Search results

ISO 9001 Risk register

No, it is not mandatory to maintain a risk register. Please check this article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/

Having said that, I recommend organizations to maintain a risk register.

You can find more information below.

• How to address risks and opportunities in ISO 9001: https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
• Does ISO 9001 require a procedure for addressing risks and opportunities?: https://advisera.com/9001academy/blog/2017/10/10/does-iso-9001-require-a-procedure-for-addressing-risks-and-opportunities/
• For a free preview of an example of the Registry of Key Risks and Opportunities - https://advisera.com/9001academy/documentation/registry-of-key-risks-and-opportunities/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Physical hosting in EU data centers for products and processing

Recently the European Court of Justice (in Shrems II decision) invalidated the adequacy decision of the EU Commission claiming that US Privacy Shield granted an adequate safeguard for data protection in the United States. This means that any data transfer between the EU and the US must be on another legal ground like the Standard Contractual Clauses (SCC) or the Binding Corporate Rules (BCR). 

The European Data Protection Board (EDPB) recently published a FAQ sheet on the implication of the Shrems II decision that you can find here: https://edpb.europa.eu/news/news/2020/european-data-protection-board-publishes-faq-document-cjeu-judgment-c-31118-schrems_en

One of the suggestions that arose from EDPB is to consider avoiding storing personal data in the US and prefer Cloud Service Providers with servers based in the EU in order to be compliant with GDPR requirements. Please note that the decision applies to the transfer of personal data, not to all data transfers.

Here you can find more information:

• Full text of EU GDPR (General Data Protection Regulation) https://advisera.com/eugdpracademy/gdpr/
• 3 steps for data transfers according to GDPR: https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/
• What is the EU GDPR and why is it applicable to the whole world? https://advisera.com/eugdpracademy/knowledgebase/what-is-the-eu-gdpr-and-why-is-it-applicable-to-the-whole-world/

You can consider enrolling in our free EU GDPR Foundations Course:

• EU GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course//

• ISO 9001 Different types of audits

  Answer:

  1. Upstream, and downstream audits are about doing audits along a supply chain upstream or downstream from a reference point

  2. A horizontal audit is when you audit one process across many departments in the organization. A vertical audit is when you audit all the processes used by a department. 

  3. Process audits are another name for horizontal audits

  4. These are the more common types

  You can find more information below

  • ISO 9001 Horizontal audit vs. vertical audit - https://advisera.com/9001academy/blog/2015/03/03/iso-9001-horizontal-audit-vs-vertical-audit/
  • ISO 9001 internal auditor training: Is it for me? - https://advisera.com/9001academy/blog/2015/06/02/iso-9001-internal-auditor-training-is-it-for-me/
  • Free webinar on demand - How to perform an ISO 9001:2015 internal audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/
  • Free online training ISO 9001:2015 ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/ nal-auditor-course/
  • Book - ISO internal audit: A plain English guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/

• Disposal of sensitive data

  Please note that ISO 27001 does not provide technical guidance on how to perform data disposal. 

  For technical guidance, you should consider these references:

  • ISO/IEC 27040 Information technology — Security techniques — Storage security https://www.iso.org/obp/ui/#iso:std:iso-iec:27040:ed-1:v1:en
  • NIST 800-88 - Guidelines for Media Sanitization https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final

  These articles can also help:

  • Secure equipment and media disposal according to ISO 27001 https://advisera.com/27001academy/blog/2015/12/07/secure-equipmentand-media-disposal-according-to-iso-27001/
  • 5 practical tips for media disposal according to ISO 27001 https://advisera.com/27001academy/blog/2018/10/22/5-practical-tips-for-media-disposal-according-to-iso-27001/

• Cleaning validation SOP for orthopedic medical device

  what I am looking for Cleaning validation SOP for orthopedic medical device"

• ISO 45001 implementation minimal requirements

  There is no set of “minimum requirements” to implement ISO 45001, every requirement in the standard (identified with the work “shall”) needs to be addressed. However, the requirements describe what needs to be done, but do not give details on how to implement them, because they need to be tailored to your organization. For instance,  ISO 45001 does not tell you what OH&S legal requirements you need to meet (since this will be different all over the world), but requires that you have a process to identify your legal requirements, keep up to date with changes to these requirements, and confirm that you meet the requirements.

  You can learn more about the requirements in the whitepaper: Clause-by-clause explanation of ISO 45001:2018, https://info.advisera.com/45001academy/free-download/clause-by-clause-explanation-of-iso-45001

• ISO 14001 Risk Register Preparation

  You can prepare a table where you list:

  • risks,
  • sources,
  • measure of severity,
  • measure of probability,
  • measure of significance,
  • actions to be implemented,
  • responsibilities,
  • main resources needed,
  • time frame.
     

  You can find more information below:

  • ISO 14001 risks and opportunities vs. environmental aspects - https://advisera.com/14001academy/blog/2016/03/21/how-does-product-life-cycle-influence-environmental-aspects-according-to-iso-140012015/
  • Risks and opportunities in ISO 14001:2015 – What they are and why they are important - https://advisera.com/14001academy/blog/2016/03/07/risks-and-opportunities-in-iso-140012015-what-they-are-and-why-they-are-important/
  • Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
  • ISO 14001 document template: Procedure for Identification and Evaluation of Environmental Aspects and Risks - https://advisera.com/14001academy/documentation/procedure-for-identification-and-evaluation-of-environmental-aspects/
  • Enroll for free in this course – ISO 14001:2015 Lead Auditor Course - https://advisera.com/training/iso-14001-lead-auditor-course/
  • Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
     

• GDPR Implementation Inquiry

  "We have an inquiry regarding the GDPR implementation, we are a software company that develops a software solutions to  a customer X at Europe ; the  software solutions are carrying personal information for X’s employees so we are a processor.
  Internal systems developed and maintained by my company  for other customers that have EU citizen employees should be GDPR compliant and in this case it should be secure by design and data should be secured at rest considering there is no agreement between the client and ourselves for applying GDPR requirements on the system ..please confirm?

   

  You are a data processor under GDPR because you are processing personal data on behalf of your Client. You need a data processor appointment agreement to comply with obligations listed in Article 28 GDPR. It helps you to demonstrate accountability to GDPR principles in case of controls by Data Protection Authorities. 

  We developed the template of the Agreement to use with your Clients applying GDPR:
  EU GDPR document template: Supplier Data Processing Agreement https://advisera.com/eugdpracademy/documentation/supplier-data-processing-agreement/

  You can also find more information here:

  • Full text of GDPR: https://advisera.com/eugdpracademy/gdpr/
  • EU GDPR controller vs. processor – What are the differences? https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/

   

  Regarding personal rights, are these rights applied on employees as they are EU citizens in the way that is compliant with business rules and data retention policies, for example if the employee left the company and wants his data to be deleted, in this case the company should reply within 1 month that according to the business needs and regulations, his data will be retained for 5 years for example and after these 5 years ha may ask for a data deletion confirmation, is that right? We need to know what are the employee rights here and what to be applied at our systems? 

   

  Being a data processor under GDPR you need to guarantee data subjects’ rights in your system. However, it should be the data controller to ensure that you comply with GDPR requirements through the Data Processing Agreement.

  This happens because data subjects shall exercise their rights in front of the data controller and you – as a data processor – will be jointly responsible. Keep in mind that retention periods may vary under national legislation implementing GDPR requirements (I.e. in Italy bookkeeping legislation requires a company to store documents for 10 years) so you need to check it with your Client.

  The employee rights are those listed from Article 15 to 22 GDPR:

  • Right of access
  • Right of rectification
  • Right of erasure (Right to be forgotten)
  • Right to restriction of processing
  • Right to data portability
  • Right to lodge a complaint to a Data Protection Authority
  • Right to object
  • Right to ask for human control in case of automated individual decision-making

  Here you can find more information:

  • Full text of GDPR: https://advisera.com/eugdpracademy/gdpr/
  • Data subject rights according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/8-data-subject-rights-according-to-gdpr//

  You can consider enrolling in our free EU GDPR Foundations Course
  EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//