Relation between ISMS and QMS for a SaMD

#1
Hi guys,

The company I work for is a small SaMD startup. Due to some contracts we signed with other companies, which required us to be 27001 compliant, we prioritised implementing an ISMS over a QMS. We passed both the Stage 1 and Stage 2 27001 audits. Now we are implementing 13485 and setting up our QMS. We have a Stage 1 audit planned very soon.

At the company, we are all new to this, with very little RA experience, so we are learning as we go with the help of a consultant. The consultant advised us to merge some of our policies and procedures (like training, document control, and internal audit...), but for the majority he recommended keeping the two systems separate, because auditors don't like to dig through the policies to find the bits relevant to the QMS. This made some sense, but as we started implementing the QMS we realised that these two systems are very interconnected because we are a SaMD company. The way I see it, the ISMS is only a part of our QMS (as a subdivision) that relates to how we handle documents, equipment, work environment and infrastructure. I feel like any issue with information security would affect our quality system and therefore our product, which is cloud-based.

My question is: what is actually the relation between these two management systems? Should they be completely merged and integrated, only partially merged, or kept completely separate? For example, having one Training & Awareness procedure for the two systems, and listing all of our ISMS and QMS SOPs and POLs in the Training Matrix, automatically opens all of our ISMS policies to a QMS auditor, as they are part of the same record. Also, can a 13485 auditor request to view a document that isn't in the scope of our QMS or part of our Master Document List just because he might have seen an ISMS policy not mentioned in the QMS on an employee's training record?

DannyK

Trusted Information Resource
#3
Quoting post #1: "My question is - what is actually the relation between these two management systems, should they be completely merged and integrated or should they only be partially merged or kept completely separate? [...] Also, can a 13485 [auditor] request to view a document that isn't in the scope of our QMS or part of our Master Document List just because on the employee training record he might have seen an ISMS policy not mentioned in QMS."
It is really up to you to decide.
Most of the SaMD companies that I audit keep the ISMS and QMS separate.
There is a little overlap and that is ok.
The QMS auditor could ask for records that are part of the ISMS but it is up to you to set the boundaries in the QMS.
 

Sidney Vianna

Post Responsibly
Leader
Admin
#4
When well executed and implemented, an ISMS and a QMS are just subsets of the organization's business operational processes, properly embedded in the day-to-day operation, and it makes sense to let overlaps exist as much as it makes sense.

The defense against misguided auditors is to keep them limited to the scope of the audit. If they are competent, they do know the limitations of the system they should be assessing.

Never ever ever ever design a system attempting to “protect” it against misguided and/or incompetent auditors.