Search results

Carrying out document control effectively

Document control means that relevant documents for the quality management system:

• Are approved by an authorized person
• Relevant users have access to those documents
• Obsolete versions are removed
• It is easy to check the current version of a document and what changed from the previous version

Please check in this article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/ the list of mandatory records required by ISO 9001:2015

You can find more information about records below:

• How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
• New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
• Some tips to make Document Control more useful for your QMS - https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
• Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
   

GDPR Privacy querries

Having longitude and latitude i.e. G. location coordinates (and hence the home address t believe if I am not wrong) of some person be considered as Pll

Yes, GDPR considers location coordinates as well as the home address as personal data. Article 4, (1) GDPR states that ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”

Since Clouds like Amazon AWS have backups happening across the world to maintain a high availability and for BCP purposes, so I feel it's a fair assumption to thin, that AWS will he considering PrwacY laws Eke GDPR before sent. European resident Pll data to any other country outside Europe. Correct?

Yes, Amazon AWS implemented the GDPR compliance system in its services. Here you can find what Amazon does for GDPR https://aws.amazon.com/it/compliance/gdpr-center/

While doing assessment, Do I need to ask vendors to give me list of countries where the cloud is sending the backup data (containing PII) to, while thinking of pnvacy Logic being European resident data is going outside Europe ask if the cloud follow GDPR by having controls or not

You need to establish with your vendors who act as data processor a data processing agreement requiring them to select cloud providers who are compliant with GDPR (i.e. with data centers in the EU) you can also demand proof of compliance with GDPR of their cloud servers as the data controller has the power to give instruction on data processing, according to article 28 GDPR.

Am I correct regarding applicability of GDPR in below practical life scenarios-

 a) European resident I not citizen) went to India and registered an account with Uber by giving his Pil and rode on cab So GDPR would NOT be applicable regarding handling of this European person. Correct, I think GDPR should be as law of land will prevail which is India in this case and not Europe. 

Article 3 GDPR defines the territorial scope of GDPR and it is applicable to data processing taking place in the EU or from data controller located in the EU. Therefore, the EU citizen in India will not be under GDPR.

b) Indian resident went to Europe and registered an account with Uber Europe by giving PII and is currently doing a cab ride, so GDPR will be applicable as per what's written in the GDP. regulation. Correct? 

Yes, it is correct.

Now the Indian resident has completed the trip and has gone back to India and left Europe. Will GDPR still protect his Pll data which is now residing in Europe?

GDPR will protect data collected through the EU company, while the data collected through the Indian company will not under GDPR, because the data processing is outside the EU, with non-EU citizens and through non-EU data controller.

Someone from India want to make a trip to Europe and thought of advance booking, so while sitting from India itself register an account by giving his PII on the website of some European tour operator with its data center in:  c.1) Europe - Will GDPR be applicable?  c.2) Outside Europe - Will GDPR be applicable?

Yes, all data processed by the EU data controller (European tour operator) are under GDPR, for the processing carried all around the world.

Will the time of the actual visit make any difference on GDPR applicability i.e. GDPR is ON only after the actual visit has happened and not before?

No, even if the Indian tourist does not leave India but gave some PII to European Tour Operator, personal data will be processed according to GDPR.

Since IP is a PII, so will even the Dynamic IP not static IP) be considered as PII? By the time the captured dynamic IP will. processed to find PII, the dynamic IP would have changed/expired 

Requesting your guidance on these as I believe these will help me in understanding Privacy better"

Yes, dynamic IP is a PII because it makes the individual identifiable, according to article 4 GDPR.

Here you can find more information:

• Article 3 GDPR: https://advisera.com/eugdpracademy/gdpr/territorial-scope/ 
• Article 4 GDPR: https://advisera.com/gdpr/definitions/ 
• What is the EU GDPR and why is it applicable to the whole world? https://advisera.com/eugdpracademy/knowledgebase/what-is-the-eu-gdpr-and-why-is-it-applicable-to-the-whole-world/

If you want to know more about GDPR compliance you can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

Sterilization procedure template

1. We have a procedure “Sterilization” covering below topics: Elements of the validation process - Bioburden Method validation - Bioburden enumeration -Sterilization process validation – Sterility testing - Validation by The Bacteriostasis/Fungistasis Test - Sterility testing - EO residue - Bacterial endotoxins (LAL) test – Product Package Testing - Functional test - Validation records and approval - Impact on manufacturing and packing in routine –Process review – requalification – Concession. However, we have a separate procedure on Sterility monitoring, covering below topics: Microbial environmental monitoring - Product bioburden monitoring - Sterility testing (confirmation) -Bacterial endotoxins (LAL) test Product Package integrity testing In the sample we see from your documentation we only find “Sterilization”. Are the monitoring topics included in the Sterilization procedure template?

