Vision

The company has an experienced sales team and an extensive distribution network covering basically all areas in Greece (mainland and islands). Important asset for the company is its human capital, that is always updated and trained, ready willing to reply to each request. Our company retains a fully equipped training center that is used for internal meetings, trainings and workshops.

Since 2011 the company has taken the strategic decision to become a certified manufacturer of surgical sutures. The strategy is to constantly enrich its product portofolio with more cutting-edge products, always in accordance to the growing demands and needs of the market.

Milestone

Quality Policy

The Vision of our company is to be a milestone in Manufacturing, Trading and Distribution of Medical Devices worldwide.

The management and staff of the Company believes in quality of service and products but also in their continuous improvement and commits to the following principles that constitute the company’s quality policy:

• the continued provision of high quality, safe products and services
• ensure the protection of patient health and well-being
• compliance with the rules of Ethical Practice and Conduct
• faithful implementation, continuous improvement and assurance of the suitability and effectiveness of the Integrated Quality Management System in accordance with the International Standards ISO 9001:2015, ISO 13485:2016 and the International Rules of Good Manufacturing and Distribution Practice (GMP and GDP respectively) of medical devices.
• continuous training of staff to ensure a high level of expertise
• compliance with internal quality control and validation procedures for the manufacturing and storage conditions of products
• usage and tight supervision of own and contracted facilities for product and service realization,
• effective maintenance, calibration and / or verification of equipment
• timely customer complaint handling using documented procedures.

These principles are achieved through:

• monitoring of quality indicators and by establishing ever higher aims,
• ongoing assessment of customer satisfaction,
• continuous improvement and assurance of effectiveness,
• ongoing assessment of resources and vendors
• constant vigilance and market surveillance to prevent potential problems

The Company’s management is committed to providing all the necessary resources and tools to implement the quality policy and to ensure the reliability of the Company. The Management of the Company ensures that the integrity of the quality system is maintained and when changes are planned and made to it.

The Company’s management is responsible for implementing the principles of the Quality Policy by Company staff in its entirety. The Quality Manager is responsible for monitoring the implementation and operation of the Quality System and all issues related to Quality. All Company personnel involved in the activities of the company bears the responsibility to be informed of the quality documentation and to implement the Quality Policy and Quality Management System Procedures at work.

The Quality Policy is drafted by the Company’s management and is reviewed periodically.

Information Security Policy

1. Information Security Requirements

A clear definition of the requirements for information security will be agreed and maintained with the business so that all ISMS activity is focused on the fulfilment of those requirements. Statutory, regulatory and contractual requirements will also be documented and input to the planning process. Specific requirements with regard to the security of new or changed systems or services will be captured as part of the design stage of each project.

It is a fundamental principle of the Atlas Medical SA Information Security Management System that the controls implemented are driven by business needs and this will be regularly communicated to all staff through team meetings and briefing documents.

2. Top Management Leadership and Commitment

Commitment to information security extends to senior levels of the organization and will be demonstrated through this ISMS Policy and the provision of appropriate resources to provide and develop the ISMS and associated controls.

Top management will also ensure that a systematic review of performance of the program is conducted on a regular basis to ensure that quality objectives are being met and relevant issues are identified through the audit program and management processes. Management review can take several forms including departmental and other management meetings.

The Information Security Manager shall have overall authority and responsibility for the implementation and management of the Information Security Management System, specifically:

• The identification, documentation, and fulfilment of information security requirements
• Implementation, management, and improvement of risk management processes
• Integration of operational processes, procedures, and controls
• Compliance with statutory, regulatory, and contractual requirements
• Reporting on performance and improvement

3. Framework for Setting Objectives

A regular cycle will be used for the setting of objectives for information security, to coincide with the budget planning cycle. This will ensure that adequate funding is obtained for the improvement activities identified. These objectives will be based upon a clear understanding of the business requirements, informed by the management review process during which the views of relevant interested parties may be obtained.

