We are not legal experts, so our recommended approach is indeed for organizations to hire local expert advice to identify the legal requirements that must be fulfilled to be compliant with ISO 27001 and the EU GDPR. An online search can help at the beginning of your work (for an overview), but local expert advice is highly recommended.
This article will provide you with a further explanation about the identification of requirements:
1. Please correct me if my process is wrong. I have identified one risk title and risk level (High) after doing a risk assessment on one application; then this risk is treated by risk acceptance by the risk owner for the acceptance period. Thus I keep the risk level after this treatment at the same level (High) and the status closed for the acceptance period; it will then be opened again after the acceptance period is over.
Your thinking process is correct (but instead of risk title you should consider calling it risk statement). After accepting the risk, since you will not apply any control, you need to keep the risk level as high until the next assessment.
But please note that to accept a high risk you need to have a robust justification, such as when the effort and resources required to reduce the risk to an acceptable level are greater than the impact if the risk materializes.
For further information see:
2. Could the risk level of the same risk title be different after doing a risk assessment on different applications?
I do appreciate your kind comment and support.
The same risk statement can be of different levels for different applications if they have different values for the organization.
For example, the risk of data loss due to malware can have different values if it occurs in a local inventory application and if it occurs in the payroll application.
This article will provide you with a further explanation about risk assessment:
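As an added illustration (not from the original thread), a small Python risk-register model of both answers above: the same risk statement scored differently per application because impact follows the asset's value to the organization, and risk acceptance closing the item for the acceptance period without lowering its level. The 3x3 scale, application names, scores and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

def risk_level(impact: int, likelihood: int) -> str:
    """Constructed 3x3 scale: impact (asset value to the organization) times
    likelihood, both scored 1-3. Product 1-2 -> Low, 3-4 -> Medium, 6-9 -> High."""
    score = impact * likelihood
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"

@dataclass
class RiskEntry:
    statement: str              # the risk statement (rather than "risk title")
    asset: str                  # the application the statement is assessed against
    impact: int                 # depends on the asset's value to the organization
    likelihood: int
    treatment: str = "none"     # "accept" models risk acceptance by the risk owner
    accepted_until: Optional[date] = None

    def level(self) -> str:
        # Acceptance applies no control, so it never lowers the level.
        return risk_level(self.impact, self.likelihood)

    def status_on(self, today: date) -> str:
        # Only the status changes during the acceptance period; once it ends
        # the item reopens for re-assessment. Untreated risks stay open.
        if (self.treatment == "accept" and self.accepted_until is not None
                and today <= self.accepted_until):
            return "closed (accepted)"
        return "open"

# Constructed register: one statement assessed for two applications.
REGISTER = [
    RiskEntry("Data loss due to malware", "local inventory app", impact=1, likelihood=2),
    RiskEntry("Data loss due to malware", "payroll app", impact=3, likelihood=2,
              treatment="accept", accepted_until=date(2024, 12, 31)),
]

def report(today_iso: str):
    """Return (asset, level, status) per entry as the register shows on that date."""
    today = date.fromisoformat(today_iso)
    return [(e.asset, e.level(), e.status_on(today)) for e in REGISTER]

if __name__ == "__main__":
    print(report("2024-06-01"))   # payroll risk closed (accepted), still High
    print(report("2025-01-01"))   # acceptance expired: payroll risk reopens, still High
```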
ISO 14001 has no additional legal requirements. Companies with an environmental management system in accordance with ISO 14001 are not required to perform better than legally required. In addition, an environmental management system can be used to reduce costs by reducing waste. Finally, an environmental management system can be designed to minimize bureaucracy. So, I cannot subscribe to the idea that implementing an environmental management system is an expensive project.
Please check this information below with more detailed answers:
I cannot give you a straight answer; that will depend on your organization’s internal procedures. When a material has a defect, it is a product nonconformity. ISO 9001:2015 does not mandate a corrective action for each product nonconformity. ISO 9001:2015 requires deciding what to do with that product nonconformity. So, if you want to do that, you have to update your procedure accordingly.
The following material will provide you with more information:
Article 4 paragraph 7 GDPR defines ‘controller’ as the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
It means that whoever collects data is the controller. If you are developing an app that will collect personal data, you (or your company) will be the data controller. You need to declare who the data controller is and inform your data subjects clearly in the privacy notice. Most likely it will be the company and not the person.
The controller will need to comply with GDPR requirements for data processing.
Article 4 paragraph 8 GDPR defines the processor as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
Therefore, the data processor is someone who acts on behalf of the controller. Let’s take an example with your app. You are the developer of the app and you collect users’ personal data. Maybe you are going to share these data with third parties like Google Analytics, which provide you with some services to implement the functionalities of your app. Those third parties will act as the data processors.
It can also be a web agency that sends on your behalf customized emails to your customers. They will process email addresses (which are personal data) on your behalf.
The data processor needs to be appointed by the data controller, who will instruct it on how to process data, what principles to follow, what data retention period to apply, and so on. The data controller also has the power to control and verify whether the processor complies with the data processing principles set.
The responsibilities for not complying with GDPR requirements are liabilities towards data subjects for any damage caused by the data processing and also fines from the Data Protection Authorities. The fines are severe. Infringements are divided into two classes: infringements of data controller and data processor duties have fines of up to 10 000 000 EUR or 2% of annual turnover (whichever is higher), while infringements of basic GDPR principles (like lawfulness of processing) have fines of up to 20 000 000 EUR or 4% of annual turnover (whichever is higher).
Here you can find more information about data transfers, controller and processor:
You can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
Can I replace a CAR/NCR with a material reject form? The form calls out the issue and then allows quality and production to come together in a meeting to resolve the issue at hand and further prevent it.
Implementing a lean quality management system for a consulting firm implies being very pragmatic and knowledgeable about ISO 9001:2015. Now that the standard is less and less bureaucratic, it is up to each organization to develop and implement a lean quality management system.
Set up a project sponsor, a project manager and a project team. Ensure top management support, get training and, as a first step, perform a gap analysis to determine the amount of work to be done, comparing what your organization already has in place versus the ISO 9001:2015 requirements. From that gap analysis you can develop your project plan, listing what needs to be done, by whom, and by when.
Then, an important step is to design a model of how your organization works as a set of interrelated processes. For example:
Decide how to describe and monitor those processes.
From there it is implementation in order to close the gaps found. Then, perform an internal audit and the management review. There you can decide if your organization is ready for a certification audit.
This is a very short description of the journey but below you can find more detailed information:
Yes, it is. According to the contract signed between your company and the certification body, after the certification audit your organization will have yearly surveillance audits.
The following material will provide you with more information:
Internal and external issues are relevant topics that can influence the future of an organization. For example, governments can issue legislation that will affect the activity of a recycling company. Social trends can influence how consumers and households react to recycling practices. As internal issues you can have, for example, an experienced workforce, inflexible machinery or a lack of capacity.
You can find more examples in this free webinar on demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/ (it is about ISO 9001 but I think it may be useful)
The following material will provide you with more information:
Providing a safety culture is critical to implementing ISO 45001, and the crucial step is the example set by top management. There is a saying that “management leads whether they mean to or not”, and this is equally important to a safety culture. If there is a rule that safety glasses need to be worn, but the president of the company never wears them in the area, then this tells people that the safety rules are not important; if top management tries to say safety is important in words, but not in actions, then the culture of safety will not happen. A culture of safety will only occur when the rules are known, understood, and equally applied to everyone; then you can work on maintaining and improving safety.
You can find out more about convincing top management about the OHSMS that are still applicable to ISO 45001 in the article: 4 crucial techniques for convincing your top management to implement OHSAS 18001, https://advisera.com/45001academy/blog/2017/08/30/4-crucial-techniques-for-convincing-your-top-management-to-implement-ohsas-18001/