Yes, monitoring and validation topics are included in the Sterilization procedure. We wanted to simplified documentation so we prepare just one procedure for that. 

On this link you can find out how to manage the medical device sterilization process according to ISO 13485:2016

• How to manage the medical device sterilization process according to ISO 13485:2016 https://advisera.com/13485academy/blog/2017/06/28/how-to-manage-the-medical-device-sterilization-process-according-to-iso-13485/

The documents show a very adequate relationship to the ISO13485 paragraph that is the basis for the requirement. Although most of these requirements are (then again) based on Article, annexes of the EU MDR (2017/745) For example: For 7.3.9 (ISO) is based (now in MDR) on Annex IX, 2.2 c and Article 10. Are there any referrals in the document point to these specific MDR article/requirements (possible?)

No, in our procedures we refer only to the MDR in general. However, this is a very good suggestion, we will think about it to implement in our documentation. Thank you for pointing it out to us.

8.5 Actions to address risks and opportunities (Option A) (new)

Complying with clause 8.5 starts with taking a process approach – knowing your workflow for activities that are (or will be) part of your laboratory scope of accreditation. It involves identifying the factors that can affect the activity being assessed. For example, not having a calibrators that are traceable to SI units will mean you have a risk to the validity of your result.

Opportunities must also be addressed, meaning opportunities for improvement. A lab must consider the impact of risk or opportunity and take propitiate action. This involves choosing your methodology, performing an assessment (identification and analysis), deciding if risk treatment is required (or in the case of opportunities, whether you should adopt that change), implementing and then monitoring and followup.

For more information regarding actions to address risks and opportunities, see the ISO 17025 toolkit document template: Addressing Risks and Opportunities Procedure at https://advisera.com/17025academy/documentation/addressing-risks-and-opportunities-procedure/

and for more information on the five steps to address risks, see the article Five-step laboratory risk management according to ISO 17025:2017 at https://advisera.com/17025academy/blog/2019/12/05/iso-17025-risk-management-in-five-steps/

Other responses to similar questions may also be of interest – have a look at 
What is the efficient way and tricks to address, handle and treat the risk and opportunity? at https://community.advisera.com/topic/what-is-the-efficient-way-and-tricks-to-address-handle-and-treat-the-risk-and-opportunity/ and 
Addressing Improvement clause at https://community.advisera.com/topic/addressing-improvement-clause/

Setup of Governance, Risk and Security department

Broadly speaking, to set up a new department in an organization is very similar to the implementation of a management system, and you should consider:

• the identification of a clear reason why you need this new department (e.g., it will fulfill a business need, it will give a market advantage, it will comply with legal requirements, etc.).
• the definition of objectives, goals, and targets
• the performing of risk assessment, to identify relevant risks related to the achievement of objectives, goals, targets.
• the definition of an action plan, considering the activities the department must perform (e.g., risk management, audit, controls implementation, employees training, etc.), which competencies you need (i.e., job descriptions), how many people will be required, and how it will be its internal organization (i.e., hierarchy). At this point, you will define which policies, guidelines, and controls to implement to mitigate risks to the achievement of objectives, goals, and targets.
• the identification of requirements related to space, equipment, and facilities.
• how to fill job vacancies (e.g., internal placement, or external hiring)
• the definition of a specific budget
• top management approval of the proposed department

For further information, see:

• How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
• ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

The concepts in these articles, although applied to ISO 27001, can be used to set up a new department from zero.

Which are the right ISO standards to use

First is important to note that there is no such ISO 27301 standard.

Considering that, the proper standard to use will depend on your needs:

• if your priority is information protection, then you should use ISO 27001.
• if your priority is to ensure processes and services delivery under disruptive conditions, then you should use ISO 22301.

ISO 27031 is a support standard that can be used together with ISO 27001, because it provides specific guidance for ICT readiness for controls from ISO 27001 Annex A.

Sometimes it may be advantageous to implement both ISO 27001 and ISO 22301 (e.g., when this integrated implementation can fulfill other business objectives).

These articles will provide further information:

• What to implement first: ISO 22301 or ISO 27001? https://advisera.com/27001academy/blog/2017/04/03/what-to-implement-first-iso-22301-or-iso-27001/
• How to implement integrated management system https://advisera.com/articles/how-to-implement-integrated-management-systems/
• Understanding IT disaster recovery according to ISO 27031 https://advisera.com/27001academy/blog/2015/09/21/understanding-it-disaster-recovery-according-to-iso-27031/

Reputation Management ISO product

We are not aware of a Reputation Management ISO product. What we can tell you is about an ISO Technical committee about Online reputation (ISO/TC 290), whose current status is "stand by": https://www.iso.org/committee/5166853.html

Related to this committee there is a single published standard: ISO 20488:2018 Online consumer reviews — Principles and requirements for their collection, moderation and publication : https://www.iso.org/standard/68193.html?browse=tc

Do manufacturing of medical face mask require clean room?

The work environment for the production of face masks depends on the intended use and declarations that you want to put on your medical device. If you want to sell sterile face masks, then you need sterilization facilities. In that case, each mask will be packed in a separate pouch and will be class Is. 

If you do not want it to be sterile, then it is class I. There is no direct requirement in the standard to produce those masks in the cleanroom area. However, in ISO 13485:2016 in requirement 6.4.1 Work environment is stated that organization must be defined and document requirements needed to achieve conformity to product requirements. So, it is up to you how you will decide.

For more information regarding the work environment, please see the following links:

• Managing cleanliness of a product and contamination control according to ISO 13485:2016 https://advisera.com/13485academy/blog/2017/07/04/managing-cleanliness-of-a-product-and-contamination-control-according-to-iso-134852016/
• Managing medical device infrastructure requirements according to ISO 13485:2016 https://advisera.com/13485academy/blog/2017/06/28/managing-medical-device-infrastructure-requirements-according-to-iso-13485/

• Instructions for aspect evaluation

  Your organization will determine the environmental aspects. Determine also the environmental impacts related with each aspect. An organization may have the same environmental aspect but different environmental impacts. For example, wastewater discharging may be into a river with or without any treatment – very different environmental impacts.

  In your instruction you can consider if there is applicable legislation and if it is met or not. If it is not met it is a significant aspect. If it is met, you can apply more evaluation items to define priorities. For example – frequency/probability (normal, periodical, abnormal) – Consequences for the environment (minor, medium, major). These are the two more common topics. However, you add more topics like economic impact, interested parties relevance.

  Please check this information below with more detailed answers:

  • Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
  • Catalogue of environmental aspects - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/catalogue-of-environmental-aspects/
  • How does product life cycle influence environmental aspects according to ISO 14001:2015? - https://advisera.com/14001academy/blog/2016/03/21/how-does-product-life-cycle-influence-environmental-aspects-according-to-iso-140012015/
  • Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
  • ISO 14001 document template: Procedure for Identification and Evaluation of Environmental Aspects and Risks - https://advisera.com/14001academy/documentation/procedure-for-identification-and-evaluation-of-environmental-aspects/
  • Enroll for free in this course – ISO 14001:2015 Lead Auditor Course - https://advisera.com/training/iso-14001-lead-auditor-course/
  • Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
     

• Closed the minor NC for last year

  I'm assuming your question is "What if the client already closed the minor NC for last year, however this year we still find the same issue. Is it minor or major?"

  Considering that, if you found the same issue that should be solved by a previously issued NC, this means that the NC treatment was ineffective, and this would raise a major non-conformity because it means a mandatory requirement of the standard was not fulfilled.
   
  Please note that minor and major non-conformities are generally used for certification audits, not internal audits, and major non-compliances identified during ISO 27001 certification/surveillance audit, can lead to problems with the certification process.
   
  These articles will provide you a further explanation about the impacts of non-compliance:

  • Major vs. minor nonconformities in the certification audit https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
  • Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/