There are several points to note regarding the requirements. Firstly, irrespective of whether the testing is reported as a pass/fail result or not, all laboratories must identify contributions to the measurement of uncertainty (MU). Secondly, a distinction is made between identifying contributions and evaluating measurement uncertainty, which involves quantifying the MU. The standard states in a note that when a well-recognized test method is used (i.e. standard methods) and controls are in place to limit the major sources of uncertainty, then the laboratory need not evaluate measurement uncertainty. This applies to both qualitative and quantitative results. Bear in mind that even if a result is reported qualitatively, for example, a positive or negative for a diagnostic test, it is still necessary to identify contributions to uncertainty to ensure that they are being controlled sufficiently. Typically a laboratory will state that a standard method is being used and performance parameters are met (verified); therefore, measurement of uncertainty wasn't fully evaluated. However, they need to list the major contributions to uncertainty, such as temperature affecting the volume of solutions in volumetric glassware and the uncertainty of calibrated mass balances. These controls can be considered as measures to minimise risk as part of addressing the risk that results may not be fit for purpose.
If the test involves a measurement rather than an observation, and the method is not a validated standard method, the measurement of uncertainty must be fully evaluated.
For more information, see a previous response to Measurement uncertainty in chemical process at https://community.advisera.com/topic/measurement-uncertainty-in-chemical-process/ and Calculating uncertainty at https://community.advisera.com/topic/calculating-uncertainty/
Do we have to perform a DPIA for all our processing activities, or only for some of them? If only for some of them, what are the criteria to distinguish for which activities to perform the DPIA? Is this covered in some of the documents in your GDPR Toolkit?
You have to perform a DPIA for all processing activities falling under art. 35 par. 3 GDPR, which are:
a) profiling or tracking activities
b) processing of particular categories of personal data falling under Article 9 GDPR
c) video surveillance on a publicly accessible area on a large scale.
In our toolkit, you can find the template of our
If we have a data breach, do we have to report each data breach to the supervisory authority? If not, what are the criteria to distinguish between the breaches we need and do not need to report? Is this covered in some of the documents in your GDPR Toolkit?
You need to report any data breach unless it is unlikely to result in a risk to the rights and freedoms of data subjects. Risks include fraud, identity theft, unauthorized access, monitoring, financial loss, or cases where sensitive data are involved. When a data breach occurs, you need to assess the level of risk and then determine whether there is a need to report to the national Data Protection Authority or not. You should keep a register of data breaches.
Our white paper on assessing the severity of personal data breaches according to GDPR can help you in the process: https://info.advisera.com/eugdpracademy/free-download/assessing-the-severity-of-personal-data-breaches-according-to-gdpr
Here you can find more information about Data Protection Impact Assessment and Data breach:
5 phases of the EU GDPR Data Protection Impact Assessment https://advisera.com/eugdpracademy/knowledgebase/5-phases-of-the-eu-gdpr-data-protection-impact-assessment/
5 steps to handle a data breach according to GDPR https://advisera.com/eugdpracademy/knowledgebase/5-steps-to-handle-a-data-breach-according-to-gdpr/
If you need to understand how to implement EU GDPR in your organization, you may consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/
Question 1: Some of the links pointed to in the comments are no longer available; is there an update?
First of all, sorry for this situation.
Please provide information about the links with missing materials and we will send you the correct ones.
Question 2: Some documents mention “[position]”; I would like to know the most advisable way to change this variable. Should it be an existing position, even if that position covers several functions, or a position to be created but which will temporarily be occupied by the same person?
First of all, it is important to note that both approaches are acceptable to fulfill the standard’s requirements. The suggested approach is to use the position that will be responsible for the activity in the long term, regardless of the person designated for it. This way, you will minimize the need to update the document when the responsible position changes.
Comments included in each [position] suggest which job titles you might use. Also, included in the toolkit, you have access to video tutorials that show how these positions can be filled in for some documents.
For more information, see:
- How to document roles and responsibilities according to ISO 27001 (Portuguese version) https://advisera.com/27001academy/pt-br/blog/2016/06/22/como-documentar-papeis-e-responsabilidades-de-acordo-com-a-iso-27001/
Question 3: How can I find out which laws are mandatory for my company/situation?
For this situation, our recommendation is that you seek local legal advice.
As a starting point, you can use the information at this link:
- Laws and regulations on information security and business continuity https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
Question 1: Some of the links pointed out in the comments are no longer available; is there an update?
Answer: First of all, sorry for this situation.
Please provide information about the missing links and we will send you the correct ones.
Question 2: Some documents mention “[position]”; I would like to know what is the most advisable way to change this variable. Should it be an existing position, even if that position covers several functions, or a position to be created but which will temporarily be occupied by the same person?
