Yes, your company can apply ISO 9001 and be certified. Some of the benefits that normally accrue from certification, and that are usually mentioned by organizations, are: improvement of credibility and image; improvement of customer satisfaction; and reduction of costs due to unwanted variability.
The following material will provide you with more information:
Determining environmental aspects is determining how an organization interacts with the environment. For example:
Determining risks and opportunities of an organization, according to ISO 14001:2015, is based on its environmental aspects, compliance obligations, and context and interested parties.
For example, concerning environmental aspects we can have:
Since organizations have to consider the lifecycle of their products and services, do not forget to consider risks and opportunities around your products and services during use or final disposal.
For example, concerning compliance obligations, context and interested parties, the above organization can realize that neighbors (an interested party) are pressuring local authorities not to allow its expansion (an external issue) due to non-compliance with wastewater discharge legislation (a compliance obligation), translated into river pollution.
Please check the risk definition (3.2.10) in ISO 14001:2015 (effect of uncertainty). With environmental aspects and impacts we are considering normal, expected situations, like startup and closing down operations, but also abnormal and emergency situations. Whenever there is uncertainty there are risks or opportunities: there is a potential deviation from the expected.
About determining risks based on environmental aspects and compliance obligations I see that different organizations follow different approaches:
1. There are organizations that determine their environmental aspects and use a risk and opportunities assessment to determine their significant environmental aspects. (Please see the end of the second paragraph of Annex A.6.1.1 of ISO 14001:2015.)
2. There are organizations that determine their environmental aspects, evaluate them and determine the significant ones, and then use a risk and opportunities assessment to determine which ones need an action plan and which ones only need to be monitored.
3. There are organizations that only apply the risk-based approach to the context part. In a certain way they are following the same approach as 1 without explicitly mentioning it.
Please check this information below with more detailed answers:
We are not legal experts, so our recommended approach is indeed for organizations to hire local expert advice to identify the legal requirements that must be fulfilled to be compliant with ISO 27001 and the EU GDPR. An online search can help at the beginning of your work (for an overview), but local expert advice is highly recommended.
This article will provide you with a further explanation about the identification of requirements:
1. Please correct me if my process is wrong. I have identified one risk title and risk level (High) after performing a risk assessment on one application; this risk is then treated by risk acceptance by the risk owner for the acceptance period. Thus I keep the risk level after this treatment at the same level (High) and the status closed for the acceptance period; it will then be opened again after the acceptance period is over.
Your thinking process is correct (but instead of "risk title" you should consider calling it "risk statement"). After accepting the risk, since you will not apply any control, you need to keep the risk level as high until the next assessment.
But please note that to accept a high risk you need to have a robust justification, such as the effort and resources required to reduce the risk to an acceptable level being greater than the impact if the risk materializes.
For further information see:
2. Could the risk level of the same risk title be different after performing a risk assessment on different applications?
I do appreciate your kind comments and support.
The same risk statement can be of different levels for different applications if they have different values for the organization.
For example, the risk of data loss due to malware can have different values if it occurs in a local inventory application and if it occurs in the payroll application.
This article will provide you with a further explanation about risk assessment:
ISO 14001 has no additional legal requirements. Companies with an environmental management system in accordance with ISO 14001 are not required to perform better than legally required. In addition, an environmental management system can be used to reduce costs by reducing waste. Finally, an environmental management system can be designed to minimize bureaucracy. So, I cannot subscribe to the idea that implementing an environmental management system is an expensive project.
Please check this information below with more detailed answers:
I cannot give you a straight answer; that will depend on your organization's internal procedures. When a material has a defect, it is a product nonconformity. ISO 9001:2015 does not mandate a corrective action for each product nonconformity. ISO 9001:2015 requires deciding what to do with that product nonconformity. So, if you want to do that, you have to update your procedure accordingly.
The following material will provide you with more information:
Article 4 paragraph 7 GDPR defines ‘controller’ as the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
It means that whoever collects data is the controller. If you are developing an app that will collect personal data, you (or your company) will be the data controller. You need to declare who the data controller is and inform your data subjects clearly in the privacy notice. Most likely it will be the company and not the person.
The controller will need to comply with GDPR requirements for data processing.
Article 4 paragraph 8 GDPR defines the processor as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
Therefore, the data processor is someone who acts on behalf of the controller. Let's take an example with your app. You are the developer of the app and you collect users' personal data. Maybe you are going to share this data with third parties like Google Analytics, which provide you with some services to implement the functionalities of your app. Those third parties will act as the data processors.
It can also be a web agency that sends on your behalf customized emails to your customers. They will process email addresses (which are personal data) on your behalf.
The data processor needs to be appointed by the data controller, who will instruct it on how to process data, what principles to follow, what data retention period to apply, and so on. The data controller also has the power to control and verify whether the processor complies with the data processing principles set.
The responsibilities for not complying with GDPR requirements are liabilities towards data subjects for any damage caused by the data processing, and also fines from the Data Protection Authorities. The fines are severe. Infringements are divided into two classes: infringements of data controller and data processor duties have fines up to 10 000 000 EUR or 2% of annual turnover (whichever is higher), while infringements of basic GDPR principles (like lawfulness of processing) have fines of 20 000 000 EUR or 4% of annual turnover (whichever is higher).
Here you can find more information about data transfers, controller and processor:
You can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
Can I replace a CAR/NCR with a material reject form? The form calls out the issue and then allows quality and production to come together in a meeting to resolve the issue at hand and further prevent it.
Implementing a lean quality management system for a consulting firm implies being very pragmatic and knowledgeable about ISO 9001:2015. Now that the standard is less and less bureaucratic, it is up to each organization to develop and implement a lean quality management system.
Set up a project sponsor, a project manager and a project team. Ensure top management support, get training and, as a first step, perform a gap analysis to determine the amount of work to be done, comparing what your organization already has in place versus the ISO 9001:2015 requirements. From that gap analysis you can develop your project plan, listing what needs to be done, by whom, and by when.
Then, an important step is to design a model of how your organization works as a set of interrelated processes. For example:
Decide how to describe and monitor those processes.
From there, it is implementation, in order to close the gaps found. Then perform an internal audit and the management review. There you can decide whether your organization is ready for a certification audit.
This is a very short description of the journey but below you can find more detailed information:
Yes, it is. According to the contract signed between your company and the certification body, after the certification audit your organization will have yearly surveillance audits.
The following material will provide you with more information: