Search results

ISO representative responsabilities

ISO 9001:2015 no longer makes mandatory the existence of an ISO representative function. So, organizations are free to decide to keep that function, and are free to decide what are their responsibilities and authorities. This is the technical answer.

The practical answer, based on my experience, is that an ISO representative can be a Project Sponsor or a Project Manager. As Project Manager an ISO representative coordinates a Project Team. Members of that Project Team should work together with people from each department to question the organization’s status quo, think about improvements and develop work procedures.

Putting an ISO representative as the sole writer of work procedures will delay the project implementation, will fuel resistance to change and will be far from effective to improve an organization’s performance.

Perhaps the following information could be useful for you:

• Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
• You can enroll for free in this ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

ISO27001 for a Cloud Service Provider

First is important to note that ISO 27001 is not applied to services, but to the process they rely on.

The second issue is, I'm assuming your question is about if the approach to a cloud services provider is similar to a data center provider.

Considering that, the general approach is the same:

• identify relevant requirements (e.g., business, customers, legal, etc.)
• identify and treat relevant risks
• operate, evaluate and improve the controls and processes

The difference will be on the application of controls related to the type of provided cloud service. For example:

• for IaaS, the controls applied by the provider will be limited to physical infrastructure and virtual machines
• for PaaS, the controls applied by the provider will also cover virtual servers, and, to some degree, applications
• For SaaS, the controls applied by the provider will cover datacenter facilities’ physical location, hardware, and software

For a data center provider, the provider will have to consider applying controls to datacenter facilities’ physical location, hardware, software, and data.

This article will provide you a further explanation about ISMS scope for cloud services

• Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
• ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

These materials will also help you regarding ISO 27001:

• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Difference in between ISO 9001 and ITAF 16949

ISO 9001 sets the base requirements of a quality management system. It is a generic standard, that means that can be used in any kind of organization. The IATF 16949 standard is a supplemental standard and is used in conjunction with ISO 9001 in the automotive sector.

Without any doubt ISO 9001 is easier and most appropriate for a small business company. I would only recommend IATF 16949 if your company is operating in the automotive sector and if any major customer requires its use.

You can find more information about ISO 9001 below:

• What are the main differences between IATF 16949 and ISO 9001? - https://advisera.com/16949academy/blog/2019/11/19/iso-9001-vs-iatf-16949-what-is-the-difference/
• What is ISO 9001? - https://advisera.com/9001academy/what-is-iso-9001/
• Quality Management System: What is it? - https://advisera.com/9001academy/knowledgebase/quality-management-system-what-is-it/
• Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
• Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

GDPR and ISMS

I'm assuming that you already have knowledge about GDPR requirements related to information security.

Considering that, the proper course will depend on your objective:

• if you want to understand ISO 27001 and its controls to apply them for GDPR, you must go for the ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
• if you want to implement ISO 27001 controls to cover GDPR, you must go for the ISO 27001:2013 Lead Implementer Course https://advisera.com/training/iso-27001-lead-implementer-course/
• if you want to audit if ISO 27001 controls applied to cover GDPR, you must go for the ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

This article will provide you a further explanation about ISO 27001 and GDPR:

• Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/

This material will provide you a further explanation about ISO 27001 and GDPR:

• How to integrate GDPR with ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-integrate-gdpr-with-iso-27001-free-webinar-on-demand/

Hand sanitizers under ISO 13485

According to the ISO 13485:2016, device that can be considered as medical devices is disinfectant substances. Here is the differentiation between similar products: sanitizers reduce bacteria on a surface by at least 99.9%, disinfectants kill a wider range of microorganisms (than sanitizers), and cleaners simply remove dirt, soils, and impurities from surfaces. 

So, if you declare that your hand sanitizer KILLS microorganisms, that it is disinfectant and is defined as a medical device that needs to be manufactured under ISO 13485:2016. If this is not your statement, then it is most probable that your product is a cosmetic product and needs to be produced in compliance with ISO 22716:2007 Cosmetics — Good Manufacturing Practices (GMP) — Guidelines on Good Manufacturing Practices.

For more information read the following article: 

• What is ISO 13485? https://advisera.com/13485academy/what-is-iso-13485/

In case you decide to implement ISO 13485:2016, following link can help to see which documentation is necessary: 

• ISO 13485:2016 Documentation Toolkit https://advisera.com/13485academy/iso-13485-documentation-toolkit/  

• Change in quality manual

  If the quality manual mentions the Management Representative by his or her name, then there is need to update the quality manual. For example, some organizations include in the quality manual an organization chart with names. If the person changes the organization chart becomes outdated and the same for the quality manual.

  You can find more information about document control below:

  • New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
  • How to set up document approval/withdrawal within your QMS based on ISO 9001:2015 - https://advisera.com/9001academy/blog/2016/04/12/how-to-set-up-document-approvalwithdrawal-within-your-qms-based-on-iso-90012015/
  • Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

• Audit of completed erasure

  I have a GDPR question that’s not related to DPIAs and has been bugging me since I went through our GDPR documentation (from your kit – thank you 😊).

  We make software that is sold as a product but also offered SaaS. My question is related to the Right to Erasure. The product has a  directory database in it which holds, at minimum, business contact details.
  By design, there is no reason for the directory to hold anything more, although we do allow custom fields to be labeled an populated with anything. We have a Privacy module that allows a nominated set of DP users (either the customer or our managed services team) to run a “forget” process. This anonymizes all data held in the SQL warehouse and directory relating to the forgotten person.

  My dev team wants to have an audit trail to demonstrate that the process has been performed, and that is my preference as well, but without the name, it is pretty pointless.

  So, my question is: Do we need to have an audit of a completed erasure?

   

  An audit of completed erasure could enhance your accountability in complying with the right to be forgotten and it is a good choice yet it is not mandatory because GDPR leaves up to the Data controller the choice on how to comply with data subjects’ rights.

   

  If we have one and use the forgotten person’s name with no way to reverse engineer the process, is that compliant?

  Yes, the GDPR does not provide a specific definition of “erasure”, so it is open to interpretation. Austrian Data Protection Authority in 2018 considered irrevocable anonymization as compliant as data deletion. The key point is to highlight that once anonymized re-identification has become impossible. That’s why an audit of complete erasure (or irrevocable anonymization) is a good idea: you will be able to demonstrate your compliance with the data subject’s request.

  You can find more information in these articles:

  • Right to be forgotten in the era when everyone seems willing to be remembered: https://advisera.com/eugdpracademy/blog/2019/08/26/gdpr-right-to-be-forgotten-an-easy-explanation/
  • Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
  • Four main questions for obtaining and managing data subjects’ consent under GDPR: https://advisera.com/eugdpracademy/knowledgebase/four-main-questions-for-obtaining-and-managing-data-subjects-consent-under-gdpr/

  You can also consider enrolling in this free online EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

• Internal audit

  No, it is not mandatory to do that.

  Some may do it:

  • to gather more first-hand information that cannot be grasped from an audit report,
  • to help auditees in more need,
  • because they don’t trust the auditor;
  • because they want to check the auditor opinion in some “cloudy” areas;
  • because they want to pressure the audit content.

  The following material will provide you more information about internal audit:

  • 13 Steps for ISO 9001 Internal Auditing using ISO 19011 - https://advisera.com/9001academy/knowledgebase/13-steps-for-iso-9001-internal-auditing-using-iso-19011/
  • How to write a good ISO 9001 audit nonconformity? - https://advisera.com/9001academy/blog/2018/04/24/how-to-write-a-good-iso-9001-audit-nonconformity/
  • Free webinar on demand - How to perform an ISO 9001:2015 internal audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/
  • Enroll for free at ISO 9001:2015 Lead Auditor Training Course - https://advisera.com/training/iso-9001-lead-auditor-course/
  • Book ISO Internal Audit: A Plain English Guide https: //advisera.com/books/iso-internal-audit-plain-english-guide/

• Nonconformity detection process

  Remember, when ISO 14001 speaks of nonconformity, the requirements refer to the nonconformity of a process with respect to the environmental aspects associated with that process. So, you must start with determining and classifying your organization’s environmental aspects and impacts. From there your organization:

  • Design monitoring activities (water discharge quality, air emissions, amounts of wastes, …);
  • Develop procedures and instructions to guide behavior.
     

  Now, you can use the risk-based approach. For each of these actions your organization can ask:

  • What can go wrong?
  • Is it relevant?
  • Can we do something to prevent it from happening?
  • Can we do something to detect if it happens? 

  Whenever your detection scheme, your control activities, find something wrong from that list you have a nonconformity. Your organization may develop a central procedure to handle all environmental nonconformities or may have rules inserted in each monitoring plan or procedure/instruction about how to handle each specific environmental nonconformity. For example:

  • What to do when air emission quality is noncompliant with legislation or permit?
  • What to do when employees are not segregating wastes?
     

  Please consider the following information:

  • Environmental Nonconformity Management: How is ISO 14001 different from ISO 9001 - https://advisera.com/14001academy/blog/2014/10/08/environmental-nonconformity-management-iso-14001-different-iso-9001/
  • Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
  • Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

• ISO 270001 standard implementation

  For ISO 27001 certification, a disaster recovery site is necessary only if you have relevant risks that are reduced to acceptable levels by implementing this approach, or if there are legal requirements (e.g., laws, regulations or contracts) demanding the implementation of this site.

  If none of the above-mentioned conditions apply, then you do not need a disaster recovery site to be certified.

  This article will provide you a further explanation about selecting controls:
  - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
  - Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/

  These materials will also help you regarding ISO 27001 implementation:
  - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  - ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/