Thanks Alessandra - much appreciated. :)
Let us consider two main barriers to implementing the standard: a technical barrier and an organizational barrier.
Technical barriers are less frequent and derive from what is needed to close gaps in terms of compliance obligations and significant environmental aspects. Typical issues are lack of technical expertise, high capital costs, and sunk costs associated with the current operations.
Organizational barriers are more frequent and include things like lack of top management leadership and commitment, lack of communication, and people's attitudes.
You can find more information below:
The article mentioned lists the mandatory documents and records. To proceed I recommend starting with clause 6 of ISO 14001:2015.
From there you can determine where your organization's priorities should be in order to improve its relationship with the environment. These are the foundations on which an EMS is structured and implemented.
Please check this information below about implementation:
If acceptance is in a contract, you will need to store the contract with the customer acceptance (even electronically). One example is contracts with mobile phone operators: you can buy a SIM card in the shop and sign a contract, purchase one online and consent by electronic means (the website will store the client clicking on the checkbox of consent on the Privacy notice), or even orally when you make a new contract with the call center operator. They ask you to say that you agree with data processing under their privacy notice, they record the conversation and store it on their servers linked to the client's number.
Here you can find more information on consent.
If you need to understand how to process consent under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
1) We are an OEM company, so one product will be sold to a few customers. a) The market region might differ according to customers. So how should I put this into the design input, as it also covers the market region? Example: the product is designed for customer A for the US market. After a few years customer B would like to purchase the same product but for the Australian market. Should we just revise the design input or record it as a design change? Need your comment.
Since this is a change in the input data, the best way would be to treat the market change as a design change. Any change to an existing approved document is considered a change to the document. In the design and development process there are two types of changes: changes in design and changes in the process. A design change is an alteration of the device's design basis. The incentive for a design change is often field or other quality problems. Process changes alter process management methods but are not intended to change the design; however, a design change can force changes in the process. Your market change is a design change.
For more information, see:
2. Can you elaborate further on ISO 13485 clause 7.3.3 Design Inputs, which states "Requirements shall be complete, unambiguous, able to be verified or validated, and not conflict with each other"? How can we verify these?
The main point here is to check whether your design inputs are written well enough. The key is to avoid being overly broad. Think narrowly instead. When you define your inputs, think in advance whether those inputs can be verified or validated, and whether there are any tests that can prove those input data. So, for some input data it will be possible to verify, but for some not. For example, the market data that you mentioned in the previous question cannot be verified or validated. But if as input data you defined some physical characteristics, then you can definitely have some tests with which you will prove them.
1. When we made the Risk Assessment initially, a couple of months ago, we had some servers in one of the locations which had high risk levels. Now we've moved them to the cloud and don't have those risks anymore. Should we now perform the Risk Assessment again?
ISO 27001 requires a risk assessment to be performed at planned intervals, or when significant changes are proposed or occur, and normally a server change can be characterized as a significant change, so you must perform the risk assessment again.
But please note that moving servers to the cloud may not mean that all related risks are eliminated. Some of them may have been only transferred. For example, if your servers are in a service provider's cloud, the physical risks are now with the provider (e.g., the physical servers hosting your virtual server can fail), and to handle this risk you must ensure the existence of proper security clauses in the contract or service agreement with the provider.
For further information, see:
2. If yes, should the previous version be saved as well?
ISO 27001 requires the results of the risk assessment to be kept, so the previous version of the risk assessment must be kept.
This article will provide you a further explanation about record management:
These materials will also help you regarding record management:
Thank you very much for clarifying my doubts about the updates to the ISO 27001 standard. Kind regards.
No, based on ISO 9001:2015 the mandatory documents and records do not include clause 6.2.2. Please check this article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/ .
However, as an auditor you can ask:
The following material will provide you more information:
It depends on the data involved in your activity. Does your start-up deal with health data (maybe developing a health tracking app for mobile)? Does it monitor consumers' behavior for marketing purposes? Is it processing children's data because it develops video games? In all these cases the time to achieve GDPR compliance can be longer than if your start-up processes only the personal data of staff, clients, and providers, for example because it works on AI solutions with anonymized data or it is an animation studio. It can take from 3 to 6 months to reach GDPR compliance, but it depends on the budget, time, and resources (intended as staff) available. In case the data processing involves sensitive data on a large scale or a transfer of data outside the EU, it may take more time because a Data Protection Impact Assessment and safeguards for the transfer of data need to be considered and implemented.
Our Toolkit helps controllers to implement GDPR requirements with the assistance of our expert team.
EU GDPR Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/
Here you can find more information on how to start becoming compliant with GDPR:
If you need to understand how to comply with GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
Maintaining a quality system is a day-to-day business. Every quality system has some kind of records that are proof of some work done. For example, if you need to procure something (raw materials, equipment) you have a purchase order and communication with the supplier. Then, when those goods arrive at your company you have an invoice, a receipt at the warehouse, a check to see whether the goods that arrived are in line with what was ordered, and the like. All of this is evidence that some work has been done, and these are also elements of the quality system.
If there are omissions (non-conformities) related to daily work, it is necessary to record such omissions and resolve them. Therefore, there are records of non-conformities, on the basis of which it is necessary to initiate corrective or preventive actions. This is also a day-to-day business.
As far as audits are concerned, an internal audit usually takes place once a year. When that happens will depend on your business. This can be at the end of one year, or at the beginning of another year, before submitting the final accounts and the like, whichever suits you. Management review is also conducted mostly once a year and most often after an internal audit is conducted.
So the maintenance of the quality system takes place throughout the year.
The following articles can be helpful: