Q1. How to prepare compliance obligation record according to clause 6.1.3?
Answer:
The standard uses the wording “maintain documented information of its compliance obligations”. Maintain is not applicable to records but this is strange concerning the content of the clause.
I recommend developing a register where you list each source of compliance obligations (general legal and regulatory requirements, permits, contracts, …). For each compliance obligation, write its summary or purpose. For each compliance obligation, determine if it is applicable to the organization and how it's translated into specific requirements. If applicable, what are the actions implied?
For example:
Q2. What is operational control and how to prepare this?
Answer:
How will your organization ensure that environmental aspects are receiving the expected treatment?
For each environmental aspect, your organization has to set what is expected to be done in order to comply with the environmental policy commitments. For example, about wastes:
Another example - operational control is what ensures that the wastewater treatment facility is operating under control and discharging treated wastewater according to legal requirements.
You can find more information below:
ISO 9001:2015 as you say does not make mandatory many documents. However, there are still several mandatory records - Consider this article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
I understand your concern, but as long as you know that common documents used by other quality management systems are not mandatory, you can defend your position.
I, as an auditor, do not like to prescribe what kind or amount of documentation an organization should have. I, as an auditor, look into an organization’s complexity level, look into staff turnover figures, look into the quality and extent of the training program and, above all, look into an organization’s performance before I raise an opportunity for improvement about the number or quality of an organization’s quality management system documents.
You can find more information about documentation below:
"Hi All, I'm new to GDPR and reading blogs and articles from advisera.com which is really helpful. However, I have a query with respect to the Right to be forgotten.
I would like to know if a customer/individual can request a call center to delete or remove his chat logs which he had with a support agent?
It depends on the content of the chat.
Article 17, par. 1, (a) GDPR states that the data subject can demand the erasure of personal data processed by the controller if “the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed”. Article 17 par. 3 GDPR states also that the controller can reject the request, when the reason of saving data is: (b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; […] (e) for the establishment, exercise or defence of legal claims.
If so, does the call center have to take this request as an RTBF??"
The call center will consider the request as an RTBF (Right To Be Forgotten) only if the processing is no longer necessary. Consider that you will need to be able to demonstrate why you rejected the request, because of the accountability principle. You should adopt a process that helps you to guide your staff in dealing with data subjects' requests.
Here you can find more information:
If you want to know more about GDPR compliance you can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
Records are relevant either because they are required by contracts or legislation, or because they represent the memory of the organization. An organization without memory cannot learn.
First, what records are relevant for your quality management system (QMS)?
Consider this article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/ - here you can find the mandatory records according to ISO 9001:2015. Then, consider your own requirements. What does your organization find relevant to keep learning about the QMS? For example, is it relevant to keep records from maintenance?
Using the process approach and the turtle diagram – please check this free webinar on-demand - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/ - you can systematically evaluate the need to keep records of your organization's work and results.
You can find more information about documentation below:
The following picture describes how I see the people aspect of ISO 9001:2015.
Top management determines organizational roles, functions, with particular responsibilities and authorities. Based on those responsibilities and authorities, organizations can determine organizational knowledge required and the number of persons required.
Based on each particular person’s experience and education compared with required organizational knowledge, competence gaps are determined and actions are performed to close them.
Performance evaluation is used to update people requirements, organizational knowledge requirements and competence requirements.
You can find more information below:
Can you be more specific about what you feel you are missing?
There is no one size fits all organizational chart. Any organizational chart depends on the specific people that occupy each function, their experience, and personality.
Does your organizational chart include:
You can find more information below:
1. If an Organization doesn't have ISO 9001:2015 certification, can it directly get TS 16949 certification alone?
If you manufacture parts for the automotive industry and the part you produce is assembled on an OEM or OES vehicle, you can apply for IATF 16949 certification. Your Quality Management System must be ready before the audit according to the IATF rules.
2. Do we need to maintain a different set of Documents for ISO 9001:2015 and TS 16949 if we go for both the certifications? Can't we have single process documents and Quality manual for both?
ISO 9001:2015 and IATF 16949:2016 should be managed with the same documentation structure; separating them from each other is not appropriate according to the rules.
3. Can the Audits (external/internal) be conducted together with the same ISO 9001:2015 qualified Auditor or do we need to train the Auditors and get qualified separately for 9001:2015 and TS 16949?
All IATF 16949:2016 3rd party auditors are also qualified within ISO 9001:2015.
You asked
If I don't have traceability or a standard to calibrate any device, can I use any method created by my lab employee???
Unless the client or regulations require you to use a standard method, the laboratory is free to use any suitable method. “Suitable” means that the method measures what it is supposed to, in the matrix of interest, accurately and reliably, and meets the parameters required by the client, for example for limit of detection and precision. An in-house method, however, requires more extensive validation experiments than a standard method.
You also asked
I need to ask you about calibration based on ISO 17025, if it should be done by a third party or we can do it as an internal party, then records
Certain calibrations can be performed in-house, justified based on the assurance risk and the type of measuring equipment. You need to use an external accredited calibration laboratory if you need to meet legal requirements, those of your accreditation program, or do not have the expertise or suitable equipment / calibrators that can provide results with unbroken metrological traceability to international measurement units. Have a look at the answer provided for a similar question, “Calibration of laboratory equipment”, at https://community.advisera.com/topic/calibration-of-laboratory-equipment/
For further information see the following:
The article What does ISO 17025:2017 require for laboratory measurement equipment and related procedures? at https://advisera.com/17025academy/blog/2019/07/25/iso-17025-measurement-requirements-of-the-standard/
The ISO 17025 document template: Equipment and Calibration Procedure at https://advisera.com/17025academy/documentation/equipment-and-calibration-procedure//
Raising awareness among people involved with the Information Security Management System and getting their engagement are often the most difficult to implement, due to the tendency of employees to resist change.
These articles will provide you additional information:
These materials will also help you regarding ISO 27001 implementation: