Search results

ISO 14001 action plan for each objective

No, just based on ISO 9001:2015 the mandatory documents and records do not include clause 6.2.2. Please check this article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/ .

However, as an auditor you can ask:

• What is the plan to achieve an objective?
• Is the plan being implemented?
• And request a mandatory record about monitoring the actual performance. Please check clause 9.3.2 c)2) and clause 9.1.1 (How do you measure QMS effectiveness? By the ability to achieve quality results. See the last paragraph of 9.1.1)

The following material will provide you more information:

• Article - How to define Key performance indicators for a QMS based ISO 9001: https://advisera.com/9001academy/24/define-key-performance-indicators-qms-based-iso-9001/-iso-9001/
• Article - How to write good quality objectives: https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
   

GDPR compliance

It depends on the data involved in your activity. If your start-up deals with health data (maybe developing a tracking health app for mobile)? Does it monitor consumer’s behavior for marketing purposes? Is it processing children’s data because develops videogames? In all these cases time to achieve GDPR compliance can be longer than if your start-up processes only personal data of staff, clients, and providers for example because it works on AI solutions with anonymized data or it is an animation studio.It can take from 3 to 6 months to reach GDPR compliance, but it depends on budget, time, and resources (intended as staff) available. In case the data processing involves a large scale of sensitive data or a transfer of data outside the EU, it may take more time because of the Data Protection Impact Assessment and safeguards for the transfer of data need to be considered and implemented.

Our Toolkit helps controller to implement GDPR requirements with the assistance of our expert team. 

EU GDPR Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/

Here you can find more information for starting to be compliant with GDPR

• 9 steps for implementing GDPR https://advisera.com/articles/9-steps-for-implementing-gdpr/
• A summary of 10 key GDPR requirements https://advisera.com/eugdpracademy/knowledgebase/a-summary-of-10-key-gdpr-requirements/
• List of mandatory documents required by EU GDPR https://advisera.com/articles/list-of-mandatory-documents-required-by-eu-gdpr/
• 3 steps for data transfers according to GDPR https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/

If you need to understand how to comply with GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

Maintaining ISO 13485 certification

Maintaining a quality system is a day-to-day business. Every quality system has some kind of records that are proof of some work done. For example, if you need to procure something (raw materials, equipment) you have a purchase order, communication with the supplier. Then, when those goods arrive at your company you have an invoice, a receipt at the warehouse, a check to see if the goods that arrived are in line with what was ordered and the like. All of this is evidence that some work has been done, but so are the elements of the quality system.

If there are (non-conformities) omissions related to daily work, it is necessary to record such omissions and resolve them. Therefore, there are records of non-compliance, on the basis of which it is necessary to initiate corrective or preventive actions. This is also a day-to-day business.

As far as audits are concerned, an internal audit usually takes place once a year. When that will depend on your business. This can be at the end of one year, or at the beginning of another year, before submitting the final accounts and the like, whichever suits you. Management review is also conducted mostly once a year and is most often after an internal audit is conducted. 

So the maintenance of the quality system takes place throughout the year. 

The following articles can be helpful:

• How to perform management review according to ISO 13485 https://advisera.com/13485academy/blog/2017/11/09/how-to-perform-management-review-according-to-iso-13485/
• How to fulfill management responsibilities in ISO 13485:2016 https://advisera.com/13485academy/knowledgebase/how-to-fulfill-management-responsibilities-in-iso-13485/
• Five main steps in the ISO 13485:2016 internal audit https://advisera.com/13485academy/knowledgebase/five-main-steps-in-the-iso-134852016-internal-audit/
• How to create a checklist for an ISO 13485 internal audit for your QMS https://advisera.com/13485academy/knowledgebase/how-to-create-a-checklist-for-an-iso-13485-internal-audit-for-your-qms/

• The UK and GDPR commitments.

  The UK adopted the UK GDPR, an internal law that mirrors the EU GDPR with the aim to obtain the status of providing an adequate level of protection for freedoms and rights of individuals.

  It is an annex of the Data Protection Act adopted on December 18th 2020 before Brexit. 

  Here you can find more information on UK GDPR: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/

  And on the website of the UK Government you can find the text with the modification of the EU GDPR adopted ad domestic General Data Protection Regulation (UK GDPR) https://www.gov.uk/government/publications/data-protection-law-eu-exit

  Therefore, if your companies are located in the UK you will need to implement reference to the UK GDPR and the EU GDPR (i.e., in the privacy notice and in internal policies) and if any data transfer with EU happens, you need to indicate the Standard Contractual Clauses as a legal basis because actually UK is considered a third country and there is not an adequacy decision of the EU Commission.

  I can suggest you monitor the Information Commissioner’s Officer (https://ico.co.uk) that is the Surveillance Authority for Data Protection in the UK for any update.

  Here you can find more information about data transfer:

  • 3 steps for data transfers according to GDPR: https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/
  • Standard Contractual Clauses for the Transfer to Processors and Standard Contractual Clauses for the Transfer to Controllers.: https://info.advisera.com/eugdpracademy/free-download/standard-contractual-clauses-annexes
  • Free webinar – How to make personal data transfers to other countries compliant with GDPR: https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/

  If you need to understand how to process personal data in the light of EU GDPR you can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

• Can a process be ISO 17025 certified but the lab where the process was done is not ISO 17025 certified?

  As the accreditation is granted to a laboratory for their management system together with scope of tests, the simple answer is no - a process or test cannot be accredited as a standalone test, without the laboratory accreditation.

  For more information on 17025 requirements, have a look at the Whitepaper Clause-by-clause explanation of ISO 17025:2017 which will assist you with ISO 17025 awareness, available at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/ and the ISO 17025 Toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

• EU-US Privacy Shield

  No, it has been invalidated by the European Court of Justice in July 2020. Since then, data transfer between the EU and the US need to be done under another legal basis, such as Standard Contractual Clauses.

  Here you can find more information about data transfer:

  • 3 steps for data transfers according to GDPR: https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/
  • Standard Contractual Clauses for the Transfer to Processors and Standard Contractual Clauses for the Transfer to Controllers: https://info.advisera.com/eugdpracademy/free-download/standard-contractual-clauses-annexes
  • Free webinar – How to make personal data transfers to other countries compliant with GDPR: https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/

  If you need to understand how to process personal data in the light of EU GDPR you can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

• ISO 9001 Non-conformance justification

  Normally, auditors audit processes or departments, let us call it the physical audit scope. While auditing a process or a department they have to consider the audit criteria, and the audit criteria can be all clauses of the standard and internal procedures applicable within the scope of the audit.

  Let me imagine you are auditing process “Prevent breakdown time” or the Maintenance Department. Now, go to ISO 9001:2015 clause 4.4.1 c) – methods and criteria have to be determined. Then, go to ISO 9001:2015 clause 4.4.2 – organizations are free to design the required documented information structure, they have to comply with the mandatory documents and records of standard, but they can go beyond. Once included in the system’s design those documents and records have to be controlled according to ISO 9001:2015 clause 7.5.1 b).

  In the case of documentation being lacking or incomplete, as long as it is considered part of the QMS, you should raise a nonconformity. However, I think it is not about 7.5.1 b). Think, what is the problem with those records? Bad design? (clause 7.5.2). Lack of control? (clause 7.5.3). People not knowing how to fill a record? (clause 7.2). Not clear who has to fill the record? (clause 5.3)

  You can find more information about documentation below:

  • New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
  • Some tips to make Document Control more useful for your QMS - https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
  • Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
     

• ISO 27000: IT technical consultant

  To become an ISO 27001 consultant you do not need to have deep technical knowledge (although this knowledge, and related certifications like BCS, can provide a competitive edge).

  Considering that, you have the following ISO 27001 career you can follow:

  • ISO 27001 Lead Implementer – this certification recognizes people who have competency in the ISO 27001 implementation process.
  • ISO 27001 Lead Auditor – this certification recognizes people who have competency in auditing an ISM S against ISO 27001 requirements and want to become certification auditors (and with this provides more confidence to an organization for being certified).

  These articles will provide you a further explanation about ISO 27001 personnel certifications:

  • What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
  • What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
  • Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/

  For courses related to these certifications, please see:

  • ISO 27001:2013 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/
  • ISO 27001:2013 Lead Implementer Course https://advisera.com/training/iso-27001-lead-implementer-course/

• Implementation of ISO 27001 Guidelines

  In a general manner, to determine the time needed to implement ISO 27001 you need to:

  1. Identify which deliveries you need to make (e.g., policies, procedures, training, assessment, audits, etc.)
  2. Identify which tasks are required to produce each result (e.g., interview top management, elaborate a policy draft, submit the draft for evaluation, update draft if needed, approve the final version, etc.)
  3. Identify how much time you need to perform each task
  4. Identify the sequence in which these tasks should be executed

  After the sequencing, you only have to sum the times of the longest sequence to know how much time you will spend to achieve that result. Of course, this is a great simplification of the method, but for small and medium implementations it works well.

  To see how a sequence of tasks for ISO 27001 implementation looks like, please take a look at this free material:

  • Project checklist for ISO 27001 implementation (MS Word) https://info.advisera.com/27001academy/free-download/project-checklist-for-iso-27001-implementation?

  Regarding times, when you consider all the steps as a whole, you can roughly consider that the steps before the risk management will take you ca 10% of the time, risk assessment ca 30% of the time, implementation of controls ca 50% of the time, and final activities (internal audit, management review, corrective actions) ca 10% of the time.

  These articles will provide you further information:

  • ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
  • How long does it take to implement ISO 27001 / BS 25999? https://advisera.com/27001academy/blog/2011/11/08/how-long-does-it-take-to-implement-iso-27001-bs-25999/  - you should also note that this is the timing that is needed for companies that use our toolkits (e.g., ISO 27001 Documentation Toolkit https://advisera.com/27001academy/iso-27001-documentation-toolkit/)

  These materials will also help you regarding ISO 27001 schedule development:

  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ This Foundations course will give you the basics about the standard.

  For more advanced knowledge I also suggest the Lead Implementer course for details on how to run the project: https://advisera.com/training/iso-27001-lead-implementer-course/

• Risk register

  Common documents required by customers are the Information Security Policy, Statement of Applicability, and Audit Report. Other documents can be asked depending upon what customers need.

  To share such documents (some of them may have sensitive information about your organization, like your risk register) you first should evaluate if the risks are worthy (e.g., the audit report has very sensitive information about your ISMS status, but the requester is your biggest customer or a potential customer you want to include in your portfolio). If you consider that the risk of sharing this information is acceptable, then you should provide a Non-Disclosure Agreement with these customers to formalize the required conditions for the protection of this information.

  Regarding the information in the risk register, all vulnerabilities considered relevant should be included in the risk register.