Search results

Procedures for suppliers to cover the control of External Providers

1. In addition to my 27th of December question, 8.6 paragraph demands evaluations of the business continuity capabilities of relevant partners and suppliers;
Where in the package can I find a format for conducting evaluation for partners and suppliers according to ISO 22301:2019

You can use the same procedure and checklist used for your internal audit. Both procedure and checklist can be found in folder 10 from your ISO 22301 Toolkit.

For additional information, see (the same concept applies to ISO 22301):

• How to perform an ISO 27001 second-party audit of an outsourced supplier https://advisera.com/27001academy/blog/2017/10/10/how-to-perform-an-iso-27001-second-party-audit-of-an-outsourced-supplier/

2. And another question please. Where can i find a format to record business continuity objectives and actions and evaluation of them as 6.2.1 and 6.2.2 states
Thank you once again.

You can use your own document usually used for planning for documenting business continuity objectives and methods to measure them, and if you do not have such, then you can use the blank template provided in the root folder of your toolkit.

For further information, see:

• Setting the business continuity objectives in ISO 22301 https://advisera.com/27001academy/blog/2014/02/17/setting-the-business-continuity-objectives-in-iso-22301/

And another question, please.
Where in the package can i find a document to describe external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome such as Pandemic in the territory, Earthquakes, and risk appetite in general and according the site territory;

The information required by ISO 22301 clause 4.1 is addressed by the following templates:

• Organization's activities (from clause 4.1 a)) and potential impact from disruptive incidents are addressed by template Business Impact Analysis Questionnaire (located at folder 04 Business Impact Analysis Methodology)
• The organization's functions (from clause 4.1 a)) are addressed in all templates when an activity to be performed is required (by means of the field [job title]). Functions related specifically to the BCMS are defined in the template Business Continuity Policy, section 3.5, (located at folder 03 Business Continuity Policy)
• Organization's product and services (from clause 4.1 a)) are addressed by template Business Continuity Policy, section 3.5, (located at folder 03 Business Continuity Policy)
• Relations with suppliers, partners, and interested parties (from clause 4.1 a)) are addressed by template Business Continuity Strategy (located at folder 05 Business Continuity Strategy)
• Relationships between the Business Continuity Policy and other organization's policies, objectives, and general risk management strategy (from clause 4.1 b)) are addressed by template Business Continuity Policy, section 2, (located at folder 03 Business Continuity Policy)
• Organization's risk appetite (from clause 4.1 c)) is addressed by template Business Impact Analysis Questionnaire, section 6 (maximum acceptable outage) (located at folder 04 Business Impact Analysis Methodology)  

This article will provide you a further explanation (the same concept applies to ISO 22301):

• How to define context of the organization according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/

This material will also help you regarding ISO 22301:

• Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/

ISO 13485 implementation

No, it is not mandatory for the company to go for the ISO 9001 as well. ISO 13485:2016 is a standard that is specific for Manufacturers of medical devices (Medical devices — Quality management systems — Requirements for regulatory purposes). Besides that, on the web pages of the European Commission are stated which standards are applicable for all types of medical devices:  https://ec.europa.eu/growth/single-market/european-standards/harmonised-standards/medical-devices On that list, which has around 300 standards, only ISO 13485:2015 is the standard for the quality management system.

For more information, please see the following links:

• Similarities and differences between ISO 9001:2015 and ISO 13485:2016 https://advisera.com/9001academy/blog/2015/01/21/iso-9001-vs-iso-13485/
• What is ISO 13485? - https://advisera.com/13485academy/what-is-iso-13485/
• Checklist of ISO 13485 implementation and certification steps - https://advisera.com/13485academy/knowledgebase/checklist-of-iso-13485-implementation-and-certification-steps/

• IATF16949 VE ISO 9001

  1. IATF16949 dokumanlarını biliyorum ancak ISO9001:2015 ten farkını çıkaramadım. ISO 9001 de olmayıp IATF16949 olan neler var nereden ulaşabilirim bu bilgiye.

  ISO 9001’de olup IATF 16949 standardında olmayanlar diye hazırlanmış bir döküman olduğunu sanmıyorum ama örnek olarak şunu söyleyebilirim;’’Kalite El Kitabı’’ ISO 9001’de zorunlu değil iken IATF 16949 standardında zorunludur.

  IATF 16949:2016 standardı içinde bakınız ISO 9001 diye referans gösterdiği herşey ISO 9001 standardında mevcuttur. Yani  öncelikle ISO 9001 standart gereklilikleri ve paralelinde IATF 16949 standart gereklilikleri uygulanmalıdır. En iyi yöntem; 2 standardı beraber gözden geçirmek olabilir.

