You can find a set of guidelines for controlling external documents in this article - What does “external documents control” mean in ISO 9001? - https://advisera.com/9001academy/blog/2019/02/04/what-does-external-documents-control-mean-in-iso-9001/
You can find more information below:
First, it is important to note that major/minor nonconformities are normally used only for certification/surveillance audits of certified ISO management systems. Internal audits in general use the ratings you mentioned.
Considering that, major nonconformities would compare to high rating, while minor nonconformities could be compared to low or medium rating, depending on criteria used by the organization.
As for Opportunities For Improvement (OFIs), they should be rated considering criteria adopted by the organization to evaluate their potential benefits (i.e., they could be rated low, medium, or high).
These materials will also help you regarding NC and OFI ratings:
Please note that since the year 2000, ISO 9001 has no longer been about quality assurance, but about quality management.
An organization with a quality management system should have a quality policy. A quality policy is a set of intentions and directions for an organization as determined by top management.
You will not see this in ISO 9001:2015, this is my practice. When I work with an organization’s top management in developing their quality policy I recommend thinking about some questions:
After discussing the questions and answers and after arriving at some consensus, I invite the organization to write a text with the following structure:
The following material will provide you more information about the quality policy:
Change control is very important in ISO 17025, as with any management system. In ISO 17025 it is typically managed at the activity level, for example Data, Information, Document and Record management; or ensuring validity of results. The scope of ISO 17025 is the competence, impartiality, and consistent operation of laboratories. To achieve stability and consistent operation, risks and opportunities must be managed. This means that any changes for management and technical activities must be planned, controlled, and coordinated. For example, changing a supplier of a critical chemical reagent could invalidate a method if the risk is not considered and the impact of the new chemical supply not evaluated.
For more detail on what is required for ISO 17025, read the whitepaper Clause-by-clause explanation of ISO 17025:2017 available for download from https://advisera.com/17025academy/free-downloads/ and preview the toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/
Implementing ISO 14001:2015 in a mining company is the same as in other types of sectors, bearing in mind that in the case of the mining sector many natural resources are used, and therefore there are a number of environmental aspects and significant impacts for which the corresponding operational controls will have to be implemented.
It is also important to highlight the need to stay up to date with compliance requirements, especially regulatory ones, which are quite numerous in the mining sector, but also those related to contractual requirements.
First of all, it is very important to have the support of top management, which will provide the resources, both personnel and financial, needed to carry out the implementation project.
Next, you can carry out a gap analysis, which will help you identify those requirements the organization does not yet meet. This will make the implementation easier, since it will significantly reduce the implementation time. You can carry out the analysis free of charge here - ISO 14001 gap analysis tool: https://advisera.com/14001academy/es/herramienta-gap-analysis-iso-140012015/
I also recommend that you define a project plan, in which you determine responsibilities, milestones during the implementation, deadlines, etc. You can download a project plan free of charge here - Project Plan for ISO 14001:2015 implementation: https://info.advisera.com/14001academy/free-download/project-plan-for-iso-140012015-implementation-ms-powerpoint
Later you can start with the implementation of the standard itself, defining the scope of the Environmental Management System, for which I recommend that you first consider the internal and external issues of the organization's context, since this can be of great help in knowing what the limits of your EMS will be. Next, you can determine both the policy of your EMS and the objectives of the EMS. Here you can get more information on how to define the scope of your EMS - How to determine the scope of the EMS according to ISO 14001:2015: https://advisera.com/14001academy/blog/2016/02/01/how-to-determine-the-scope-of-the-ems-according-to-iso-140012015/
Later on, you will have to establish all the processes related to the system and implement them, in order to finally carry out the internal audit and, lastly, the management review.
These materials can help you learn what the steps in implementing ISO 14001:2015 are:
- Why mining companies should obtain ISO 14001 certification: https://advisera.com/14001academy/blog/2018/04/17/why-mining-companies-should-obtain-iso-14001-certification/
- Article: List of steps for implementing ISO 14001: https://advisera.com/14001academy/es/knowledgebase/lista-de-pasos-para-la-implementacion-de-la-iso-14001/
- Free course - ISO 14001:2015 Foundations: https://advisera.com/training/es/course/curso-fundamentos-iso-14001/
- Book - The ISO 14001:2015 companion: https://advisera.com/books/the-iso-14001-2015-companion/
You asked: "...what all documents would we need in terms of testing for the said methods? For example, do I need to validate/verify these methods?"
Yes, you do need to validate all test methods that are going to be on your scope of accreditation. You need to meet the requirements of ISO 17025 clauses 7.2 and 7.6 for this activity.
You would need to include at least all mandatory procedures and records.
See the whitepaper Checklist of mandatory documents required by ISO 17025:2017.
For more detail on what is required, read the whitepaper Clause-by-clause explanation of ISO 17025:2017.
Both are available for download from https://advisera.com/17025academy/free-downloads/
You asked: "How?"
The ISO 17025 toolkit includes the procedure for validation and verification of methods, named Test and Calibration Method Procedure, along with two supporting documents Test Method Development, Verification and Validation Register and Test Method Development, Verification and Validation Record. The procedure is also available separately at https://advisera.com/17025academy/documentation/test-and-calibration-method-procedure/
The overall techniques for method validation are listed as well as the required records. It is the responsibility of the laboratory to choose the suitable technique and performance parameters, plan experiments and use suitable calculations. This is not in the scope of the toolkit. It is important to reference sector specific guidelines and meet specific regulatory and accreditation body requirements.
1. Regarding EU GDPR & ISO 27001 Integrated Documentation Toolkit:
Does it also cover ISO 27701:2019?
Please note that ISO 27701 was developed as an extension of ISO 27001 and ISO 27002. Considering that, the ISO 27001/GDPR toolkit is approximately 80% compliant with ISO 27701. The remaining 20% refers to small adjustments to include the protection of privacy in the context of the documents (e.g., where a document states “information security”, it now should state “information security and privacy”, and applicable controls should consider complementary privacy protection measures), and the inclusion of applicable controls specifically developed for ISO 27701 (a total of 49 controls).
For further information, read:
2. Does it also cover GDPR cases where EU customer personal data is processed outside of the EU in a country like ***? (like using standard data protection clauses adopted by the EU Commission, etc.?)
The EU GDPR & ISO 27001 Integrated Documentation Toolkit has a full section dedicated to the transfer of personal data in a third country. The templates are indicated for all controllers subject to the EU GDPR wherever they are located. This section of the EU GDPR & ISO 27001 Integrated Documentation Toolkit includes templates of:
3. Does there exist an employee contract template which takes into account GDPR?
Employee contracts are subject to local labor legislation, so there is no template. However, in the EU GDPR & ISO 27001 Integrated Documentation Toolkit you can find:
For more information, see:
4. Does there exist a B2B contract template which takes into account GDPR when processing EU customer personal data in a country like ***?
As mentioned above, in the section of the EU GDPR & ISO 27001 Integrated Documentation Toolkit about data transfer there are some templates about the data transfer between controller and processor and among controllers.
This agreement can be used as an annex to the B2B agreement (your general terms and conditions) and signed jointly. You need to remember to insert a clause in your B2B agreement in which undertakers are aware of compliance with GDPR requirements and comply with the terms in the attached data processing agreement. Of course, you should also mention compliance with your local privacy law requirements!
This article may provide additional information:
5. Does there exist a B2B contract template which takes into account GDPR when EU customer personal data is processed outside of the EU in a country like ***?
Because of the extraterritorial applicability of the EU GDPR, templates are not affected by the location of the company, but only by whether the company is subject to the EU GDPR requirements. If so, and the processing takes place in a third country, the transfer of data section of the Toolkit will help to comply with contractual requirements. The easiest way is to develop a Data Processing Agreement and Standard Contractual Clauses as annexes to your own B2B agreement template (which varies depending on your own kind of activity).
To understand how to comply with GDPR requirements when a transfer of data outside the EU is involved, you can consider enrolling in our free online training:
Do you have any thoughts on the ISO/IEC 38500?
ISO/IEC 38500 provides guiding principles for governance specifically directed at Information Technology. It can be used to help integrate business strategy, information technology, and information security initiatives.
For additional information, see:
Would we want to add this after our ISO/IEC 27001 that we are working on?
ISO 27001 does not require the implementation of any other standard, so the decision about the application of ISO/IEC 38500 would depend on the evaluation of potential benefits that can be achieved and the costs of implementing an additional standard.
Also, in regards to ISO 22301, does this complement the GDPR that we are working on?
ISO 22301 is about business continuity and resilience of systems. It can help you to demonstrate compliance with security measures under Article 32 GDPR (which requires technical and organizational security measures) but it does not cover all GDPR requirements (i.e. the information to be provided to data subjects, or the respect of data subject rights are outside the purposes of ISO 22301 and they are the core of GDPR). GDPR refers to all data processing regardless of the form and it is not only about data security (yet it is crucial), it is also about information, transparency, and lawful processing.
For more information, see:
The Toolkit requires you to insert your national privacy law, if any. Most countries, even EU Member States, have adopted internal laws and regulations to implement GDPR requirements in certain fields. Video surveillance, controls of workers, social security, criminal convictions, or health data are some examples of topics implemented nationally.
You should consult the website of your local Data Protection Authority (or Surveillance Authority) to discover which laws and regulations apply in your country. Therefore, you should check if your organization is subject to other extraterritorial privacy laws like the California Consumer Protection Act (CCPA) or the Brazilian Data Protection Act (LGPD). In such a case, you should also insert those references in your data protection policy.
Here you can find the list of relevant Data Protection Authorities and the list of laws and regulations on information security:
Please note that ISO 27001 does not prescribe how to document the review, so organizations can develop the form that best fits their needs.
Considering that, to record reviewed access rights you can use the Internal Audit Report template included in your toolkit, using the field Audit Trail to record this information.
In case you need a more generic approach, you can use a Word or Excel file.
In both cases, it is important to cover at least this information: