Search results

ISO 9001 Vendor Ratings

ISO 9001:2015 is not about ad hoc procurement of services and products. Every organization buy services and products, that are not critical for the business, without a system in place. ISO 9001:2015 clause 8.4 is about procurement of products and services relevant for the business, a kind of procurement that must be done in a systematic and consistent way. Only critical products and services procurement is mandatory to be included in the quality management system.

The following material will provide you more information:

• Purchasing in QMS – The Process & the Information Needed to Make it Work - https://advisera.com/9001academy/blog/2014/03/18/purchasing-qms-process-information-needed-make-work/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Appropriateness of requiring people to give their name/email in order to download special content from website

On May 2020 The European Data Protection Board (EDPB) adopted the new guidelines on consent https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf

It was reminded to controllers and processors that consent to data processing must be free and transparent related to the purposes of the processing. Article 4 (11) GDPR defines consent as: “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Therefore, if you are asking data to verify if the individual is human and you will not process any more data, the request will be coherent with the expectation of the subject (I give the email because I want to download the pdf). On the contrary, you must make clear to the individual that data will be used to send a newsletter or other material so that s/he is informed that data will be used to download material and send him email/promotion/anything else. 

You can find more information about GDPR and email marketing here:Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/Email marketing in the era of GDPR – How to ensure compliance? https://advisera.com/eugdpracademy/blog/2019/05/27/gdpr-and-email-marketing-rules-for-compliant-campaigns/

Four main questions for obtaining and managing data subjects’ consent under GDPR: https://advisera.com/eugdpracademy/knowledgebase/four-main-questions-for-obtaining-and-managing-data-subjects-consent-under-gdpr/

You can also consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

ISO 9001 Drafting QMS Requirements

Determine the monitoring and measurement resources with the appropriate characteristics to ensure valid and reliable results of the conformity of the products or services.
Demonstrate the client and legal requirements applicable to these resources, if any, were determined.
Make the resources available, identified, used and maintained in an appropriate manner for the intended use. To the extent necessary, preventive maintenance activities are planned, curative interventions, verification or calibration instructions are given for their correct use and preservation and the qualification of the people who ensure intended and proper use.
As evidence of the suitability for the purpose of the monitoring and measurement resources, keep records that demonstrates the suitability of the equipment to the intended purpose.
Equipment must be identified with a unique reference, and with their state of fitness, for not be used inappropriately.
 

You can find more information below:

• Monitoring and Measurement Equipment Control - https://advisera.com/9001academy/blog/2014/05/06/monitoring-measurement-equipment-control/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

ISO 14001 Defining Minor and Major CARs

A major nonconformity is a situation where an organization:

• Completely failed to fulfill a certain requirement.
• Has a process that has completely fallen apart – rules are not followed systematically.
• Has several minor nonconformities that are related to the same process or to the same element of the management system.
• If a certification mark is misused
• If a minor nonconformity, raised during the previous audit, has not been resolved within the deadline – such a small nonconformity automatically becomes a major one.

Definition of minor nonconformity is easy: this is any nonconformity that is not major.

You can find more information in the following links:

• Major vs. minor nonconformities in the certification audit - https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
• Free webinar on demand - How to perform an ISO 14001:2015 internal audit - https://advisera.com/14001academy/webinar/how-to-perform-an-iso-14001-2015-internal-audit-free-webinar-on-demand/
• Enroll for free in this course – ISO 14001:2015 Lead Auditor Course - https://advisera.com/training/iso-14001-lead-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
   

ITIL & ISO 20000 Internal interactions

ISO 20000's communication requirements can be used for mentioned purpose.

Here is the article that can help: „IT Service Management communication according to ISO 20000“ https://advisera.com/20000academy/blog/2016/10/18/it-service-management-communication-according-to-iso-20000/

Also, read the article „Communication inside IT Service Management team – setup of joint vocabulary and criteria“ https://advisera.com/20000academy/blog/2013/11/26/communication-inside-service-management-team-setup-joint-vocabulary-criteria/ to see why IT Service Management establishes common language inside the team.

Exceptions in the application of the EU GDPR

To avoid the application of GDPR you should deal with anonymous data. Anonymized data are not under the GDPR. However, there will always be some aspects that require compliance with GDPR (i.e. job contracts, email between employees and researchers, and so on). Being based in the EU you are required to comply with GDPR.

Here you can find more information:

• What is the EU GDPR and why is it applicable to the whole world? https://advisera.com/eugdpracademy/knowledgebase/what-is-the-eu-gdpr-and-why-is-it-applicable-to-the-whole-world/
• First steps to take to reach GDPR compliance: https://advisera.com/eugdpracademy/blog/2018/10/08/first-steps-to-take-to-reach-gdpr-compliance/

If you want to know more about GDPR compliance you can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

GDPR data in Microsoft office

Microsoft is a big player in developing tools to help companies and individuals and it is aware of GDPR requirements. Here you can see the Microsoft GDPR assessment and have a look if it suits your needs: https://www.microsoft.com/en-us/trust-center/privacy/gdpr-overview

Remember that GDPR leaves up to the controller the choice about the level of security compared to the risk, the state of art, and the costs (article 32 GDPR). Microsoft services are acceptable if inserted in policies and procedures that help you to guarantee the level of security. I.e. Microsoft Onedrive can have the best server and antivirus but if your password policy is weak it will be vulnerable to data breach and unauthorized access.

If you want to know more about GDPR compliance you can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

Is the calibration certificate number sufficient to control the calibration certificate issued to customers?  

The number helps you identify and trace the document, but is not the only control required. Each laboratory must determine the necessary controls for all documents and records to meet ISO 17025, customer and regulatory requirements. Calibration certificates require controls to ensure unique identification, indication of amendments, protection, back-up, archive, storage, retrieval, retention time, and disposal. An example of a control measure is protection against editing. Another example is to ensure the correct information is included to minimize any misuse or misunderstanding (see clause 7.8.2).

The Advisera ISO 17025 document template: Calibration Report and Certificate Requirements Procedure at https://advisera.com/17025academy/documentation/calibration-report-and-certificate-requirements-procedure/may be of interest.

Setting up a Quality control Lab

ISO 17025:2017 does not provide specific guidelines for laboratory layout. The requirements for facilities and environmental conditions are covered in clause 6.3. As the facilities and environmental conditions can have a major impact on consistent operation and result validity, the standard requires laboratories to:

• Ensure suitable separation of incompatible activities (eg vibrations near a weighing room is not suitable).
• Document requirements depending on the work to be performed.
• Control, record, and monitor any applicable environmental conditions as specified in methods, procedures, and specifications.

I recommend you document all the equipment you need, then look at their placement and a logical workflow. If you are not familiar with laboratory workflow and needs, it will be beneficial to contact a supplier that outfits laboratories.

For more information, see the ISO 17025 toolkit document template: Facilities and Environmental Condition Procedure at https://advisera.com/17025academy/documentation/facilities-and-environmental-condition-procedure/

and the  whitepaper Clause-by-clause explanation of ISO 17025:2017 at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/

How training should someone have before they are deemed competent for a specific task?

Deeming someone competent needs to be against objective criteria. There is no fixed time period. For some tasks it may take just a few hours, others months. You need to state what does the laboratory needs them to be able to do. For a particular task start by naming the task and documenting the training and competency requirements.

For example 
1. Task: Weekly maintenance of instrument x. 
2. Training requirements: Witness task being demonstrated and was supervised for three operations. 
3. Competence criteria: The instrument operator must be able follow the maintenance work instruction x, completing maintenance steps one to three and thereafter perform the instrument qualification test, step four.  
4. Criteria for evaluation:  4.1 The laboratory manager (or other authorised person) must approve training record by reviewing and signing. 4.2 Witness the operator perform the task, meeting the stated competency criteria.

Now for a specific Operator, record evidence of supervision and training. When completed, the laboratory manager should declare and record the observation during witnessing against the criteria. For example “the operator was witnessed to follow the work instruction. The instrument qualification test performed (ref 2020/02/09, attached to training records) passed as per established limits. Operator “M” is therefore declared competent to perform task x. Competence will be monitored by his supervisor through witnessing and record review".

As personnel training and competency is a critical activity, the Advisera ISO 17025 toolkit includes the mandatory procedure as ISO 17025 document template: Competence, Training and Awareness Procedure along with 4 appendices: Training Program, Training Record and Performance Monitoring, Record of Attendance and Competence Approval and Authorization Record. You can preview the template at https://advisera.com/17025academy/documentation/competence-training-and-awareness-procedure/