  2. Ve ISO 9001:2015 de tasarım iatf16949 gibi hariç tutulabiliyor mu acaba şimdiden teşekkürler ?

  Eğer organizasyon ürün tasarımı  yapmıyor ise; IATF 16949:2016 standardında ürün tasarım maddeleri hariç bırakılabilinir.  Proses tasarımı IATF 16949:2016 için herzaman geçerlidir ve kapsam dışı bırakılamaz.

  Eğer ISO 9001 ve IATF 16949 firma için beraber yönetiliyor ise ve ürün tasarımı IATF de var ama ISO 9001’de yok ise; o zaman IATF gerekliliği olarak otomotiv ürünleri için kapsamda ürün tasarımı alınabilinir ve ISO 9001’de ise tasarım kapsam dışı olduğu için, komple ISO 9001 kapsamından tasarım çıkartılabilinir. 

   

• Charitable organisations, non for profits, refugees.

  "Thank you for your reply.I have read it.2 more questions1 if organisation is not in EU but gathering data with consent from EU residents (not citizens). Do this organisation should comply with EU GDPR.?

  Yes, if the organization offers services or goods or processes data of EU individuals it must comply with GDPR.

  2 what kind of status (refugee, person who has working visa, tourist visa, visitor visa) are to be considered as EU resident that data from him can be collected or stored.

  It is considered with a broad meaning. Recital 14 states: “The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.” Therefore, if the GDPR applies because it offers services (even without a price) to EU residents, you should intend the residence broadly.

• Corrective action plan for audit observation for clause 8.1 of ISO 22301

  It is not clear to which processes this nonconformity refers to - if this refers to e.g. business impact analysis, then you need to have a methodology document for performing business impact analysis; if this is about risk assessment, then you need to have a risk assessment methodology, etc. 

  Here you can see the templates for the mentioned documents: 

  • Business impact analysis methodology https://advisera.com/27001academy/documentation/business-impact-analysis-methodology/ 
  • Risk assessment methodology https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/ 

  You can get all the required documents for ISO 22301 implementation in this ISO 22301 Documentation Toolkit: https://advisera.com/27001academy/iso22301-documentation-toolkit/ 

• Maintaining two risk registers for ISO 9001 and ISO 27001

  No, it is not mandatory to maintain two risk registers for ISO 9001 and ISO 27001 respectively. Please check this article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/ - there is no mandatory requirement in ISO 9001:2015 to keep a risk register. So, it is up to you to design the approach that best suits your organization, one common or two separate risk register.

  You can find more information below:

  • How to address risks and opportunities in ISO 9001: https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
  • About risks, you can see this free webinar on-demand - How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/
  • Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

• Real examples of "process approach", "risk management" and "PDCA" concepts mentioned in ISO9001:2015

  Please check our webinars free on-demand, perhaps they have examples that can help you build your communication to the staff of your company.

  • The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/
  • How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/
  • Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/ 

  Please check also my book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ - where I develop a case based on the process approach and the risk-based approach.

• ISO 9001 mandatory clauses and scope for implementation

  what clauses are compulsory to our organization? 

  Answer:
  Basically, all clauses are mandatory. An organization can only exclude those clauses that are not applicable. Without knowing in detail your business, it is very difficult to give a clear answer. For example, does your organization design consulting services? If not, ISO 9001:2015 clause 8.3 is not applicable. 

  What should be the scope? 

  Answer:
  About the scope, as you can see in this free webinar on-demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/ - it is a management decision, not a technical decision. The webinar explains some of the nuances behind different scopes. Your organization can have 10 different consulting services and decide to design a quality management system applicable only to three of those services.

  The following material will provide you more information about exclusions:

  • What clauses can be excluded in ISO 9001:2015? - https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/
  • How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
  • Enroll for free in the course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

   

• GDPR Documentation and PII

  Please advise regarding the below:

  1. What is data processor obligations in details regarding data subject rights

  • The right to be informed.
  • The right of access.
  • The right to rectification.
  • The right to erasure.
  • The right to restrict processing.
  • The right to data portability.
  • The right to object.
  • Rights in relation to automated decision making and profiling.

  Is there any procedure to be taken as example

  2. When providing outsourcing call center services , what is the legal basis to process the data noting that consent is taken by the data controller (is it legitimate interest : be able to fulfill our contractual obligation with the controller ?)
  
  3. What is the list of documentations required by the data processor

• Filling templates

  "Thank you for your detailed responses! Our company is in the US but we have a representative in Austria (Prighter). I assume I use this address for the supervisory authority address? Can you confirm if this is correct?"

  Yes, you should refer to the Austrian Supervisory Authority.