Search results

Difference between 3.10 Release in production/ market and 3.12 Transfer to production

This is related to the general demands exemplified by health records.

Audit

I will be grateful if you can solve my next query.

For some months I bought the Premium Package from you and I have been preparing for a company to be certified in ISO 27001.

My question is: To what extent should I go so that the Certifying company does its audit? They must consider that I have completed all the steps required and mandatory by ISO 27001, having reached the "Awareness and training plan". I am only missing the points of "Internal Audit", "Review by management" and "Corrective actions" .... My question is, if these last 3 steps must be carried out before passing the Certification Audit.

I must emphasize that, in my capacity as Consultant for the implementation of ISO 27001, I could not do an Internal Audit, because I should not be "judge and party".

What should I do or what do you recommend?

To go for certification, an organization must have evidence of the fulfillment of all requirements of the standard, as well as of the operation of all implemented controls.

Considering that, the certifying company must perform an internal audit, management review, and treat corrective actions, before going for the certification audit.

As for performing an internal audit, you still have some options: you can train organization employees to perform an internal audit (taking care they do not audit their own work), or the organization can hire an external auditor for performing this internal audit. 

These articles will provide you a further explanation about certification:

• Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/
• Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
• How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/

These materials will also help you regarding certification:

• Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
• ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
• Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

Business continuity management

ISO 22301, the ISO standard for Business Continuity Management, was designed to be implemented in organizations of any size and industry, so it can be applicable to a Pharmaceutical company.

To see how documents compliant with ISO 22301 look like, I suggest you take a look at the free demo of our ISO 22301 Documentation Toolkit at this link: https://advisera.com/27001academy/

This article will provide you a further explanation of ISMS implementation:

• 17 steps for implementing ISO 22301  https://advisera.com/27001academy/knowledgebase/17-steps-for-implementing-iso-22301/22301/iso-22301/

These materials will also help you regarding ISO 27001 implementation:

• How to use a Documentation Toolkit for the implementation of ISO 27001 / ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-27001-free-webinar-on-demand/
• Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/

Tinder Account Banned - removing my data

The legal basis for processing personal data is to fulfill a contract obligation, that is provide you access to the platform of Tinder. Tinder can store your personal data (Apple ID in order to verify the user) as long as they provide you the service and even after the termination of the contract if there is any reason (legal action, bookkeeping requirements, tax laws provisions) that requires Tinder to store such information.

Under Article 15 GDPR, you have the right to ask Tinder to let you know exactly what kind of data they process, what is the legal basis of data processing, and how long the data will be stored, according to the minimization principle, to delete any personal data that is not necessary to be processed anymore (i.e. if you did not make any purchase, there might be no reason to store the credit cards details and demand them to delete it) as stated in Article 17 par. 1 a) GDPR.

Tinder might reject your request by claiming to have the right to store your personal data, if you believe that your rights are compressed you can lodge a complaint to the Supervisory Authority of your home country.

Here you can find more information on data subjects rights and the right to be forgotten:

• Data subject rights according to GDPR https://advisera.com/eugdpracademy/knowledgebase/8-data-subject-rights-according-to-gdpr//
• Right to be forgotten in the era when everyone seems willing to be remembered https://advisera.com/eugdpracademy/blog/2019/08/26/gdpr-right-to-be-forgotten-an-easy-explanation/ 

To understand which are the data subjects rights and how to protect them under GDPR you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

Post-market surveillance

Concerning ISO 9001:2015:

• Clause 8.2.1 c) – states that communication with customers should include getting customer feedback, including customer complaints
• Clause 8.5.5 – states a set of activities that should be considered after delivering a product or service like any guaranty, any repair, any complaint, any feedback
• Clause 9.1.2 – states monitoring customer satisfaction 

You can find more information below:

• Handling customer satisfaction with code of conduct and complaints procedure - https://advisera.com/9001academy/blog/2014/07/15/handling-customer-satisfaction-code-conduct-complaints-procedure/
• How the ISO 9001:2015 standard can help improve relationships with your customers - https://advisera.com/9001academy/blog/2016/02/23/how-the-iso-90012015-standard-can-help-improve-relationships-with-your-customers/
• Main elements of handling customer satisfaction in ISO 9001 - https://advisera.com/9001academy/blog/2014/07/01/main-elements-handling-customer-satisfaction-iso-9001/
• Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ 
   

GMP accreditation

There is no mandatory requirement that cosmetic companies need to be certified according to the ISO 9001. ISO 22716:2007 does not require a quality management system in total. Understanding global cosmetics product safety is an essential factor in implementing ISO 22716.

