Search results

Is ISO 9001 listing of activities mandatory

Unfortunately, we cannot give you a specific answer because we are not aware of categories OGi. What we can say is that the scope defines and communicates the borders of the management system. The scope should clearly describe the type of Products and Services covered by the system and provide sufficient information, preventing the transmission of erroneous or misleading information about what the organization covers in the management system and what it is able to provide to its customers. Describing a list of activities, instead of a general description, is used either to reinforce the message of something that the organization wants to highlight that it is included in the management system, or precisely the opposite, to communicate what is not included.

You can find more information below:

• How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
• Free webinar on demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope -
• Free online training ISO 9001:2015 Internal Auditor Course: https://advisera.com/training/iso-9001-internal-auditor-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

List of documentation required by the data processor

This is the list of mandatory documents required by EU GDPR to controller who is the subject liable of GDPR compliance in first instance.https://advisera.com/articles/list-of-mandatory-documents-required-by-eu-gdpr/  

Processor’s documents which are mandatory under GDPR are less and indicated by the controller who need to give instruction to the processor. Usually mandatory documents for processor in their relationship with controller are:- The Data Processing Agreement and it should contains also instructions from the controller on how to process personal data.- The registry of processing activities as a processor.- Data Protection policy, and confidentiality clauses in agreements with people accessing data should be implemented.

Other documents may be required by controllers in order to demonstrate compliance (i.e. a Data Processing Impact Assessment on the processing carried out by the processor), or a data breach notification procedure. 

The processor should be available to receive inspections and audits from the controller.

If you want to understand better data processor requirements under the EU GDPR you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

Contract Review per ISO 13485 sec. 7.2.1, 7.2.2

Yes, if the sales order is distributed by the ERP as is, it is OK and enough from the standard point of view.

Difference between 3.10 Release in production/ market and 3.12 Transfer to production

This is related to the general demands exemplified by health records.

Audit

I will be grateful if you can solve my next query.

For some months I bought the Premium Package from you and I have been preparing for a company to be certified in ISO 27001.

My question is: To what extent should I go so that the Certifying company does its audit? They must consider that I have completed all the steps required and mandatory by ISO 27001, having reached the "Awareness and training plan". I am only missing the points of "Internal Audit", "Review by management" and "Corrective actions" .... My question is, if these last 3 steps must be carried out before passing the Certification Audit.

I must emphasize that, in my capacity as Consultant for the implementation of ISO 27001, I could not do an Internal Audit, because I should not be "judge and party".

What should I do or what do you recommend?

To go for certification, an organization must have evidence of the fulfillment of all requirements of the standard, as well as of the operation of all implemented controls.

Considering that, the certifying company must perform an internal audit, management review, and treat corrective actions, before going for the certification audit.

As for performing an internal audit, you still have some options: you can train organization employees to perform an internal audit (taking care they do not audit their own work), or the organization can hire an external auditor for performing this internal audit. 

These articles will provide you a further explanation about certification:

• Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/
• Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
• How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/

These materials will also help you regarding certification:

• Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
• ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
• Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

Business continuity management

ISO 22301, the ISO standard for Business Continuity Management, was designed to be implemented in organizations of any size and industry, so it can be applicable to a Pharmaceutical company.

To see how documents compliant with ISO 22301 look like, I suggest you take a look at the free demo of our ISO 22301 Documentation Toolkit at this link: https://advisera.com/27001academy/

This article will provide you a further explanation of ISMS implementation:

• 17 steps for implementing ISO 22301  https://advisera.com/27001academy/knowledgebase/17-steps-for-implementing-iso-22301/22301/iso-22301/

These materials will also help you regarding ISO 27001 implementation:

• How to use a Documentation Toolkit for the implementation of ISO 27001 / ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-27001-free-webinar-on-demand/
• Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/

Tinder Account Banned - removing my data

The legal basis for processing personal data is to fulfill a contract obligation, that is provide you access to the platform of Tinder. Tinder can store your personal data (Apple ID in order to verify the user) as long as they provide you the service and even after the termination of the contract if there is any reason (legal action, bookkeeping requirements, tax laws provisions) that requires Tinder to store such information.

Under Article 15 GDPR, you have the right to ask Tinder to let you know exactly what kind of data they process, what is the legal basis of data processing, and how long the data will be stored, according to the minimization principle, to delete any personal data that is not necessary to be processed anymore (i.e. if you did not make any purchase, there might be no reason to store the credit cards details and demand them to delete it) as stated in Article 17 par. 1 a) GDPR.

Tinder might reject your request by claiming to have the right to store your personal data, if you believe that your rights are compressed you can lodge a complaint to the Supervisory Authority of your home country.

Here you can find more information on data subjects rights and the right to be forgotten:

• Data subject rights according to GDPR https://advisera.com/eugdpracademy/knowledgebase/8-data-subject-rights-according-to-gdpr//
• Right to be forgotten in the era when everyone seems willing to be remembered https://advisera.com/eugdpracademy/blog/2019/08/26/gdpr-right-to-be-forgotten-an-easy-explanation/ 

To understand which are the data subjects rights and how to protect them under GDPR you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

Post-market surveillance

Concerning ISO 9001:2015:

• Clause 8.2.1 c) – states that communication with customers should include getting customer feedback, including customer complaints
• Clause 8.5.5 – states a set of activities that should be considered after delivering a product or service like any guaranty, any repair, any complaint, any feedback
• Clause 9.1.2 – states monitoring customer satisfaction 

You can find more information below:

• Handling customer satisfaction with code of conduct and complaints procedure - https://advisera.com/9001academy/blog/2014/07/15/handling-customer-satisfaction-code-conduct-complaints-procedure/
• How the ISO 9001:2015 standard can help improve relationships with your customers - https://advisera.com/9001academy/blog/2016/02/23/how-the-iso-90012015-standard-can-help-improve-relationships-with-your-customers/
• Main elements of handling customer satisfaction in ISO 9001 - https://advisera.com/9001academy/blog/2014/07/01/main-elements-handling-customer-satisfaction-iso-9001/
• Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ 
   

GMP accreditation

There is no mandatory requirement that cosmetic companies need to be certified according to the ISO 9001. ISO 22716:2007 does not require a quality management system in total. Understanding global cosmetics product safety is an essential factor in implementing ISO 22716.

In ISO 22716, there is no need for the Quality manual, Management review. It requires an internal audit, a system for deviation (corrective actions, non-conforming products, out of specification product). Of course, all procedures covering the production process, traceability, hygiene rules, and GMP requirements are necessary. 

The combination of ISO 9001 and ISO 22716 connects cosmetic product safety with overall business improvement tools.

Here you can see some information regarding ISO 9001:

• Free Gap Analysis Tool https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
• Should you use a gap analysis in your ISO 9001 implementation? https://advisera.com/9001academy/17/use-gap-analysis-iso-9001-implementation/
• Checklist of ISO 9001 implementation & certification steps https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
• ISO 9001 Implementation diagram https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram

• ISO 27017 training presentation

  For an ISO 27017 you can use this material:

  • Why ISO 27001 – Awareness presentation (MS PowerPoint) https://info.advisera.com/27001academy/free-download/why-iso-27001-awareness-presentation - this presentation template will give you the bases for the presentation
     ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/ - this article will provide you specific information about ISO 27017 to include in the presentation

  For further information, see:

  • How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/

  This material can also help you:

  • Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.