Search results


  • Management review questions

    1. Risk policy that is referred to in the template - what is this exactly? Is it the risk management policy according to ISO 14971, or is it a general risk assessment for the policy? How exactly can it be evaluated during management review?
    Yes, it is the risk management policy according to ISO 14971; the manufacturer needs to state a policy for establishing criteria for risk acceptability. How it must be composed is stated in ISO/TR 24971:2020 Medical devices — Guidance on the application of ISO 14971.

    During the Management review, you will check whether the risk policy must be changed due to complaints, possible withdrawals, or reported adverse events, and whether it is necessary to change the acceptability criteria.

    2. The matrix of KPIs - is it OK if, timewise, it is approved during the first MB meeting, or does it need to be approved prior (in our case, 3 months prior, when the SOP was established) and presented to the management for review?

    It is best to approve the KPIs beforehand, so that you can discuss them in your Management review and even assess what goals you will set for the next period after the Management review.

  • GDPR E-mail Question

    In a privacy notice, you need to be very precise regarding the processing of personal data that you, as a data controller, are doing. Transparency is one of GDPR’s most important principles, as it is required in Article 5.1.a. So you must tell your data subjects if their emails are landing on a server owned by a third party. If you are using Gmail, you need to make sure that you are using Gmail from Google Workspace in order to have clear accountability (in this case Google would act as a Data Processor for your organization).

    Please find more details at these links:

    To learn more about GDPR, check this free online training EU GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course/

  • IATF 16949 for improving procedures manual in automotive industry

    You can consider clause 10.3.1, the continual improvement clause of the IATF 16949:2016 standard, and clause 7.5.2, the creating and updating clause of the ISO 9001:2015 standard.

  • Document Toolkit

    ISO 27001 does not prescribe how to implement a confidentiality agreement, so organizations can implement it as it best fits their needs.

    Considering that, you can keep the confidentiality agreement in the employment contract.

    Regarding the document content, please note that a confidentiality agreement is more than simply saying that the parties need to keep the information confidential. It also helps explain other things, like what confidential information is, what to do in case of information compromise, penalties in case of a breach, etc.

    For further information, see:

  • ISO 27001 Certificate Renewal

    Since your previous certification has expired, you need to go through all the certification processes again (i.e., first a certification audit, followed by surveillance audits).

    Compared to ISO 27001:2005, ISO 27001:2013 has significant differences only in Annex A (security controls), so you do not need to consider a full fresh implementation (i.e., documents related to main clauses from sections 4 to 10 will need only some adjustments). 

    For further information, see:
    - ISO 27001 implementation steps https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    - How to make a transition from ISO 27001:2005 revision to 2013 revision https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/

  • Questions around templates - policies vs procedures

    Please note that ISO 27001 does not prescribe how policies and procedures need to be documented, so organizations are free to document them as best fits their needs (i.e., as separate or merged documents).

    For large organizations, policies define the general rules for activities to be performed (what needs to be done), while procedures define the specific steps to perform them (how to do it).

    For example, a Backup Policy can define that users need to periodically copy local data to corporate storage, and you can have specific procedures on how to do that for different devices, operational software, or work sites.

    For small organizations, you can have all this information in a single document, to reduce administrative effort.

    These articles will provide you with further explanation about developing documents:

  • Most efficient steps in regulatory pathway to introduce class III implantable device

    Please consider the following steps:
    - Establish a QMS
    - Compile a dossier of pre-clinical evidence
    - Seek regulator approval for a phase I safety trial
    - Prepare the technical documentation
    - CE mark the product and obtain ISO 13485 certification (the last two steps go together)

  • PHA risk evaluation

    1. In the document ISO 13485 & MDR Integrated Documentation Toolkit – does MDR 2017/745 correspond to all 2017/746 requirements?
    Our toolkit corresponds to most of the MDR requirements for the Quality Management system. We are currently working on some more documents to be completely in compliance with Article 10, and you will be informed about it as soon as it is published.

    2. I need to create a PHA risk evaluation analysis for my medical device (photometer). I do not think that in this toolkit there is a template for PHA risk evaluation for an electrical device. Is it possible to request this document from you or to buy it separately?
    No, we do not have a template for the PHA. We considered that our risk traceability matrix best describes the requirements of ISO 14971:2019.

  • Training and ISO 27001 implementation

    Your assumption is correct. Required information security training and awareness activities, and which personnel are required to attend them, are mapped in the Training Module, but please note that this tracking is not done automatically. You need to define these activities manually, according to the competencies you identify you need to have.

    From the standard's point of view, the information included in the Training module is sufficient for certification purposes. In case you already have another solution implemented for tracking training in your company, you may include the information about information security training and awareness in it.

  • Privacy policy on my homepage

    A privacy policy is usually an internal document, used to establish how personal data processing operations are handled by the organization, generic controls for the protection of personal data, and escalation paths. A privacy notice or privacy statement is something you communicate to data subjects whose data you process, as part of your transparency obligation.

    In a privacy notice, you need to be very precise regarding the processing of personal data that you, as a data controller, are doing. Transparency is one of GDPR’s most important principles, as it is required in Article 5.1.a. So you need to determine whether you are using Google Fonts and then you must provide all details, including any personal data transfers to the US and the safeguards you are using to protect personal data.

    Please find more details at these links:
