Search results

Controls for Acceptable Use Policy and awareness

Thanks so much. Very revealing 

GDPR and the relation whit CCPA

CCPA and GDPR have a similar approach to data protection yet with different perspectives. While GDPR is focused on consent and information to the user, CCPA is focused on transparency and the consumer's right to opt-out. Most of GDPR rules make you compliant with CCPA.

First of all, you should check if you are a business under CCPA, also remember that it refers to California residing consumers. 

Businesses, under CCPA, require:

AS9100D, Section 8.4.1

Identifying and managing the risks of externally provided processes, products and services is really a function of the purchasing department, as they are the ones working with these providers to ensure that they deliver on time, give good products and services, meet the requirements, etc. In fact, your purchasing process likely already has this included in one way or another when purchasers are assessing which supplier to buy from. I would suggest this goes into your purchasing process, possibly as training for purchasers.

You can find out more on this procurement requirements in the article: Purchasing in QMS – The Process & the Information Needed to Make it Work, https://advisera.com/9001academy/blog/2014/03/18/purchasing-qms-process-information-needed-make-work/

Employment matter

According to the article 15 GDPR you have the right to access your personal data processed by the data controller. Therefore, if you had a wage increase you should have access to those data referring to you.Consider that if the wage increase is due to renegotiation of the service agreement between the local authority and your agency, data may not directly refer to you and it may be outside the GDPR, such agreement may be also under a confidentiality clause. You could send an access request to your data under article 15 GDPR demanding a reason in case of denial of access (article 23 GDPR has some restriction to data subjects rights) and check with your local labor lawyer or worker's Union representative what right of access to company registers workers have in your country. 

You can also find here some information about how employers deal with employees data under GDPRHow the GDPR could impact your HR department: https://advisera.com/eugdpracademy/blog/2018/02/22/how-the-gdpr-could-impact-your-hr-department/

If you want to know more about EU GDPR you can also take our free Foundation course

EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

ISO 9001 Certification before or after breakeven point

Implementing a quality management system according to ISO 9001 has in itself several benefits. Please check this article - Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/ Certification is the next step.

What could be the benefits of certification? Can certification help your organization win new customers or enter new market segments? Can certification improve your image and credibility among customers or other relevant interested parties?

If the answer is yes, perhaps your organization can invest in a certification to be able to get a return from that move.

Please check this article about the main steps to implement a QMS according to ISO 9001:2015 requirements - Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/ - Step 3 is where you define the borders of the QMS

The following material will provide you information about implementation:

• Article -  ISO 9001: The importance of the process approach - https://advisera.com/9001academy/blog/2015/12/01/iso-9001-the-importance-of-the-process-approach/
• Free webinar on-demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
• Enroll for a free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/"

AS9100D Sections 9 and 10

When the standard is asking you to use the process approach, they are not saying that each clause will comprise a process. A process is anything that you do that takes inputs, does something to them, and creates outputs (see the AS9100 introduction section 0.3). This means that you need to identify all of the processes you do (and you will find that everything you do is a process) to create your products and services, and how these interact (as per clause 4.4).

So, you will need to identify processes such as contract review, design, purchasing, etc. as your processes and see what the requirements of those processes are to meet AS9100, customer requirements, legal requirements, and your own internal requirements. These processes interact and make up your QMS.

As for AS9100 sections 9 & 10, companies will very often have processes that align with these sub-clauses; for instance, internal audit is a process, management review is a process, corrective action is a process, and improvement activities is a process. Monitoring and measurement may not be a process in and of itself, but all processes will need monitoring and measurement, and your company may also have some key performance indicators (KPIs) that management uses to know the QMS is working well.

Since the process approach comes from the ISO 9001 management principles, you can get more information in this article from 9001Academy: ISO 9001: The importance of the process approach, https://advisera.com/9001academy/blog/2015/12/01/iso-9001-the-importance-of-the-process-approach/

You may also want to check out this 9001Academy webinar: The Process Approach - What it is, why it is important, and how to do it, https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/

Appointing consultants for implementation

The point that comes to my mind is familiarity. The person who did the Gap Analysis is already familiar with the organization, has already contacted people and, has done so with a general approach, not detailed, which allowed him/her to develop a big picture of the organization.

The following material will provide you more information consultants and implementation:

• How to choose an ISO 9001 consultant - https://advisera.com/9001academy/blog/2019/11/12/iso-9001-consultant-how-to-hire-the-right-one/
• Free online training ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-auditor-course/
• Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Renewing mandatory documents

Let us use the list from this article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/

• Scope of the QMS (clause 4.3) – Only need to be updated after a formal decision to change the scope;
• Quality policy (clause 5.2) - Only need to be updated after a formal decision to make changes in the quality policy;
• Quality objectives (clause 6.2) – Should be updated whenever your organization decides to update objectives, or targets or timeframe;
• Criteria for evaluation and selection of suppliers (clause 8.4.1) Only need to be updated after a formal decision to make changes in the criteria

The following material will provide you more information about documentation:

• How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
• How to set up document approval/withdrawal within your QMS based on ISO 9001:2015 - https://advisera.com/9001academy/blog/2016/04/12/how-to-set-up-document-approvalwithdrawal-within-your-qms-based-on-iso-90012015/
• Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
   

Relevance of EMS to communities

The community, the neighborhood, the local authorities, may be relevant interested parties for an environmental management system. When an organization determines its environmental aspects and compliance obligations some may be related with these interested parties. So, implementing an environmental management system may be seen as a proactive action by an organization to be more environmentally responsible and transparent. For example, if an organization has relevant environmental aspects that impact the community, may have difficulties in expanding operations without a proactive and transparent communication with those neighbors. 

You may find more information in the following links:

• How to determine interested parties according to ISO 14001:2015 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/how-to-determine-interested-parties-according-to-iso-140012015/
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
   

ISO 27001 certification coverage

The certification coverage will depend on the ISMS scope definition. If it is issued to corporate X, then it is needed to verify which locations (i.e., addresses) were included. If the address of any subsidiary or affiliated entity is included, then it is covered by the certificate (of course this entity will have to go through all certification process together with the main Corporate X)

Adopting a single certificate for all units or separated ones for each unit is a business decision, depending on their objectives and strategies, but in general organizations like these adopt the model of one certification for each unit, because a change on a unit does not impact the certification of other units.

These articles will provide you further explanation about scope definition:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

This material can also help you:

• ISO 27001:2013 Foundations Course https://advisera.com/training/iso-27001-foundations-course/