What are the requirements for a company to have this certification?
Broadly speaking, to be ready for ISO certification, an organization needs to:
This article will provide you with a further explanation about ISMS implementation:
1. I appreciate your support in providing me with your advice regarding the following: As a processor, should I perform a DPIA (is it required)?
Article 35 GDPR defines the Data Protection Impact Assessment (DPIA) as an obligation of the controller. Among the obligations of the processor, however, Article 28 GDPR requires it to “inform the controller of that legal requirement before processing”. This means that if a DPIA is required of the controller and the processor becomes aware of it, the processor should represent to the controller that a DPIA is needed. Of course, it is an obligation to inform, so it is the controller who shall perform the DPIA, and the consequences shall be on the controller.
2. If the controller is not in compliance with the GDPR and didn't share any direction with the data processor (in other words, the controller didn't ask the processor to be in compliance with the GDPR), will the data processor be liable if any security breach occurs?
From your question I understand that the controller transferred data to the processor without giving any instruction on the basis of a commercial agreement without clauses on data processing.
In this case, the processor will be liable if any security breach occurs for data processed by the processor on behalf of the controller. In fact, Article 28 GDPR requires the processor to adopt security measures in compliance with Article 32 GDPR, which requires that “the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk”. Therefore, if you are processing personal data on behalf of someone else, you are liable for security. As stated in the answer to the first question, you should inform the controller about the requirement, and you can propose your own data processing agreement (e.g., as Google does with its clients).
Article 28 (3) GDPR imposes on the processor a duty of information and supervision over the controller's compliance with GDPR requirements. Therefore, increasing the controller's awareness of the applicability of the GDPR and helping controllers to comply with GDPR requirements can be considered both additional market value for the processor and a legal requirement to avoid liability.
In fact, accepting to process personal data without questioning the applicability of the GDPR can be interpreted as a violation of the processor’s vigilance duty laid out in Article 28 GDPR, in case the Regulation is applicable and a data breach occurs. Article 28 (f) states that the processor “assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor.”
Of course, if the controller stated that the GDPR is not applicable and no information is available to the processor despite its requests, the processor could not be considered liable in case of a data breach.
3. Is it required for the traffic containing PII between a company and a service provider to be encrypted?
The GDPR leaves it up to the controller and the processor to determine the appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Of course, encryption is nowadays considered a good security measure, so it is highly suggested.
Here you can find more information:
You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
Yes, you are right that ISO 13485:2016 does not specify how to handle training validation. The only requirement in 6.2 Human resources is to evaluate the effectiveness of the actions taken for the training. So, it is up to you how you will do it. I would like to point out here that the note to requirement 6.2 also states that the methodology used to check effectiveness is proportionate to the risk associated with the work for which the training is provided. It means that you decide for which training validation is necessary and for which there is no need for it (based on the risk).
Sometimes the method can be a quiz, sometimes it can be checking the person in everyday work, and sometimes, during an internal audit, you can check whether everything is done in the prescribed and appropriate manner.
The following article can provide you with more information about effectiveness:
Please check this article about mandatory documentation - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
If you follow ISO 9001:2015 you don’t have to present documentation regarding internal or external issues. However, if in your management system approach you planned to document internal or external issues then you have to show them during the audit.
You can find more information about documentation below:
1. Would it be compliant for a medium-size company (70 employees) to have separate procedures for Feedback and Complaint, Non-Conforming Product, Non-conformance and CAPA, but the following logs: Feedback Log, Employee Suggestion Log (for employee feedback data gathering), CAPA Log, and just one log for both Complaints and Non-conformances?
Yes, it would be compliant for a company of this size to have separate procedures for the defined requirements. The way you divide the registration logs seems OK.
2. If there were 2 logs, one for complaints and one for non-conformances, and a complaint is received that is investigated and considered a non-conformance, shall that complaint appear in both the complaint log and the non-conformance log? Similarly, if, hypothetically, a complaint is received and it is incident related, would it be registered in all applicable logs (complaint log, then incident log, then non-conformance log if it is due to a non-conformance, then CAPA log when corrective action is required), or can some of them be skipped (such as recording the incident straight into the incident log rather than the complaint log, and into the CAPA log to carry out the relevant action plans)?
In my opinion, it is OK to have one log for complaints and non-conformances to avoid repeating the information. If that is not the case, then you need to register a complaint in one log, and then connect that complaint with the non-conformance log. The best way to do it is to have one column in the complaint log where, after the investigation of the complaint, you put the number of the non-conformance that you will raise to solve this complaint.
3. Is an instance considered a complaint when a customer is dissatisfied because his expectations are not met, but meeting those expectations would mean breaking regulatory requirements?
Here, the only question is: has the customer expectation been written down somewhere (in the contract, on the invoice, or similar)? If there is no record of the customer expectation, and even if meeting it would mean that regulatory requirements shall be broken, in my opinion, it isn't a complaint. Requirement 7.2.2 Review of requirements related to the product states that product requirements must be defined and documented, and the organization must review the requirements related to the product. Records of the results of the review must be maintained.
4. I believe registering every issue that is detected in all the relevant logs is so confusing and time consuming.
I agree with you. So try to make this as simple as possible. From my experience as an auditor, some clients have only a customer complaint log, and all other elements are in one log: CAPA, non-conforming products, even findings from internal audits. It is very easy to manage these logs when using advanced Excel.
The following articles can be helpful:
1. How to understand Context of the Organization
You can understand the context of the organization as any internal or external factor that can affect the ISMS. As examples of external factors (something that is outside the organization's control), we can mention new technologies, competitors, and laws. Examples of internal factors (something the organization can control or have influence over) are the organization's own resources and knowledge, its culture, and its employees' competencies. Understanding the context is essential to identify where the ISMS can be applied, and its strengths and limitations.
This article will provide you with a further explanation about the Context of the organization for ISO 27001:
These materials will also help you regarding the Context of the organization for ISO 27001:
2. And determine the scope for implementation of ISO 27001:2013
According to ISO 27001, an ISMS scope must be defined in terms of information, locations, or business units to be protected, considering the organization's objectives and context.
For small and mid-size organizations (up to 100 employees), it is often better to include the whole organization in the scope, because the effort to keep only a part of the organization in the scope is not worthwhile. For bigger organizations, defining a smaller scope may be better to reduce the costs and effort to what really matters for the business objectives.
These articles will provide you a further explanation about defining scope:
I'm assuming that by "Vendor log" you mean the document or system you use to record and manage your vendors.
Considering that, to identify which vendors should be in your Vendor Log and under periodic vendor review, you need to perform a risk assessment on your vendors to identify whether they can raise relevant risks that need treatment. Additionally, you need to evaluate the legal requirements you must comply with (e.g., laws, regulations and contracts) to identify whether any of them have clauses defining specific vendors or conditions that will require vendors to be logged or reviewed periodically.
These articles can provide further information: