Search results

GDPR data in Azure

GDPR leaves upon the data controller any decision about how to store personal data as long as security measures are taken.Microsoft Azure, as well as many big tech players, is making a great effort to provide GDPR compliant cloud solution and guidelines to its customers that you can follow here: https://azure.microsoft.com/en-in/blog/protecting-privacy-in-microsoft-azure-gdpr-azure-policy-updates/

There are also guidelines for GxP compliance here: https://azure.microsoft.com/en-us/blog/new-azure-gxp-guidelines-help-pharmaceutical-and-biotech-customers-build-gxp-solutions/

You can consider enrolling in the EU GDPR Foundation Course:EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

Communication Security

I'm assuming your organization is using outsourced cloud services.

Considering that, you can exclude controls only if you do not have relevant risks that can be treated by them, and there are no legal requirements (e.g., laws, regulations, or contracts). For example, the organization needs to implement a control to fulfill GDPR, or there are relevant risks related to information backup.

When using outsourced cloud services, you can verify if the provider has implemented such controls. In case they did, define in Statement of Applicability that the required controls are implemented by the provider.

This article will provide you a further explanation about supplier management:

• 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

ISO 9001 + 27001 + 22301 implementation

1. I would like to implement ISO 9001 + 27001 (+ 27002 + 27031) + 22301 (+22313) all at the same time within the same company. I know there is quite a lot of overlap between these standards, but what would you advise we use as a starting point? Should we start with 9001 and add-on all of the additional requirements from the other standards? or start with 27001 ... ? What would you recommend?

The order of implementation will depend on your needs:

• if your priority is to ensure customer satisfaction, then you should use it as a starting point a QMS.
• if your priority is information protection, then you should use as a starting point an ISMS.
• if your priority is to ensure processes and services delivery under disruptive conditions, then you should use as a starting point a BCMS.

These articles will provide further information:

• Using ISO 9001 for implementing ISO 27001 https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
• What to implement first: ISO 22301 or ISO 27001? https://advisera.com/27001academy/blog/2017/04/03/what-to-implement-first-iso-22301-or-iso-27001/
• How to implement integrated management system https://advisera.com/articles/how-to-implement-integrated-management-systems/

2. Is there some sort of overview available of the overlap and differences between these standards?

These materials will provide information about overlaps:

• ISO 27001 vs. ISO 22301 matrix (PDF) https://info.advisera.com/27001academy/free-download/iso-27001-vs-iso-22301-matrix
• ISO 27001 vs. ISO 9001 matrix (PDF) https://info.advisera.com/9001academy/free-download/iso-9001-2015-vs-iso-27001-2013-matrix

IT and Riscs

Excellent answer i got it 

Becoming an ISO 9001 trainer

If you were in my country, I would advise you to:

• get a trainer certificate;
• and promote your expertise and experience as auditor as a basis for your skills as trainer. Find a way of documenting and giving credibility to your knowledge and preparation. Potential clients must be aware of your competence. About competence: Can you provide evidences of experience as auditor? Can you provide evidence of training as auditor? Can you provide evidence of certification as auditor and trainer to provide image and credibility?

Potential clients must be aware of your existence. You must develop your own brand by evidencing your knowledge and experience. You evidence your knowledge when you write. You should write. Share what you know, share your experience and results, share testimonies of your clients about the outcomes of working with you. Use blogs, professional networks, trade magazines, use your LinkedIn profile, make presentations at conferences. And don’t forget to develop a network of contacts.

The following material will provide you more information:

• How to sell your ISO 9001 consulting services - https://advisera.com/9001academy/blog/2017/06/20/how-to-sell-your-iso-9001-consulting-services/
• ISO 9001:2015 Foundations Training Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - ISO internal audit: A plain English guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/
   

How long we should retain measurement system records?

Measurement system records are technical records so the laboratory needs to comply specifcially with the requirements of ISO 17025 clauses 8.2 and 7.5.

The laboratory needs to establish what a suitable retention time is for different types of records, based on contractual and legal requirements.  The potential risk or impact to the laboratory should be evaluated if the period selected is too short, or even too long.  Consideration should be given to the medium  of the records as all requirements of ISO 17025 must be met during the retention period in terms of data confidentiality, security and integrity.  You need to considering both paper, scanned and electronic records. This also includes being able to “read” the record either with the human eye or a computer process, throughout the retention period,  i.e. format ands medium must be contemporaneous. Consider for example if there was a legal dispute over a result or report years down the line, the results would need to be traceable to legible (readable) measurement system records to verify validity of the reported results. 

It is interesting to note that most laboratories do not define the concept of archiving. By definition retention period is the period of time that records (documents) should be retained in their offices of origin or in records centres before they are transferred to an archive(s) <organization>  or otherwise disposed of  (SOURCE: ISO 5127:2017(en) Information and documentation - Foundation and vocabulary). In other wordsm to mitigate risk, a laboratory could consider keeping a particular hand written raw data record for say 6 months, then scanning it and retaining the electronic file with quick access by the laboratory say for 3 years. Thereafter it could be archived for a suitable period, before disposal. Costs need to be considered as a factor in the risk assessment too.

For further information, have a look at the ISO 17025 document template: Document and Record Control Procedure at https://advisera.com/17025academy/documentation/document-and-record-control-procedure/

For supporting information regarding actions to address risks and opportunities, see: 

• The ISO 17025 toolkit document template: Addressing Risks and Opportunities Procedure at  https://advisera.com/17025academy/documentation/addressing-risks-and-opportunities-procedure/
• The article Five-step laboratory risk management according to ISO 17025:2017 at https://advisera.com/17025academy/blog/2019/12/05/iso-17025-risk-management-in-five-steps/
• The Free ISO17025 Academy webinar – How to manage risks in laboratories according to ISO 17025 at https://advisera.com/17025academy/webinar/iso-17025-risk-management-how-to-manage-it-free-webinar-on-demand/ 
   

Approval of documents

Yes, authorship and approval are not exclusive. The only criteria is that a chain of authority coming from top management gives someone the authority to approve a document.

The following material will provide you more information:

• ISO 9001 – New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Política ambiental en la ISO 14001

La principal diferencia entre la política de calidad de la norma ISO 9001 y la política ambiental de la norma ISO 14001 es el enfoque sistemático que ofrecen. En ISO 9001 el enfoque de la política está centrado en la calidad del producto o servicio y satisfacción del cliente, mientras que en ISO 14001 la política ambiental busca medir el impacto ambiental preservar el medio ambiente. 

Para más información sobre la política de calidad y de medio ambiente, vea los siguientes materiales: 

- How to write a good quality policy: https://advisera.com/9001academy/blog/2014/03/25/write-good-quality-policy/

- How to write an ISO 14001 environmental policy: https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/how-to-write-an-iso-14001-environmental-policy/

- Curso gratuito en línea - Fundamentos de ISO 9001:2015 -  https://advisera.com/es/formacion/curso-fundamentos-iso-9001/

- Curso gratuito en línea - Fundamentos de ISO 14001:2015 - https://advisera.com/training/es/course/curso-fundamentos-iso-14001/

- Libro - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

- Libro - The ISO 14001:2015 companion: https://advisera.com/books/the-iso-14001-2015-companion/

Internal audit for clause 8.1

Auditing clause 8.1:

a) You will ask for specifications for products and services. Are they defined, approved and current?
b) 1) You will ask for a process control plan
b) 2) You will ask for a product or service quality control plan
c) You will ask for any definition of conditions or resources needed to meet product or service requirements. For example, materials and components to be used as raw materials, or requirements for subcontractors, or requirements for people – number and competences
d) You will ask for evidences of following and applying b)1) above
e) You can ask for a list about documents and records used in operations.

Audit also how changes are implemented and controlled and how subcontractors are controlled.

The following material will provide you more information:

• ISO 9001 – New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

BCP templates

The BCP templates from the Toolkit are compliant with ISO 22301 and are applicable to organizations of any industry (although our templates are designed for small and mid-sized organizations, up to 500 employees).

The templates provide the basic structure to build a business continuity plan, so they do not contain details about specific industries. The IT examples are used because most of our customers rely on Information Technology processes, but the examples can be extrapolated to any industry.

These articles will provide you a further explanation about elaborating BCPs (not only involving IT scenarios):

• Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/

 These materials will also help you regarding elaborating BCPs:

• Writing a business continuity plan according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/writing-a-business-continuity-plan-according-to-iso-22301-free-webinar-on-demand/
• Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/