In ISO 22716, there is no need for the Quality manual, Management review. It requires an internal audit, a system for deviation (corrective actions, non-conforming products, out of specification product). Of course, all procedures covering the production process, traceability, hygiene rules, and GMP requirements are necessary. 

The combination of ISO 9001 and ISO 22716 connects cosmetic product safety with overall business improvement tools.

Here you can see some information regarding ISO 9001:

• Free Gap Analysis Tool https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
• Should you use a gap analysis in your ISO 9001 implementation? https://advisera.com/9001academy/17/use-gap-analysis-iso-9001-implementation/
• Checklist of ISO 9001 implementation & certification steps https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
• ISO 9001 Implementation diagram https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram

• ISO 27017 training presentation

  For an ISO 27017 you can use this material:

  • Why ISO 27001 – Awareness presentation (MS PowerPoint) https://info.advisera.com/27001academy/free-download/why-iso-27001-awareness-presentation - this presentation template will give you the bases for the presentation
     ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/ - this article will provide you specific information about ISO 27017 to include in the presentation

  For further information, see:

  • How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/

  This material can also help you:

  • Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.

• Can ISO 27001:2013 be certified against multiple legal entities?

  It is possible to have a single certification for multiple companies, provided that the ISMS scope covers elements of all companies (e.g., processes, information, and/or locations). Of course, all entities will have to go through all certification process together.

  Adopting a single certificate for all entities or separate ones for each entity is a business decision, depending on their objectives and strategies, but in general, organizations adopt the model of one certification for each entity, because a change in an entity does not impact the certification of other entities.

  These articles will provide you a further explanation about scope definition:

  • How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
  • Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

  This article will provide an additional explanation about single certification for multiples entities (although it is about ISO 9001, the same concept applies to ISO 27001):

  • Certifying different legal entities under one certification scope in ISO 9001 https://advisera.com/9001academy/blog/2018/03/27/certifying-different-legal-entities-under-one-certification-scope-in-iso-9001/ 

  These articles will provide you a further explanation about implementing ISO 27001:

  • What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
  • ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
  • How long does it take to implement ISO 27001 / BS 25999? https://advisera.com/27001academy/blog/2011/11/08/how-long-does-it-take-to-implement-iso-27001-bs-25999/ - this is the timing that is needed for companies that use our toolkits

  These materials will also help you regarding ISO 27001 implementation:

  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  To see how documents used to implement ISO 27001 looks like, please take a look at the free demo templates of our ISO 27001 Implementation Toolkit in this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

• ISO 14001 Risk assessment example

  Let us consider three sources of risk. Risk derived from processes, risk derived from products, and risk derived from the context and interested parties.

  

  There is the risk that the operation of a wastewater treatment plan fails and due to that malfunction, the treated wastewater may have pollutants above legal limits.

  

  There is the risk that product disposal at the end of life may not be done by the consumer according to legal practices.

  

  General public, society, is pressuring politicians to restrict the extraction of a raw material used by an organization. If that pressure succeeds the organization may find progressive difficulty in accessing that same relevant raw material.

  Please check this information below with more detailed answers:

  • ISO 14001 risks and opportunities vs. environmental aspects - https://advisera.com/14001academy/blog/2016/03/21/how-does-product-life-cycle-influence-environmental-aspects-according-to-iso-140012015/
  • ISO 14001 document template: Procedure for Identification and Evaluation of Environmental Aspects and Risks - https://advisera.com/14001academy/documentation/procedure-for-identification-and-evaluation-of-environmental-aspects/
  • Enroll for free in this course – ISO 14001:2015 Lead Auditor Course - https://advisera.com/training/iso-14001-lead-auditor-course/
  • Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

   

• ISO 9001 DI controls visibility

  No, you do not need to add DI controls visibly.

  What is the purpose of a version or date?

  Ensure that users know which version they are using and be able to verify that it is the latest version. How can users be sure that they are using the last version of the complaints policy? As long as they are using the digital version that is ensured. Some organizations use a message saying that a printed version is a noncontrollable copy and users should be aware of that risk.

  You can find more information about documentation below:

  • Some tips to make Document Control more useful for your QMS - https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
  • Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/