ISMS objectives will be documented for an agreed time period, together with details of how they will be achieved. These will be evaluated and monitored as part of management reviews to ensure that they remain valid. If amendments are required, these will be managed through the change management process.

In accordance with ISO/IEC 27001:2013 the reference controls detailed in Annex A of the standard will be adopted where appropriate by Atlas Medical SA. These will be reviewed on a regular basis in the light of the outcome from risk assessments and in line with information security risk treatment plans. For details of which Annex A controls have been implemented and which have been excluded please see the Statement of Applicability.

4. Roles and Responsibilities

Within the field of information security, there are several management roles that correspond to the areas defined within the scope set out above. In a larger organization, these roles will often be filled by an individual in each area. In a smaller organization these roles and responsibilities must be allocated between the members of the team.

Within the ISMS the following major roles need to be defined and allocated:

• Information Security Manager
• Information Technology Support
• Information Security Auditor

There are also particular information security responsibilities that must be carried out by existing roles within the organization, and these are also set out in summary within this document.

These roles are:

• IT Users

In general, responsibilities that apply to all employees, contractors and other interested parties are set out within the relevant organizational policies.

It is the responsibility of the Information Security Manager to ensure that employees and contractors understand the roles they are fulfilling and that they have appropriate skills and competence to do so.

5. 5. Specific Role Responsibilities
      1. Information Security Manager

The Information Security Manager is the primary role with a dedicated focus on information security and related issues.

5. 5. 2. Responsibilities

The Information Security Manager has the following responsibilities:

5. 5. • Communicate the information security policy to all relevant interested parties where appropriate
      • Implement the requirements of the information security policy
      • Manage risks associated with access to the service or systems
      • Ensure that security controls are in place and documented
      • Quantify and monitor the types, volumes and impacts of security incidents and malfunctions
      • Define improvement plans and targets for the financial year
      • Monitor achievement against targets
      • Establish and maintain a continual improvement action list
      • Report on improvement activities
      • Identify and manage information security incidents according to a process
      • Attend management review meetings on a regular basis
   6. 3. Authorities

The Information Security Manager has the authority to:

5. 5. • Declare information security incidents
      • Approve limited expenditure on information security-related matters
      • Review the operation of controls within all business areas
   6. 4. Information Technology Support

The Information Technology Support is a technical role involved in the implementation and maintenance of many of the controls used to manage risk.

5. 5. 5. Responsibilities

The Information Technology Support has the following responsibilities:

5. 5. • Ensure that security controls are in place and documented
      • Manage the day-to-day maintenance of controls, including:
      • Access control (user account lifecycle)
      • Testing and implementing security patches
      • Vulnerability scanning
      • Software operation e.g., IDS, IPS, firewalls, DLP
      • System and network hardening
      • Remote access
      • Cryptographic key management
      • Log management
      • Identify and manage information security incidents according to a process
   6. 6. Authorities

The Information Technology Support has the authority to:

5. 5. • Take action to prevent an information security incident from occurring or escalating, where possible
      • Maintain information security records in accordance with defined policies and procedures
   6. 7. Information Security Auditor

The Information Security Auditor fulfils the internal audit requirements of the ISO/IEC 27001 standard and is generally responsible for checking that the ISMS is effectively implemented and maintained.

5. 5. 8. Responsibilities

The Information Security Auditor has the following responsibilities:

5. 5. • Plan, establish, implement and maintain an audit program including the frequency, methods, responsibilities, planning requirements and reporting
      • Define the audit criteria and scope for each audit
      • Conduct internal audits at planned intervals
      • Ensure the audit process is objective and impartial
      • Report the results of audits to relevant management
      • Retain documented information as evidence of the audit program and the audit results
   6. 9. Authorities

The Information Security Auditor has the authority to:

5. 5. • Investigate information security-related procedures and controls in order to assess their suitability and effectiveness
      • Report findings to relevant management
   6. 6. Other Roles with Information Security Responsibilities

There are other roles within the organization which, whilst not solely dedicated to information security, have relevant responsibilities and authorities.

5. 5. 1. IT Users

The responsibilities of IT users are defined in a variety of organization-wide policies, such as the AM-I-014 Internet Acceptable Use Policy and are only summarized in brief below.

5. 5. 2. Responsibilities

An IT user has the following main responsibilities:

5. 5. • Ensure they are aware of and comply with all information security policies of the organization relevant to their business role
      • Report any actual or potential security breaches
      • Contribute to risk assessment where required
   6. 3. Authorities

An IT user has the authority to:

5. 5. • Take action to prevent an information security incident from occurring or escalating, where possible
   6. 7. Continual Improvement of the ISMS

Atlas Medical SA policy with regard to continual improvement is to:

5. 5. • Continually improve the effectiveness of the ISMS
      • Enhance current processes to bring them into line with good practice as defined within ISO/IEC 27001
      • Achieve ISO/IEC 27001 certification and maintain it on an on-going basis
      • Increase the level of proactivity (and the stakeholder perception of proactivity) with regard to information security
      • Make information security processes and controls more measurable in order to provide a sound basis for informed decisions
      • Review relevant metrics on an annual basis to assess whether it is appropriate to change them, based on collected historical data
      • Obtain ideas for improvement via regular meetings with interested parties and document them in a continual improvement plan
      • Review the continual improvement plan at regular management meetings in order to prioritize and assess timescales and benefits

Ideas for improvements may be obtained from any source including employees, customers, suppliers, IT staff, risk assessments and service reports. Once identified they will be added to the continual improvement plan and evaluated by the staff member responsible for continual service improvement.

As part of the evaluation of proposed improvements, the following criteria will be used:

5. 5. • Cost
      • Business Benefit
      • Risk
      • Implementation timescale
      • Resource requirement

If accepted, the improvement proposal will be prioritized to allow more effective planning.

5. 5. 8. Approach to Managing Risk

Risk management will take place at several levels within the ISMS, including:

5. 5. • Management planning – risks to the achievement of information security objectives will be assessed and reviewed on a regular basis
      • Information security and IT service continuity risk assessments
      • Assessment of the risk of changes via the change management process
      • As part of major projects to achieve business change g.new computer systems

High level risk assessments will be reviewed on an annual basis or upon significant change to the business or service provision.

A risk assessment process will be used which is line with the requirements and recommendations of ISO/IEC 27001, the International Standard for Information Security. This is documented in Risk Assessment and Treatment Process.

From this analysis, a risk assessment report will be generated followed by a risk treatment plan in which appropriate controls will be selected from the reference list in Annex A of the ISO/IEC 27001 standard, together with any additional controls thought to be necessary.

5. 5. 9. Human Resources

Atlas Medical SA will ensure that all staff involved in information security are competent based on appropriate education, training, skills and experience.

The skills required will be determined and reviewed on a regular basis together with an assessment of existing skill levels within Atlas Medical SA. Training needs will be identified, and a plan maintained to ensure that the necessary competencies are in place.

Training, education and other relevant records will be kept by the HR Department to document individual skill levels attained.

5. 5. 10. Auditing and Review

Once in place, it is vital that regular reviews take place of how well information security processes and procedures are being adhered to. This will happen at three levels:

5. 5. 1. Structured regular management review of conformity to policies and procedures
      2. Internal audit reviews against the ISO/IEC 27001 standard by the Atlas Medical SA Quality Team
      3. External audit against the standard by a Registered Certification Body (RCB) in order to gain and maintain certification

Details of how internal audits will be carried out can be found in Procedure for ISMS Audits.

5. 5. 1. Documentation Structure and Policy

All information security policies and plans must be documented. Details of documentation conventions and standards are given in the Procedure for the Control of Documented Information.

A number of core documents will be maintained as part of the ISMS. They are uniquely numbered, and the current versions are tracked in the ISMS Documentation Log.

5. 5. 11. Control of Records

The keeping of records is a fundamental part of the ISMS. Records are key information resources and represent evidence that processes are being carried out effectively.

The controls in place to manage records are defined in the document Procedure for the Control of Documented Information.