Search results


    • Requirements on RFQ in regard to annual management review

      IATF 16949:2016 clause 9.3.2.1 item e) defines one of the management review agenda items as "assessments of manufacturing feasibility made for changes to existing operations and for new facilities or new product".

      In addition, clause 7.1.3.1 of the standard states that "Assessments of manufacturing feasibility and evaluation of capacity planning shall be inputs to management reviews (see ISO 9001, Section 9.3)".

      In short, the management review process should give brief information about the feasibility review and capacity status of new products, projects, machinery, facilities, and changing products and processes, and make decisions, especially about problematic issues. It should also provide summary information about the status of new projects and make decisions on this issue if bottleneck issues are present.

      The important thing here is that senior management has information about new projects, products, etc., and if there is a point where a decision must be made, it concerns support for budget, resources, etc.

      If senior management attends the routine meetings about new projects and products and the decisions are documented in those meetings, the management review meeting notes can refer to the new project meetings as a reference.

      For more information please see the following article:

      • How to implement management review according to IATF 16949 https://advisera.com/16949academy/blog/2017/10/25/how-to-implement-management-review-according-to-iatf-16949/

    • Combining ISO 27001 with other standards

      What other ISOs could it be complemented with?

      ISO management systems standards are designed to be easily integrated with each other, so you can integrate ISO 27001 with ISO 9001 (quality management) and ISO 22301 (business continuity management), for example.

      Additionally, ISO 27001 has a set of supporting standards that can be used to implement an ISMS, like ISO 27002 (practices for security controls) and ISO 27031 (practices for IT disaster recovery).

      These articles will provide you with a further explanation about integrating standards:

    • ISO 20000 implementation process

      Our free tool "ISO 20000 implementation duration calculator" https://advisera.com/20000academy/itil-iso-20000-tools/iso-20000-implementation-duration-calculator/ can help you calculate the duration of the implementation.
      This article "How much does ISO 20000 implementation cost?" https://advisera.com/20000academy/blog/2016/08/23/how-much-does-iso20000-implementation-cost/ will help you with cost calculation.
      Additionally, this template will help you organize your implementation project: "Project Plan for Implementation of the Service Management System according to ISO/IEC 20000-1" https://info.advisera.com/20000academy/free-download/project-plan-for-implementation-of-the-service-management-system-according-to-iso-iec-20000-1

    • How to consistently implement ISO requirements?

      I assume you are referring to the general requirement (clause 8.1.1) to demonstrate the consistent achievement of the requirements of ISO 17025. Once implementation is complete, meaning all the processes and required documentation have been put in place, the objective is the consistent operation of the laboratory to support the policies, achieve the quality objectives and drive improvement in the performance of the laboratory management system.

      This is achieved by having processes and procedures, for example for handling nonconforming work and corrective actions, that are firstly effective in meeting each ISO 17025 requirement, meaning implemented and achieving what was intended. Secondly, you should aim for efficiency, where the activity is performed in the best possible way with the least waste of time and other resources. Monitoring, evaluation and assessment activities such as quality control, ongoing competency evaluation of personnel, auditing and management reviews are used to provide information to be acted on to ensure the continuing adequacy of the management system. Data, information and records should be kept to provide objective evidence of this consistent achievement.

      For more information to meet ISO 17025 requirements, see the complimentary white paper (PDF) Clause-by-clause explanation of ISO 17025:2017 available at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/ and the ISO 17025 Toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

    • GDPR Implementation Questions

      "I am *** Chief Technical Architect from *** and I have a couple of questions about GDPR implementation in customers' applications.

      In order to be compliant with GDPR, the user has some rights that should be made available by the different systems, such as the right to delete the personal data, the right to rectify, the right to get a copy of his personal data, and so on. Are there any issues if these rights are implemented using defined processes with our customers and database scripts to implement the required rights, instead of modifying each and every application to implement these rights? These database scripts will be included in the application deliverables.

      No, the GDPR does not prescribe any mandatory method. It leaves it up to the data controller to determine the methods to ensure data subjects' rights are assured. Of course, these methods must be compliant with GDPR requirements in terms of security and risk for freedoms and rights.

