Search results

Scoping an organisation to be ISO 27001 certified

According to ISO 27001, an ISMS scope must be defined in terms of information, locations, or business units to be protected, considering the organization's objectives and context. For small and medium-sized organizations usually it is better to include all the organizations in the ISMS scope because the effort to manage a scope that covers only part of the organization is not worthy.

These articles will provide you a further explanation about defining scope:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

These materials will also help you regarding defining scope:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

ISO 14001 The Difference between Procedure and Induction Documents

An induction document is a document related with the welcome or preparation of someone into a new job. A procedure is a document that explain how a task or set of tasks are done. A procedure can be used by anyone at any time, whenever there is a doubt. I use to say that a procedure, even for those with a lot of experience is like a map in the glove compartment of a car, or in a smartphone. Normally, we do not need to use it, but sometimes it is very useful.

Please check this article - List of mandatory documents required by ISO 14001:2015 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-mandatory-documents-required-by-iso-140012015/ - where you can see that there is no mandatory requirement for induction documents in ISO 14001:2015.

Please check this information below about ISO 14001:2015:

• Plan-Do-Check-Act in the ISO 14001 standard - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/plan-do-check-act-in-the-iso-14001-standard/
• Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
• ISO 14001 document template: Procedure for Identification and Evaluation of Environmental Aspects and Risks - https://advisera.com/14001academy/documentation/procedure-for-identification-and-evaluation-of-environmental-aspects/
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
   

ISO 9001 Vendor Ratings

ISO 9001:2015 is not about ad hoc procurement of services and products. Every organization buy services and products, that are not critical for the business, without a system in place. ISO 9001:2015 clause 8.4 is about procurement of products and services relevant for the business, a kind of procurement that must be done in a systematic and consistent way. Only critical products and services procurement is mandatory to be included in the quality management system.

The following material will provide you more information:

• Purchasing in QMS – The Process & the Information Needed to Make it Work - https://advisera.com/9001academy/blog/2014/03/18/purchasing-qms-process-information-needed-make-work/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Appropriateness of requiring people to give their name/email in order to download special content from website

On May 2020 The European Data Protection Board (EDPB) adopted the new guidelines on consent https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf

It was reminded to controllers and processors that consent to data processing must be free and transparent related to the purposes of the processing. Article 4 (11) GDPR defines consent as: “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Therefore, if you are asking data to verify if the individual is human and you will not process any more data, the request will be coherent with the expectation of the subject (I give the email because I want to download the pdf). On the contrary, you must make clear to the individual that data will be used to send a newsletter or other material so that s/he is informed that data will be used to download material and send him email/promotion/anything else. 

You can find more information about GDPR and email marketing here:Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/Email marketing in the era of GDPR – How to ensure compliance? https://advisera.com/eugdpracademy/blog/2019/05/27/gdpr-and-email-marketing-rules-for-compliant-campaigns/

Four main questions for obtaining and managing data subjects’ consent under GDPR: https://advisera.com/eugdpracademy/knowledgebase/four-main-questions-for-obtaining-and-managing-data-subjects-consent-under-gdpr/

You can also consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

ISO 9001 Drafting QMS Requirements

Determine the monitoring and measurement resources with the appropriate characteristics to ensure valid and reliable results of the conformity of the products or services.
Demonstrate the client and legal requirements applicable to these resources, if any, were determined.
Make the resources available, identified, used and maintained in an appropriate manner for the intended use. To the extent necessary, preventive maintenance activities are planned, curative interventions, verification or calibration instructions are given for their correct use and preservation and the qualification of the people who ensure intended and proper use.
As evidence of the suitability for the purpose of the monitoring and measurement resources, keep records that demonstrates the suitability of the equipment to the intended purpose.
Equipment must be identified with a unique reference, and with their state of fitness, for not be used inappropriately.
 

You can find more information below:

• Monitoring and Measurement Equipment Control - https://advisera.com/9001academy/blog/2014/05/06/monitoring-measurement-equipment-control/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

ISO 14001 Defining Minor and Major CARs

A major nonconformity is a situation where an organization:

• Completely failed to fulfill a certain requirement.
• Has a process that has completely fallen apart – rules are not followed systematically.
• Has several minor nonconformities that are related to the same process or to the same element of the management system.
• If a certification mark is misused
• If a minor nonconformity, raised during the previous audit, has not been resolved within the deadline – such a small nonconformity automatically becomes a major one.

Definition of minor nonconformity is easy: this is any nonconformity that is not major.

You can find more information in the following links:

• Major vs. minor nonconformities in the certification audit - https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
• Free webinar on demand - How to perform an ISO 14001:2015 internal audit - https://advisera.com/14001academy/webinar/how-to-perform-an-iso-14001-2015-internal-audit-free-webinar-on-demand/
• Enroll for free in this course – ISO 14001:2015 Lead Auditor Course - https://advisera.com/training/iso-14001-lead-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
   

ITIL & ISO 20000 Internal interactions

ISO 20000's communication requirements can be used for mentioned purpose.

Here is the article that can help: „IT Service Management communication according to ISO 20000“ https://advisera.com/20000academy/blog/2016/10/18/it-service-management-communication-according-to-iso-20000/

Also, read the article „Communication inside IT Service Management team – setup of joint vocabulary and criteria“ https://advisera.com/20000academy/blog/2013/11/26/communication-inside-service-management-team-setup-joint-vocabulary-criteria/ to see why IT Service Management establishes common language inside the team.

Exceptions in the application of the EU GDPR

To avoid the application of GDPR you should deal with anonymous data. Anonymized data are not under the GDPR. However, there will always be some aspects that require compliance with GDPR (i.e. job contracts, email between employees and researchers, and so on). Being based in the EU you are required to comply with GDPR.

Here you can find more information:

• What is the EU GDPR and why is it applicable to the whole world? https://advisera.com/eugdpracademy/knowledgebase/what-is-the-eu-gdpr-and-why-is-it-applicable-to-the-whole-world/
• First steps to take to reach GDPR compliance: https://advisera.com/eugdpracademy/blog/2018/10/08/first-steps-to-take-to-reach-gdpr-compliance/

If you want to know more about GDPR compliance you can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

GDPR data in Microsoft office

Microsoft is a big player in developing tools to help companies and individuals and it is aware of GDPR requirements. Here you can see the Microsoft GDPR assessment and have a look if it suits your needs: https://www.microsoft.com/en-us/trust-center/privacy/gdpr-overview

Remember that GDPR leaves up to the controller the choice about the level of security compared to the risk, the state of art, and the costs (article 32 GDPR). Microsoft services are acceptable if inserted in policies and procedures that help you to guarantee the level of security. I.e. Microsoft Onedrive can have the best server and antivirus but if your password policy is weak it will be vulnerable to data breach and unauthorized access.

If you want to know more about GDPR compliance you can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

Is the calibration certificate number sufficient to control the calibration certificate issued to customers?  

The number helps you identify and trace the document, but is not the only control required. Each laboratory must determine the necessary controls for all documents and records to meet ISO 17025, customer and regulatory requirements. Calibration certificates require controls to ensure unique identification, indication of amendments, protection, back-up, archive, storage, retrieval, retention time, and disposal. An example of a control measure is protection against editing. Another example is to ensure the correct information is included to minimize any misuse or misunderstanding (see clause 7.8.2).

The Advisera ISO 17025 document template: Calibration Report and Certificate Requirements Procedure at https://advisera.com/17025academy/documentation/calibration-report-and-certificate-requirements-procedure/may be of interest.