Search results


  • Application of GDPR to emailed CVs

    During the retention period, you can store the unsolicited CV; you don't need explicit consent because the legal basis is the taking of pre-contractual measures at the request of the data subject (Article 6 par. 1 lett. b) GDPR). You need to state in the privacy notice that personal data in CVs will be processed for the purpose of selecting candidates for a job application and that they will be stored for 6 months.

    Here you can find the legal basis in the EU GDPR:

    • Article 6 GDPR https://advisera.com/eugdpracademy/gdpr/lawfulness-of-processing/ 

    • How to address the new standard requirement

      In ISO 45001 the previous requirements for identifying hazards and risks are not drastically changed from the OHSAS 18001 requirements, but these previous requirements only address the hazards and the OH&S risks defined in the ISO 45001 clause 6.1 requirements. Along with what is already in place from OHSAS 18001, you also need to identify other risks as well as OH&S opportunities and other opportunities. While it is possible to document these in the HIRA document you already use, it is not required to do so, and in many cases you may not want to, especially if the HIRA document is mandated by legal requirements.

      So while it might be good to include the OH&S opportunities along with the HIRA document (maybe a new column) as these are related to the hazards, you may want to include the other risks and opportunities of the OHSMS along with other strategic planning risks and opportunities of the company. How they are documented is not dictated in the standard.


      You can read a simplified explanation of the new requirements for hazards, risks & opportunities, and how this requirement works, in the article: The basics of ISO 45001 hazards, risks, and opportunities, https://advisera.com/45001academy/blog/2021/02/22/the-basics-of-iso-45001-hazards-risks-and-opportunities/

    • Lead Auditor / Lead Implementer

      1. If someone enrolls for ISO 27001 Lead Auditor/Lead Implementer training at an ISO accredited training provider and passes the exam, will he/she/they automatically be eligible to include ISO 27001 Lead Auditor/Lead Implementer at the end of his/her/their complete name?

      Attending the course and passing the exam is not sufficient to be eligible to use the credentials of Lead Auditor / Lead Implementer, because professional and audit/implementing experience may be required. The specific requirements to obtain the qualification vary depending on the organization issuing the certificate.

      2. Related to question #1, how can someone else's ISO 27001 Lead Auditor/Lead Implementer certification be verified? Is there any URL to validate it?

      The organization issuing the certification must maintain an available record of its certified members, so you only need to ask the person for his/her certification register and the issuing organization, so that you can check the validity of the credential.

      These articles will provide you with a further explanation:

      These materials will also help you regarding personal certifications:

    • Conformio questions

      1. Can I treat the Project Plan as a statement of intention? If we do not meet the deadlines we have set in the Project Plan, would this be a problem during certification?

      Answer: The purpose of the project plan is to clearly define several elements (e.g., the objective of the project, documents to be written, deadlines, roles and responsibilities, etc.), so yes, the project plan can be used as a statement of intention. On a general level, the top-level objectives are also a statement of intention.

      ISO 27001 does not require a project plan to be documented (it is a supporting document for the implementation, not for the ISMS itself), so if you do not meet the initial deadlines this will not be a problem during the certification (the project plan can always be updated to reflect the real progress of the implementation).

      For further information, see:
      - ISO 27001 project – How to make it work https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/
      - How to use Scrum for the ISO 27001 implementation project https://advisera.com/27001academy/blog/2017/03/27/how-to-use-scrum-for-the-iso-27001-implementation-project/

      2. At the end of each document in the wizard, there is a set review cycle of 6 months or 12 months depending on the document. Why is this set in such a way and could I change it?

      Answer: 6 months and 12 months are the most frequent review periods adopted by organizations. ISO 27001 does not prescribe a document review period, so organizations can define one that fits their needs.

      You can change the review period according to your needs by adjusting the document review period field in the document properties tab when you are creating it.

      For further information, see:
      - How to manage documents according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2021/06/27/how-to-manage-documents-according-to-iso-27001-and-iso-22301/


    • ISO 9001 8.3 in a fertility clinic setting

      Yes, that is my understanding of the situation.

    • Consequences and Costs of not abiding waste management

      What are the details of the possible consequences and cost implications of employers and employees not abiding by legislation and regulations with regard to waste management?

    • Interested Parties

      What follows is a list of potential interested parties. Annex A.3 of ISO 9001:2015, last paragraph, states that only the organization has the authority to determine who the relevant interested parties are.

      You may consider:

      • Client (payer)
      • Client (users)
      • Regulators
      • Programmers (as suppliers or as employees)
      • Influencers 

      Please, check this free webinar on-demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar/ - where I present examples of different interested parties and their requirements and expectations.

      You can find more information below


    • DevOps

      In this case, you only need to include in the asset register the outsourcing organization as a service provider.

      Risks related to the outsourcing organization (e.g., risks related to the hardware/software they use) can be handled through the supplier security policy.

      These articles will provide you with a further explanation of the asset register and supplier security:

    • Mandatory documents for SaMD to develop QMS

      You do not need any sterilization documents, of course. Considering installation, if it is done by the user without any record of it, then you also do not need an installation procedure and documents.

      In your case, the service procedure will cover solving bugs and similar problems.

      All other documentation is necessary for you, but you need to adjust it to your process. For example, you need a Production and service procedure because there you will describe how you will program your software, who is involved in it, what kind of tests you will do, how you will solve bugs, and so on.

      You also need a Purchasing procedure because you need to define specifications for the programs used for software development and for licenses. Also, if you use a cloud service or have a server at your premises, then you need to order some specific elements for the server.

      You need a warehouse procedure if you use computers, motherboards, other hardware, and so on. If you use a server room, then the server must be kept in an appropriate environment (temperature and humidity). In that case, you need to monitor the temperature and humidity in that room.

    • Ang release of Product

      There is no direct requirement for the release of the product. There is only the following requirement in clause 7.5.8 Identification:

      "The organization shall identify product status with respect to monitoring and measurement requirements through product realization. Identification of product status shall be maintained throughout production, storage, installation, and servicing of the product to ensure that only product that has passed the required inspections and test or released under an authorized concession is dispatched, used, or installed."

      So it is stated here that the release of the product must be controlled, but who will do that is up to the manufacturer.