      The right to be informed will be included in the cookies bar or a separate checkbox in the registration process or the consent signed by the employees using these applications; is that accepted?

      Article 7 GDPR requires that when consent is collected in written form, the request should appear "in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language." Therefore, a separate checkbox is preferable. The consent can also be collected by a checkbox.

      Would you please confirm that securing the data at rest can be achieved by applying security measures on the database access either physically (access to the physical server) or logically (access to the database tables) if it is on-premise?

      This also applies to databases hosted in the cloud by the cloud providers, and in this case we need a confirmation from the cloud provider that the servers are secured as required and confirmation of the required security measures.

      Yes, Article 32 GDPR requires the adoption of organizational and technical security measures taking into account the state of the art, costs, purposes of the processing, and risks. If data are stored in the cloud, you need to evaluate the compliance of your cloud provider, which will be considered a data processor.

      Securing the data in transit can be implemented by securing the communication channel (i.e. using the HTTPS protocol, or SFTP if the personal data is included in files) and securing any media used to back up or transfer the data.

      Yes, as said, GDPR leaves it up to the data controller to choose the security measures to adopt.

      Encryption of personal data in the databases is something that is recommended and is not mandated by GDPR for securing user personal data at rest; please confirm."

      Yes, encryption is a recommended security measure. It is not mandatory because you need to balance risks, costs, state of the art and kind of data processed, as indicated in Article 32 GDPR.

      Here you can find more information:

      If you want to know more about GDPR compliance you can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//


    • Handling data according to EU GDPR

      "If we are coordinating a European project, and the data we collect is basic personal data (name, phone, email) from different EU city employees who take part in that project, are we, as a coordinator, responsible for how other project partners handle this data? I.e. the project requires us to ensure that many partners also view this data (it wouldn't serve a purpose if we anonymized it), so how can we control what the partner organisations do with this data, whether they delete it on time, etc.? So far we have had a project document called DP management, where we would write down procedures, including that the data needs to be deleted after the project ends and so on.

      You need to evaluate whether your project partners process data on your behalf; in that case you can be considered the leader of the project, and they will be seen as data processors. In this case, you need to appoint them and determine procedures and controls, and require compliance with your policies.

      Your partners may also be seen as joint controllers, under Article 26 GDPR, if they determine the means and the purposes of data processing together with you. In this case, you can make a data processing agreement and jointly determine the policies to follow. Each will be accountable for the data processed by its company.

      Is this enough to show our accountability as coordinators?

      If your partner is a data processor, you need to appoint them as a data processor with a data processing agreement. Article 28 GDPR requires a written legal undertaking. Of course, you can demand that they follow your policies and rules and also check whether they comply with them.

      Here you can find more information

      If you want to know more about GDPR compliance you can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

    • Minor nonconformities

      ISO 27001 does not prescribe that nonconformities must be graded, so you can treat all of them only as nonconformities in the internal audit. Grading into minor and major nonconformities is mostly used by certification bodies as a best practice.

      Considering that, for certification purposes, you only need to ensure that any nonconformity is remediated by the time of the next surveillance/certification audit and that there is no recurrence of the same situation.

      This article will provide you with a further explanation about nonconformities:

      For further information, see:

    • Preparing site for first-time audit

      Site preparation depends on the type of production you have for your medical device. If it is a sterile medical device, then a lot of attention needs to be paid to the cleanliness of the premises. This means, for example: a separate entrance for raw materials and exit for finished products, and special rules for clothing and behavior in the facility (protective clothing and other equipment, no eating or drinking in the production area).

      If you produce a non-sterile device, then there must also be special attention to the work environment applicable to that kind of device.

      If you produce software, rules for the work environment are less important, although it is important for the server room to have proper temperature and humidity.

      In the warehouse, you need to have a properly labeled place for non-conforming products.

      Other elements of site preparation mean that you need to have everything properly labeled, e.g. shelves, lockers, locations in the premises.

      For more information on this topic, please see the following articles:
