformation. Apply them to the specifics of your organization.

  Digital transformation offers many opportunities, but it also brings some risks. Risk should be managed proactively since digital transformation involves technological shifts which carry risks.

  Governance is also an important element that needs to be adjusted, e.g. responsiveness and flexibility.

   

  So, digital transformation requires a shift in almost every area of the business. 

• Risk Register Team work question

  The information about these controls can be located as follow:

  • Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4): security roles and responsibilities are defined alongside all documents implemented for the ISMS. You can see a summary of this information by accessing the “Responsibility Matrix” link in the left side panel of Conformio Screen.
  • Inventory of assets: Conformio enables you to draw up the list of assets during the risk assessment process by suggesting a checklist of potential assets you can find in your company. The inventory of assets is part of the Risk Register Module
  • Acceptable use of assets (clause A.8.1.3): this control is implemented by means of the IT Security Policy
  • Access Control Policy: this control is implemented by means of the Access Control Policy
  • Operating Procedures for IT department: this control is implemented by means of the Security Procedures for the IT Department
  • Secure system engineering principles (clause A.14.2.5): this control is implemented by means of the Secure Development Policy
  • Supplier Security Policy: this control is implemented by means of the Supplier Security Policy
  • Incident Management Procedure: this control is implemented by means of the Incident Register
  • Business continuity procedures (clause A.17.1.2): this control is implemented by means of the Disaster Recovery Plan document
  • Legal, regulatory, and contractual requirements: this control is implemented by means of the Register of Requirements module

  Approved documents can be found by accessing the “Documents” link in the left side panel of Conformio Screen.

  Please note that the documents “IT Security Policy”, “Access Control Policy”, "Security Procedures for IT Departments", "Secure Development Policy", "Supplier Security Policy" and "Disaster Recovery Plan" are added after completion of the Statement of Applicability step, as justification for the controls they are related to. Please take a look at the following help video for more information: https://vimeo.com/showcase/6734609/video/472957258

• ISO 27001 A.8. 1.1 Asset Inventory

  The equipment’s serial number is a common practice adopted for a unique identifier.

  ISO 27001 does not prescribe information to be used to track an asset, so organizations can define the information they see best fits their needs.

  This article will provide you with a further explanation of asset management:

  • Asset management according to ISO 27001: How to handle an asset register/asset inventory https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

• Mandatory docs

  This information can be located as follow:

  • Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4): security roles and responsibilities are defined alongside all documents implemented for the ISMS. You can see a summary of this information by accessing the “Responsibility Matrix” link in the left side panel of Conformio Screen.
  • Acceptable use of assets (clause A.8.1.3): this control is implemented by means of the IT Security Policy
  • Secure system engineering principles (clause A.14.2.5): this control is implemented by means of the Secure Development Policy
  • Business continuity procedures (clause A.17.1.2): this control is implemented by means of the Disaster Recovery Plan document
  • Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3): logs are generated and stored in the information systems the organization configures them (these records need to be uploaded manually to Conformio if you want to access them through the platform). Security events can be found in the Incident Register Module.