Frequently asked questions and things to know
On this page, we have compiled interesting facts and answers to frequently asked questions about our topics/products and the digitization of quality and compliance processes. Would you like to digitize quality management, quality assurance or compliance processes or take them to a new level? We will be happy to provide you with advice and support in this regard. Feel free to contact us!
What is meant by SOP?
In regulated industries, SOP stands for Standard Operating Procedure. The abbreviation should not be confused with “Start of Production”, which is common in industrial serial production.
SOPs are documents of the highest importance in the pharmaceutical and medical technology industries (or, generally, the life sciences) and often also in the food industry. Standard Operating Procedures focus on critical procedures or processes with a potential impact on health, safety, and the environment. SOPs describe in detail how to handle work steps or procedures and how to check and document results. The aim is to ensure uniform execution and identical results and to guarantee adherence to ethical and legal standards.
Due to the importance of SOPs (especially with regard to patient safety), their management and control is regulated by authorities, in particular by the FDA and the EMA. Compliance with their guidelines is required and subject to regular audits. Violation of guidelines may result in severe penalties and sanctions, up to and including a marketing ban. After all, deviations from guidelines may cost human lives in the worst case.
SOPs have several advantages. For example, they describe all processes to all employees in a uniform and comprehensible manner. They clearly outline who has to do what, when, where and how. Such standardization simplifies and accelerates regular training and the onboarding of new colleagues. SOPs also prevent errors and ensure consistently high quality.
What do digital document control systems do?
Document control systems automate and standardize document lifecycle processes. Digital solutions guide the user in the best possible way through all steps of the document control process (document creation, review, approval, distribution, modification, validity extension, suspension, reactivation of instructions). Such solutions optimize collaboration with no local constraints. All relevant documents are assigned to users directly; they are stored in their personal workspaces for quick and easy access.
DHC VISION includes best practices for quality management processes based on over 20 years of experience. DHC VISION SOP Management, our document control solution, also supports adherence to regulations and ensures compliance. Reports and dashboards allow close monitoring of the status and validity of specification documents; they ensure the traceability of actions at any time. Companies are thus able to provide information at any time and are always ready for an audit.
What distinguishes document management systems for life science from classic DMS?
DMS solutions address a wide range of application scenarios. For companies from the pharmaceutical, chemical, medical technology, and biotechnology sectors – or the “life sciences” in general – strict regulatory requirements must be observed; compliance is a must. One focus is on work instructions or SOPs. Via GxP guidelines, the Food and Drug Administration (FDA) and the European Medicines Agency (EMA) specify a strict framework for document management with which any software system must comply, technologically and functionally. Both the software solution and the provider must have the competencies, methods, and tools to meet the requirements. Compliance with GxP, GMP, and 21 CFR Part 11, to name but a few, is as essential as the validation and qualification of the software, e.g., according to GAMP.
DHC has specialized in meeting the demands of regulated industries for over 20 years. DHC VISION Document Control (as well as the other modules) meets industry standards comprehensively. DHC also has expertise in validating and qualifying complex computer systems. Scalable CSV services and comprehensive validation documentation (Validation Accelerators) are an integral part of our implementation projects.
What regulatory requirements should a managed documents solution meet?
Companies in the “Life Sciences” are subject to strict laws, regulations, and standards; compliance with the regulatory framework is essential. The regulations to be observed vary according to the industry sector. The list is long; examples for FDA or EMA regulated industries are: EU GMP (EMEA), 21 CFR Part 11 (FDA), 21 CFR Part 820 (FDA), ICH, GAMP, PIC/S, the Medical Devices Act (MPG), the Medical Devices Ordinance (MPV), ISO 13485, ISO 9001, ISO 17779 or 14791. In addition, there are cross-industry regulations, e.g., on data protection or information security.
What types of training are supported in combination with DHC VISION SOP Management (controlled documents)?
The SOP Management module provides procedures for distributing documents to a defined group of people. They can be distributed either for information or for acknowledgement. If content needs to be formally trained, further processes are available in a dedicated Training Management module. For example, documents can be automatically forwarded to employees; they confirm that they have “read and understood” the content. The module also covers classroom training or classroom events; trainers receive announcements, participant lists, feedback forms, and much more.
Can DHC VISION Training Management also be used stand-alone?
The SOP Management module is our solution for managing and controlling specification documents. It also provides the basis for employee training. With DHC VISION, we focus on the holistic digitization of the document life cycle. This includes not only the release of documents; it also covers training management and the verification of learning success. Thus, we implement “closed loop processes” – from document creation to learning success monitoring.
How does DHC VISION training management differ from learning management systems?
DHC VISION is designed for use in regulated industries, i.e., the pharmaceutical, chemical, and medical technology industries. The system, in particular, targets the EMA and FDA regulated world. Hence, its focus is on training content provided in key documents; DHC VISION generates the proof of training required by regulation, which is essentially based on employees testifying that they have “read and understood” the document. The training status of employees is commonly checked in audits and inspections.
Learning Management Systems (LMS) are specialized in HR processes such as education and training, personnel development, or talent management. This usually includes course catalogs, learning media of various formats, and e-learning courses for which employees can register themselves. LMSs generally include authoring tools for the creation of multimedia learning content.
The validation of such systems – not to mention their GxP-compliant development – is very time-consuming, if possible at all. Therefore, LMSs in the life sciences are often used for non-GxP-critical processes and training content only.
Our DHC VISION eDMS, by contrast, is specifically designed for the “validated” environment with its regulations on document management as well as training procedures and functions. The training solution focuses on specification documents, GxP or compliance topics, i.e., training measures and content required by law, regulation, or in-house guidelines – and where 100% traceability is required.
What is CAPA?
So-called quality anomalies, non-conformities, deviations, complaints, findings or, simply put, “errors” trigger detailed error and cause analyses, based on which measures are defined, initiated, and subsequently evaluated for their effectiveness.
A distinction is made between immediate actions, corrective actions (CA) and preventive actions (PA). Corrective actions must be initiated for deviations or errors that have already occurred. Preventive actions, by contrast, are initiated to prevent deviations before they occur. The CAPA process starts with measures to be implemented immediately to limit potential damage.
The regulatory requirements for corrective action and preventive action are comprehensively described, for example, in ISO 13485, the Medical Device Regulation (MDR), and in FDA 21 CFR Part 820.100.
Why are digital CAPA processes recommended?
One of the well-known deficiencies detected in GMP inspections is inadequate documentation in the CAPA process. “What is not documented does not exist”; hence, documentation is crucial. However, deviations are very often neither comprehensively documented nor investigated in detail; root cause analysis is neglected; and relevant CAPAs are not implemented.
Similarly, there is no evidence of measures taken to prevent recurring incidents, nor of activities that are planned to verify the effectiveness of measures. In short, the CAPA process is methodologically known and established; however, analog processing is prone to too many errors. Inadequate or insufficiently documented CAPA processes can lead to a warning letter; the FDA publishes such letters on its website (Warning Letters | FDA).
A digital CAPA solution takes into account all necessary activities; it automates the entire lifecycle of relevant processes – from the identification of the problem to the successful implementation of a solution. In this way, the CAPA process is complete and transparent at all times: no process or necessary activity is omitted, skipped, or forgotten; missed deadlines are strictly escalated, thus preventing delays or procrastination. Digital processes are consistent down to the smallest detail. This is where the strengths of digital CAPA processes in DHC VISION become apparent.
Which CAPA reports are relevant to management?
Management reports start at the top of the information pyramid and move down to ever more detailed information. The first thing of interest is an overall view of the actual CAPA situation with a clear target group orientation. How many CAPAs are currently being processed? Are there specific trends? Is there an increase or decrease in CAPAs, the number of findings, deviations, and complaints? What is the processing status of these CAPAs? How many CAPAs are still being processed? And how does that number relate to the number of CAPAs already being reviewed for effectiveness? Which CAPAs are overdue? Are there clusters of CAPAs at certain company locations? These are all highly relevant questions for quality management.
What is meant by deviations?
In very general terms, a deviation is understood as the non-fulfillment of a desired regularity or a standard condition. The term is used in domains such as cost control or statistics; in quality management, it usually refers to the difference between an agreed target, a planned value, or target state on the one hand, and the actual value or actual state on the other.
In regulated industries, deviations are often quality anomalies or defects, out-of-specification results, non-conformities, or process deviations. In the broadest sense, such phenomena are deviations from the defined target state, e.g., deviations in the recipe, the filling quantity, or technical process parameters in production. In the life sciences, such deviations generally trigger further investigations. It is important to distinguish deviations from “changes”: deviations are unplanned; changes, by contrast, are planned.
To give an example: Even a change of a few millimeters in the folding direction of the package insert in a drug box triggers a deviation process. The stance of regulatory authorities such as the FDA or EMA toward the detection of deviations is: Once deviations are identified, they must not be covered up or downplayed; rather, detailed investigations are required – and they have to be documented.
When analyzing deviations, it is important to first separate what is “conspicuous” or “extraordinary” from what is “less important”. Then, it is possible to focus on appropriate actions to eliminate the causes of such conspicuities. Prompt action can prevent greater damage, for example, if individual batches have to be blocked for delivery. There is a fluid transition from detecting irregularities to remedial actions, i.e., from the deviation process to the CAPA process.
Why are digital processes recommended for managing deviations?
Deviations, e.g., in everyday pharmaceutical work, are mass phenomena; they quickly reach unmanageable dimensions. The deviation process must meet high standards; shortcuts or improvised approaches to solutions are not allowed. At the same time, many people are involved in the deviation process. The deviation process, thus, is complex. This is also due to the close interlocking with other processes such as corrective actions; additional complexity is added through the dependencies on “long-term measures” in place. Therefore, paper-based methods cannot cope with the flood of information and the complexity of the tasks.
Software for deviation management supports thorough documentation in line with regulatory requirements; it automates relevant workflows, from the first to the last step.
What are the reporting requirements in deviation management?
Every deviation, as well as every complaint, initially represents a risk and thus potential damage. Classifying a deviation in terms of criticality provides an initial assessment and, thus, an indication of the damage it may cause. Quality site reports cover deviation analyses in all conceivable cross-relationships to products, raw materials, processes, and suppliers.
Here, too, management reports follow a top-down approach in the information pyramid. The first thing of interest is an overall view of the current deviation situation; data aggregation here is target group-specific. How many deviations are there currently? What is their processing status? What trend is discernible? Is there an increase or decrease in deviations? Do open deviations predominate? Or has the majority of deviations already been reviewed for effectiveness? Which deviations are overdue for processing? Are accumulations of deviations detectable at certain company sites?
As always, such metrics and reports are all about complete traceability and regulatory compliance.
What is meant by “complaints”?
A complaint under 21 CFR Part 820.3 (b) means any written, electronic, or oral communication that indicates deficiencies in the identity, quality, durability, reliability, safety, effectiveness, or performance of a product released for distribution. Complaints come from the outside; a pre-market product deficiency, by contrast, is a deviation.
Whenever customers file complaints, they have to be taken seriously; complaints require further investigation. Complaint management is a centerpiece of quality assurance; the manufacturer’s duty of care applies, as product defects impinge on customer satisfaction; they may even be a risk to patient safety and health.
And yet, if handled correctly, complaints may also have a positive effect: they may contribute to optimizing product quality processes on the supplier or customer side as well as on the manufacturer side and with regard to internal quality processes.
Is there also a digital solution for complaints management?
Manufacturers of medical devices, for example, must keep records of complaints. Procedures and standards must be defined for accepting, evaluating, and investigating complaints. A software system controls the entire handling process of each complaint in accordance with regulations in place and throughout the entire life cycle of a complaint; maximum traceability is expected. DHC VISION offers a wide range of methods and tools to record complaints, to identify their causes and errors, to take remedial action, and to avoid them in the future.
Of particular interest is the analysis of complaint data. In-depth investigations focus on the detection of trends; they also analyze the status quo and investigate underlying error and cause patterns.
What are the relevant requirements for complaint protocols under 21 CFR Part 820.198?
The investigation report should include the following items (see eCFR: 21 CFR 820.198, Complaint files):
- Name of the product
- Date of receipt of the complaint
- Identification number(s) and control number(s) of the product
- Name, address, and telephone number of the person filing the complaint
- Nature and details of the complaint
- Dates and results of the investigation
- Corrective action taken
- Responses, if any, to the person who reported the complaint
What is meant by "change management"?
In a general sense, the term “change management” refers to the need for organizations, organizational units, or departments to adapt to changing conditions. In this process, methods and measures are used to achieve the desired target state.
In the GxP-regulated environment, “change management” ensures that every change proposed, e.g., for a product, is appropriately defined, reviewed, and approved. In this context, change management is a key method for avoiding dangerous errors and for preventing consequential damage to consumers or patients.
What types of changes are there, and which are supported by our change management solution?
First of all, a distinction can be made between “normal” or standard changes on the one hand and emergency changes on the other. Standard changes refer to predefined or recurrent changes which are based on experience. Usually, they are pre-authorized and documented changes with a manageable risk and a successfully applied procedure. Emergency changes, by contrast, are to be implemented directly; they are usually based on previous highly critical deviations or incidents. An Emergency Change Advisory Board (ECAB) evaluates and authorizes these changes.
Furthermore, two types of changes can be differentiated: general changes (change requests of a functional nature) and IT changes (change requests of a technical nature).
DHC VISION supports a standardized process (workflow) for the systematic and controlled implementation of all changes. These can be change requests for products, processes, systems, IT applications or documents such as SOPs. A special workflow is provided for IT changes (e.g., “new software implementation”) as the impact analysis, for instance, is carried out in a different way (e.g., impact on validation, training documentation…). This results in very broad and diverse application options. The standard workflows can be adapted to company-specific requirements by configuration. Regardless of the change object, all steps and activities are documented – from the change design to the technical and formal reviews, the impact analysis, the approval of a change, its implementation and the review of its effectiveness, and, finally, to the completion of the entire change process.
Why do companies need a digital software solution for change management?
Changes usually have an impact on processes and documents (SOPs, manufacturing instructions etc.). Many people and departments are involved in the design and implementation of a change; they may even be located in different buildings or sites. Without digital support, it is hard to handle complicated and cross-system processes. In addition, changes may be triggered by external factors, which are not within the reach of the company itself; it is important to react quickly to such changes.
The use of a holistic solution automates the entire process and ensures that all changes are managed in a targeted and traceable manner. Records are kept completely electronically. It is always possible to see who did what, when, where and how. Changes, releases, approvals, verifications – everything is logged. The change management software ensures full adherence to compliance requirements.
As a web-based system (in the cloud or on premise), DHC VISION ensures that employees are informed of changes in good time; they can work from wherever they are based. Other processes such as SOP management or eDMS (modification and training of standard operating procedures) or CAPA & Deviation and Complaint Management can be integrated to create seamless processes across system components.
Is there a connection between the change processes and other processes in DHC VISION?
Change Management is closely integrated with the other eQMS processes in the DHC VISION product family. If new training requirements arise from a change process, these can be covered by the Training Management module. Document control in the change process is based on the SOP Management system component (document management for controlled documents or standard documents). Deviations and measures can trigger more extensive change processes, which are then digitally supported in DHC VISION Change Management on the basis of information from the upstream processes. In sum, there is seamless integration with the other DHC VISION products; closed-loop processes can be implemented on a uniform data basis. Quality management, quality assurance, production and IT are closely interconnected.
What types of audits are there?
There are different audit types: process audit, product audit, system audit, customer audit, supplier audit, monitoring audit, repeat audit, third party audit, GxP audit. Based on applicable standards, norms or regulations, DHC VISION provides all functions and processes for internal and external audits for convenient control. All steps in the audit process are automated by the system’s workflow engine.
What is meant by a "third-party audit"?
A “third-party audit” is conducted when a company wants to be certified according to a certain standard. The term “certification audit” is also used synonymously.
Such audits may only be carried out by approved bodies, which are then also allowed to issue the desired certificate. Internal processes and systems are assessed; the degree of compliance with regulatory requirements is evaluated. Certification is reviewed and updated as part of regular surveillance audits or audits for recertification. Digital audit systems are also extremely helpful for third-party audits: the processes and associated documents can be viewed and checked in one place; automated processes support the tracking of audit results and the review of measures introduced.
Why do suppliers need to be audited?
According to current regulations, “outsourced processes” must also be included in a company’s quality management. This is required, e.g., for medical technology by DIN EN ISO 13485:2016 in chapter 4.1.5; further relevant specifications are made by the EU GMP Guideline in part 1, chapter 7, the MDR Regulation (EU) 2017/745 in chapter 10 (9) d and FDA 21 CFR Part 820, section 820.50. These specifications are intended to ensure that external partners – i.e., also suppliers – fulfill the regulatory requirements to which the company itself is subject. Hence, suppliers must be qualified initially and on a regular basis. This can be done through supplier audits based on questionnaires, checklists or on-site visits.
What is a Trial Master File?
With the discussion about the approval of coronavirus vaccines, the term “clinical trial” has become known to the general public. A clinical trial tests the performance, efficacy and safety of medical devices, forms of treatment, active substances, etc. and is conducted with patients or volunteers.
The Trial Master File (TMF) is a collection of documents from a clinical trial. The TMF summarizes the essential files of the study while ensuring the integrity of the clinical data and compliance with Good Clinical Practice (GCP).
In a clinical trial, the following actors usually work together: the research company (sponsor), which has its product tested for performance, efficacy and tolerability; a contract research organization (CRO), which conducts the study on behalf of the sponsor; and one or more clinical institutions (investigators), which conduct the trial according to applicable standards and in accordance with the study plan. One TMF is created per clinical trial.
Which regulations and standards are relevant for a TMF?
The GCP – Good Clinical Practice – defines an internationally recognized standard for planning, conducting, monitoring/auditing, documenting, evaluating, and reporting clinical trials, based on ethical and scientific aspects. The content of a TMF is regulated in the EU Directive 2005/28/EC.
Relevant regulations of the European Medicines Agency (EMA) are: Guideline on the content, management and archiving of the clinical trial master file (paper and/or electronic), (EMA/INS/GCP/856758/2018); Guideline for good clinical practice E6(R2), Step 2b (EMA/CHMP/ICH/135/1995); Guideline for good clinical practice E6(R2), Step 5 (EMA/CHMP/ICH/135/1995).
The structure of a clinical trial and the corresponding documentation is defined in the Drug Information Association (DIA) TMF Reference Model.
What are challenges associated with TMFs? Does digitization help?
The particular challenges with TMFs are:
- the number of people/organizations involved (sponsor, CRO, investigators) and their different tasks and interests;
- the multitude and heterogeneity of data and documents, their completeness, retrievability, availability and auditable storage or documentation according to regulations in place;
- media discontinuities between analog, partly handwritten, data on the one hand and digital data on the other; the challenge is to manage such heterogeneous documents in a consolidated way due to the low degree of digitization, among other things;
- the lack of integration of IT systems at the sponsor’s, CRO’s and investigators’ sites, i.e., a heterogeneous and redundant IT infrastructure, which impedes the continuous exchange of data.
This makes it difficult to conduct or document a study in a way that can be audited by regulatory and licensing authorities.
Audit reports from regulatory authorities, therefore, regularly complain about the management of TMFs and the comprehensible documentation of studies according to compliance regulations. Digital processes and appropriate AI support in an eTMF may help make clinical trial documentation more reliable and compliant. The research project NextGenTMF is working on a solution under the leadership of DHC. More information is available here.
What is a policy management system?
A policy (guideline) management system defines and sets up processes to control the entire life cycle of guidelines and other standard documents in an audit-proof manner. The lifecycle covers the creation, review, approval, publication, and final deactivation and archiving of a guideline document. The processes do not refer exclusively to guidelines; they also include all specification documents of a document pyramid, i.e., process instructions, work instructions, procedural instructions and other specification documents.
What are the advantages of system-supported policy management?
In organizations and companies, there are usually countless guidelines on a wide variety of topics, such as occupational safety, information security, data protection, quality management, or industry-specific compliance requirements in general. Most of the time, these documents are stored in uncontrolled file systems and are often outdated. It is rarely possible to trace who has actually read these documents. A system-supported policy management system ensures that documents are stored centrally. Review, approval, and publication are workflow-supported and audit-proof. Recipients can be clearly identified and defined as target groups; they are proactively informed about new developments and changes. A request for a confirmation or acknowledgement always allows for tracking the distribution of documents in a transparent way.
What are the advantages of a policy management system regarding compliance?
Companies and organizations are subject to a large number of legal and normative requirements. In part, compliance with such requirements is a legal obligation. In part, however, companies or organizations voluntarily commit to complying with external requirements. One of the goals pursued is to eliminate or reduce risks and to ensure secure business operations. A policy management system helps to administer the policies resulting from the requirements in a legally compliant and audit-proof manner. The timing of the publication of guidelines is always transparent and traceable. An obligation to comply with these guidelines can be initiated and controlled directly via the guideline management system. In sum, a guideline management system supports the adherence to compliance requirements through transparent communication of requirements and a legally binding commitment to compliance by employees.
What are “Written Fixed Rules”?
“Written Fixed Rules” include documents and regulations on the organizational structure, i.e., the structural and procedural set-up of an institution, in particular of financial institutions (banks, insurance companies, etc.). “Written Fixed Rules” also include guidelines, work instructions and procedural instructions. It is important that this information is always kept up to date and made readily available to the employees of the organization.
What are the essential components of “Written Fixed Rules”?
An essential component of “Written Fixed Rules” is the documentation of the organizational structure and the process organization, which is required for legally compliant business operations.
The organizational structure is usually documented in the form of organizational charts; it describes the relevant positions, roles, and organizational areas in an institution. The process organization is documented using hierarchically structured business process models. Starting from the enterprise process map to the detailed processes, business processes are documented and linked to jobs, roles, and organizational areas. In addition, relevant standard documents are related to the organizational structure and to processes.
What are the advantages of implementing a digital system of “Written Fixed Rules”?
If “Written Fixed Rules” are implemented together with a software solution, the organizational charts and process flows can be made available to employees online in a navigable form. Employees select their job or role and receive a direct overview of their tasks and responsibilities. Relevant guidelines and standard documents are assigned to the processes; they can be accessed directly without media disruption. The software solution automatically initiates the regular review of content to ensure that it is up to date. Changes and innovations are automatically propagated to the predefined group of addressees upon publication.
What is an Internal Control System (ICS)?
An internal control system (ICS) refers to all measures and controls designed to minimize risks in the execution of a company’s business processes.
Business processes are to be designed in such a way that the legal requirements are met. Risks should be identified during the business definition process; they should be reduced by means of suitable preventive measures. In the operational execution of the business processes, the ICS is expected to prevent possible errors or intentional criminal acts in advance; at least, the system should be able to detect them downstream.
Who needs an ICS?
The German Stock Corporation Act (AktG), in Article 8, requires the management board of a stock corporation (AG) to maintain an Internal Control System (ICS). The same applies to the managing directors of a GmbH (limited liability company); they must provide evidence that an ICS is in place. The ICS must be designed in such a way that it is suited to the company’s business operations as well as its legal, market and other environment. It is important to regularly adapt the ICS to changing conditions and to review its effectiveness and efficiency. Changes to the written requirements must be continuously updated and communicated to employees.
What are the goals of an ICS?
An Internal Control System (ICS) is expected to ensure that business processes are carried out in accordance with self-defined rules and existing legal requirements. Criminal acts or corruption should be prevented, and even attempted misconduct should be detected.
Concrete goals are:
- Compliance with legal requirements and the specified business policy
- Ensuring that business processes are executed correctly
- Reducing process, organizational and IT risks
- Identifying errors in process execution
- Safeguarding business assets and reputation
What are the methods for process modeling?
There are different modeling methods for mapping the process and organizational structure. These include: Process Map (PLK), Process Diagram, Process Flow Diagram / Value Chain Diagram, Supplier-Input-Process-Output-Customer (SIPOC), Business Process Diagram, Swimlane, BPMN 2.0, Event-driven Process Chain (EPC), Organizational Chart, Target Diagram.
The methods capture and document organizational structures and internal company processes. In a process model, the process map is the top level; at further levels, processes are represented in increasing detail.
How are process and quality management related?
For effective quality management, it is essential to document processes, to continuously monitor them, and to implement improvements to the extent needed. Only when it is clear how processes are designed can irregularities in process flow and process execution be detected, and deviations from the defined target state, which is meant to produce the desired quality of results, be identified. Accordingly, it is important that the specification documentation – instructions, manuals, forms, etc. – is integrated into processes and that risks, controls and measures are documented in a process-oriented and traceable manner. The latter is required by the ISO 9001 standard and its industry-specific variants.
What is meant by "quality oversight"?
“Quality oversight” refers to the continuous and systematic observation of all GxP-relevant processes in a company by the corporate unit responsible for quality management. The corresponding activities are related to the overriding concern of ensuring the quality and safety of medical devices. Effective “Quality Oversight” relies on detailed and comprehensive documentation of relevant processes; it requires access to data from process execution. On this basis, critical developments and incidents can be identified and analyzed; appropriate measures can be initiated to eliminate deficiencies or to minimize risks.
What is an ISMS?
ISMS stands for Information Security Management System. An ISMS defines methods and rules to ensure information security in an organization or company. Based on the current threat situation, it identifies risks in relation to assets. Assets are not only IT components, but also the building infrastructure, business processes, employees, intellectual property, and other data worth protecting. Suitable technical and organizational measures are intended to reduce risks with regard to both the likelihood of their occurrence and the expected extent of damage. This is a continuous monitoring and follow-up process.
What is the goal of an ISMS?
The goal of an ISMS, essentially, is to continuously improve the information security of an organization.
Concrete goals are:
- Creation of an overall awareness for information security in the organization
- Identification of assets to be protected
- Identification and assessment of information security risks
- Definition and implementation of suitable protective measures
- Establishment of processes for continuous improvement of information security
Do I need an ISMS?
So far, only companies that are part of what is called Critical Infrastructure (CRITIS) are required to implement an Information Security Management System (ISMS). This holds, for example, for companies in sectors such as energy and water supply, transport and traffic, medical care, government administration – i.e., companies and organizations that ensure the supply of such services and other indispensable goods.
In times of constantly growing threats from cybercrime, hacker attacks and data theft, however, all companies and organizations are advised to address information security. Through a structured approach to introducing an ISMS, security gaps can be identified and closed through appropriate measures. In many B2B business relationships, business partners are expected to have a functioning ISMS in place.
You have questions?
Our experts are at your disposal! Simply fill out the form – we will help you as soon as possible!
Your information package
Get an impression of this and other products or read what insights we have gained from research and development. Take advantage of our exclusive content such as white papers or study results on the digitization of quality and compliance processes. Put together your desired media easily and conveniently.