Hi guys,
The company I work for is a small SaMD startup. Due to some contracts we signed with other companies, which required us to be 27001 compliant, we prioritised implementing ISMS over QMS. We passed both Stage 1 and Stage 2 27001 audits. Now we are implementing 13485 and setting up our QMS. We have a Stage 1 audit planned very soon.
At the company, we are all new to this, with very little RA experience, so we are learning as we go with the help of a consultant. The consultant advised us to merge some of our policies and procedures (like training, data control, and internal audit...), but for the majority he recommended keeping the two systems separate because the auditors don't like to dig through the policies to find the relevant bits for the QMS. This made some sense, but as we started implementing the QMS, we realised that these two systems are very interconnected because we are a SaMD company. The way I see it, the ISMS is only a part of our QMS (as a subdivision) that relates to how we handle documents, equipment, work environment and infrastructure. I feel like any issue with information security would affect our quality system and therefore our product, which is cloud-based.
My question is - what is actually the relation between these two management systems: should they be completely merged and integrated, should they only be partially merged, or should they be kept completely separate? For example, having one Training & Awareness procedure for the two systems, and listing all of our ISMS and QMS SOPs and POLs in the Training Matrix, automatically opens all of our ISMS policies to a QMS auditor as they are part of the same record. Also, can a 13485 auditor request to view a document that isn't in the scope of our QMS or part of our Master Document List, just because on the employee training record he might have seen an ISMS policy not mentioned in the QMS?