Answer: First, it is important to note that both approaches are acceptable to fulfill the standard’s requirements. The suggested approach is to use the position that will be responsible for the activity in the long term, regardless of the person that will be designated for it. This way you will minimize the need to update the document to change the responsible position.
Comments for each [position] suggest which job titles you might use. Also, included in the toolkit, you have access to video tutorials which show how these positions could be filled out for some documents.
For further information, see:
- How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
Question 3: How can I find out which laws are mandatory for my company/situation?
Answer: For this situation, our recommendation is for you to look for local legal advice.
As a starting point, you can use the information in this link:
- Laws and regulations on information security and business continuity https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
1 - As you mentioned during the meeting, the following documents should be considered as next-level projects since they are not needed for our company. Am I correct in that assumption?
04.2_Cloud_Security_Policy_Cloud_EN.docx
04.3_Policy_for_Data_Privacy_in_the_Cloud_Cloud_EN.docx
If you want to be compliant with ISO 27001 only, and not with ISO 27017 and ISO 27018, the 2 documents you mentioned are not needed; also in the Statement of Applicability, you need to take into account only the 114 controls that are related to ISO 27001.
2 - Furthermore, I would appreciate it if you could see the attached and tell me which step you mentioned is not applicable to us? (If any)
Please note that to implement ISO 27001 you will have to go through all the folders listed in the toolkit. By consulting the List of Documents file that comes with your toolkit, you will identify which documents need to be implemented to fulfill the standard's requirements (e.g., Information Security Policy, SoA, etc.), and those that are recommended to be implemented because they are considered good practice (e.g., Procedure for Corrective Action).
Yes, I agree with this approach. The point here is that you need to prove that you have a system in place, and that system is applicable for any type of medical device or component.
“Do you have a white paper or any documented evidence that will support the case of those requirements relating to ISO auditing that you can share - especially ALL clauses and over what time span?"
Answer:
The requirement about auditing all clauses every year is not in ISO 9001 but in the contract that you sign with the certification body, as one of the commitments required. The same applies to at least one management review per year.
“the internal auditing process needs to be audited by a qualified person independent of the activity”
Answer:
Any function relevant to the quality management system must be performed by a competent person. It is up to each organization to determine internal auditor competence requirements. About independence, please check ISO 9000:2015 definition 3.13.1 where one can read that an audit is “systematic, independent and documented process”. That is why auditors should not audit their own work.
The following material will provide you more information:
A certification body is an independent third-party organization that will audit your management system for the purposes of “certifying” that your QMS meets all of the requirements of a standard, such as AS9100 (however, any management system can be certified). Certification bodies differ around the world, and are accredited by what is called an accreditation body who will ensure that they are following appropriate management system audit processes.
As I can’t really tell you for your location in the world who to choose, I would suggest searching for what your national accreditation body is; then, on their website, they will have a listing of the certification bodies that they approve. From here you can determine which ones can certify for AS9100. Then, it is best to interview several certification bodies to find one that is best suited for your particular organization and type of aerospace industry.
When you interview some certification bodies you can use our checklist to make sure that you choose one that will best help your organization. You can find it here: List of questions to ask an AS9100 Rev D certification body, https://info.advisera.com/9100academy/free-download/list-of-questions-to-ask-an-as9100-certification-body
To check whether a company is certified, you can ask it who its certification body is and what its certification number is, so you can verify whether the certification is in good standing.
Regarding the evaluation of its security posture, you can ask for its Statement of Applicability (which contains information about applied controls), and the latest performed certification body’s audit report (which will inform the results of the latest audit performed by the certification body).
Please note that, unless you have a contract with this company ensuring the release of the SoA and audit report, the release of these documents is a decision of the company (in this case, if they decide to release the documents, they probably will require the signing of a Nondisclosure Agreement with your company).
This article will provide you a further explanation about the Statement of Applicability:
I recommend thinking about clause 7.1.6 together with clauses 5.3 and 7.2.
Start with clause 5.3, determine which functions are relevant for your quality management system (QMS). Then, for each function determine its authorities and responsibilities.
Now, go to clause 7.2 (immediately after 7.1.6), and for each relevant function of your QMS determine if there are any competence gaps. How can you determine competence gaps? Before evaluating competence, you must determine what is required in terms of organizational knowledge for each function to perform authorities and responsibilities properly.
So, for the first part of clause 7.1.6, that is how I work: determine the knowledge required to perform a particular relevant function and include that in the job description. For example, if your organization starts onboarding a new employee, what kind of training and experience must be provided to operate competently? For example, that new employee must learn to work with the company’s software, must learn the company’s product codes and references, …
For the second part of clause 7.1.6, I invite you to see this answer that I wrote, which also includes links to articles about this topic - https://community.advisera.com/topic/iso-9001-organizational-knowledge/