  • Implementing GDPR rules in company without DPO

    You can implement GDPR rules by yourself. Start by preparing a project plan for GDPR implementation and conduct a readiness assessment in order to verify what you need. Then adopt policies and top-level documentation, prepare the Inventory of Processing Activities and define how personal data are to be processed. You need to prepare information for data subjects (employees, customers, and suppliers), so implement the appropriate privacy notice for your website or contracts and verify whether you need consent as a legal basis.

    You should also implement a policy on how to manage data subject rights and increase awareness of data protection and data subject rights among your employees. You should check whether there is any transfer of data outside the EU and whether it is covered by an appropriate legal basis. Then verify security measures and implement a policy for the case of a data breach.

    Here you can find more information on how to implement EU GDPR:

    This EU GDPR Documentation Toolkit will provide you with clear steps and all the required documents to become compliant with GDPR: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/

    Here you can find more information on how to start implementing EU GDPR rules:

    If you want to learn how to implement the EU GDPR you may consider enrolling in our free training EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course//

  • QM where it mentions the requirements of cl. 4.1.1, 4.1.2, 4.1.3, 4.1.4 separately

    The Quality Manual serves as the core of the QMS, documenting a description of the organization’s structure and stating how the requirements for impartiality and confidentiality, along with the requirements for structure, resources, processes and management, are met. Remember, if you were implementing without a toolkit, you would document what you do, then look at the standard and fix the gaps. It is not advisable to implement by a copy approach from the standard, where, for example, the standard states “The lab shall...” and the laboratory simply states “We do...”. The approach taken with the Toolkit is not to document each subclause in the Quality Manual; otherwise, a laboratory might as well just extract the information straight from the Standard. It is a more effective approach to look at each activity/requirement of ISO 17025, for example Impartiality, review each subclause (e.g., clauses 4.1.1 to 4.1.5) and state how these are met. Of course, if you prefer to structure the manual so that it is directly linked to each subclause, that is your choice.

    The manual does in fact cover all the subclauses 4.1.1 to 4.1.5. In some sentences the stated process covers more than one subclause, which is a reason for not just listing each subclause. For example, for a sentence you can see in the preview, “[Job title] ensures that laboratory personnel are free from pressures both internal and external that may compromise the results of their work”, the toolkit indicates this is typically the Quality Manager; so this statement covers both subclause 4.1.1 (activities to be structured and managed to ensure impartiality) and subclause 4.1.2 (management must be committed to impartiality).

    My suggestion is that when you go over the toolkit Quality Manual and your procedures, you review where you cover the requirements. This is an important part of awareness. If you prefer, you can indicate the subclauses in brackets after each section.

    For more information on what is required for ISO 17025 impartiality, read the whitepaper Clause-by-clause explanation of ISO 17025:2017, section 4.1, available for download from https://advisera.com/17025academy/free-downloads/ and preview the toolkit further at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

  • Why ISO 13485 didn't implement changes and format of ISO 9001:2015 edition?

    Until the introduction of the high-level structure in 2015, ISO 9001:2008 and ISO 13485:2003 were very similar standards.

    Unfortunately, corrections to ISO 13485:2003 took too long. It was decided that the new version of ISO 13485 would be released in 2016, although it relies on ISO 9001:2008. So when ISO 9001:2015 was finally released with the new structure, ISO 13485:2016 was also already ready for release with the ISO 9001:2008 structure. The ISO organization then decided to release ISO 13485 with the old structure.

    For more information on similarities between ISO 9001 and ISO 13485, see the following article:

    • Similarities and differences between ISO 9001:2015 and ISO 13485:2016 https://advisera.com/9001academy/blog/2015/01/21/iso-9001-vs-iso-13485/

    • ISO 9001 top management

      According to ISO 9000:2015, the vocabulary standard, top management is a person or a group of persons that manage and control the organization at the highest level. Top management is the source of authority and resources.

      You can find more information below:

    • Implementation questions

      1. How does one determine an organization has enough employees to do the work? What sort of things need to be looked at, to ensure a company is adequately staffed?

      The first step is to create an organizational chart that clearly defines every job function required to effectively operate your company. The next step is to define your processes, to see what the expectations (key performance indicators, goals) are for certain processes and how many people can fulfill those expectations. To define key performance indicators, you need to know your processes very well: what the risks in them are and how you deal with those risks (what control measures you have implemented to control them); you need to understand your technology and equipment, what resources are necessary, and so on.

      The following articles can be helpful:

      2. What sort of things can we do to determine training effectiveness? At the initial training we can have on-the-job training, or someone observes you and signs you off on a particular task, but after that, what are some industry-standard practices?

      Usually, training effectiveness depends on the type of training performed. Here are some examples (but of course not all):

      - A test or quiz after the training
      - Supervision of some work (the employee who had the training performs that work under the supervision of a mentor)
      - The internal audit is a good place to check whether the employee is taking the necessary steps to perform a job
      - Transferring knowledge further to other employees is also one way. For example, management has conducted training for department heads, and then these department heads must transfer the knowledge to the employees in their departments.

      Just keep in mind two things. It is important to determine the training objectives before the training: what you want to accomplish with it and what kind of knowledge the training participants are expected to receive. The next thing is that for most training it is not possible to conduct an effectiveness assessment immediately; it takes some time for the acquired knowledge to be adopted and implemented. How much time is needed for this depends solely on each training, so you cannot say that you will always carry out an evaluation of effectiveness, for example, 3 months after the training.

      For more reading, see the following articles:

      3. Also, if my company has an Asset Management, Gowning SOP, Environmental Monitoring and Pest Control procedure that cover the different points in your toolkit example for the Infrastructure and Work Environment procedure, will that be good enough, or does the information need to live in one document titled “Infrastructure and Work Environment”?

      No, it is not necessary for it to be in a document titled “Infrastructure and Work Environment”. It is absolutely OK to have your own procedures. Just be sure that all requirements of the ISO 13485 standard are fulfilled.

    • ISO 27001 certifying firm

      The first step in becoming a certification body is to identify the accreditation body in your country and become familiar with the requirements and the accreditation process (the core elements are based on the requirements of ISO/IEC 17021-1 and IAF Mandatory Documents, but other elements may vary according to the accreditation body).

      ISO/IEC 17021-1 and IAF Mandatory Documents do not require an organization to be certified against the standard it wants to certify, but this may be a requirement of the accreditation body, so you should consult it.

      Regarding costs and fees, these vary according to accreditation bodies and the certification scheme you want to adopt. You should contact your chosen accreditation body for detailed information.

      For further information, see:

    • Contradiction in reading material

      First of all, thanks for the feedback.

      Please note that this article was written according to the old 2005 revision of ISO 27001, and for this version the Corrective Action Procedure was mandatory. In the current 2013 version of ISO 27001 the Corrective Action Procedure is not mandatory. We apologize for this confusion and will work ASAP to update the article.

      In the ISO world, mandatory requirements/documents are related to the words “must” or “shall”, while non-mandatory requirements/documents are related to the words “may” or “should”. Documents and records mandatory to fulfill clauses from the main sections of the standard (sections 4 to 10) are:
      - Scope of the ISMS (clause 4.3)
      - Information security policy and objectives (clauses 5.2 and 6.2)
      - Risk assessment and risk treatment methodology (clause 6.1.2)
      - Statement of Applicability (clause 6.1.3 d)
      - Risk treatment plan (clauses 6.1.3 e and 6.2)
      - Risk assessment report (clause 8.2)
      - Records of training, skills, experience and qualifications (clause 7.2)
      - Monitoring and measurement results (clause 9.1)
      - Internal audit program (clause 9.2)
      - Results of internal audits (clause 9.2)
      - Results of the management review (clause 9.3)
      - Results of corrective actions (clause 10.1)

      Regarding the Corrective Action Procedure, it is documented in most cases because it is considered a good practice (it helps new employees to understand faster and easier how to handle corrective actions).

      These articles can be helpful for you:
      - Explanation of the basic terminology in ISO standards https://advisera.com/27001academy/blog/2015/01/12/explanation-of-the-basic-terminology-in-iso-standards/
      - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
      - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
      - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/

    • ISO 9001 Risk and Opportunities

      Risks and opportunities (R&O) can be about:

      • Context and interested parties
      • Products and services
      • Processes

      R&O about products, services, and processes can be related to process performance indicators and other indicators like customer complaints, customer satisfaction, and returns. These indicators illustrate how well R&O were determined and whether effective actions were taken.

      R&O about context and interested parties are more about trends in the external environment that can help or hinder performance. For example, in this picture from our webinar about Clause 4:

      https://www.screencast.com/users/ccruz5284/folders/Default/media/6d41177e-6bb8-40f7-b18d-a7c297fb9baa

      You can see how internal and external contexts collide with an interested party's expectation to raise risk.

      Consider also the following information:

    • ISO 27001 Certification

      1. What is the frequency of auditing of the certification after an organization is certified?

      Normally, certification bodies establish a one-year interval between surveillance audits, but in specific cases, this interval can be shorter.

      When surveillance audits are annual, in year 3 only the recertification audit is needed.

      2. Is there a difference in the depth of auditing controls between the initial certification audit and the successive audits?

      The difference is related to control coverage (the depth of the audit is generally the same). Only during certification audits must all controls in the SoA be audited. During each surveillance audit, the auditor can cover only part of the controls, provided that all controls are audited during the certification cycle (e.g., if you have 3 surveillance audits between certification audits, all controls must be audited at least once in these three audits).

      This article will provide you a further explanation about surveillance audits:

      This material will also help: 

    • Incident Response Plan Policy

      Advisera's ISO 27001 Documentation Toolkit does not have an Incident Response Plan Policy, nor is there a separate template, for the following reasons:

      1. ISO 27001 does not require an Incident Response Plan Policy to be documented
      2. If the toolkit had a document for each control, there would be too many documents, and this would be an overkill for smaller and mid-size companies.

      Since our target is SMEs, we have decided to include an optimal number of documents for companies of this size. The toolkit includes:

      • All the mandatory documents - e.g., Information Security Policy, Statement of Applicability, Risk Assessment Methodology, Access Control Policy, etc.
      • Documents that are not mandatory, but are commonly used - e.g., BYOD Policy, Classification Policy, Password Policy, Backup Policy, etc.

      If you identify that your organization needs an Incident Response Plan Policy, as part of your toolkit you can schedule a meeting with one of our experts so they can support you in developing the required documentation using the blank template included in the toolkit (you can also ask any additional questions you have by e-mail).

      To schedule a meeting, use this link: https://advisera.com/27001academy/consultation/
