First, it is important to note that, according to ISO 27001, the security requirements to be included in contracts with suppliers must be based on the results of risk assessment and the legal requirements your organization must fulfill.
Considering that, some common requirements are:
This article will provide you further explanation about security clauses for contracts:
ISO 27001 and ISO 9001 are independent standards, so you can implement ISO 27001 without implementing ISO 9001, but it is important to note that adopting ISO 9001 concepts can make the implementation of ISO 27001 easier.
This article will provide you further explanation about ISO 9001 and ISO 27001:
This material will also help you regarding ISO 9001 and ISO 27001:
To fulfill the requirements of controls related to inventory of assets of ISO 27001 Annex A (controls A.8.1.1 and A.8.1.2), you do not need to have a specific policy or procedure for asset management/inventory. It is sufficient to have the records showing the asset and the owners.
This article will provide you further explanation about inventory of assets:
The right answer is "d. All of the above" because Data protection policy allows a company to guide its employees on key aspects of GDPR by establishing its principles in line with the GDPR and it is a key component of the accountability principle.
GDPR structure establishes principles on how organizations must process personal data, such principles must be adapted by each organization to their own data processing activity.
Answer c does not imply that the company formulates "new" principles, as principles are inside the GDPR. It implies that principles in line with GDPR are formulated into company principles to adapt to concrete company data processing.
I.e., GDPR does not tell a company how long to store collected data; it establishes the principle of minimization of processing. In the Data Protection Policy, however, the company must set a principle to help employees to deal with this principle. The company may establish that collected CVs from job applicants are deleted as soon as the job position has been covered. From this principle comes the rule to the HR department "delete every CV you received as soon as the selected candidates start working and no later than the trial period ends." Therefore, in this example, there is a GDPR principle (data minimization), a company principle (collected CVs must be deleted) and a rule for the HR department.
In other words, the Data protection policy explains how employees and the company will process data and, though it is not directed to the customer, it helps the Supervisory Authority to verify that anything declared in the Privacy policy (i.e. how data are processed) is coherent with the principles and instructions given to employees, and with the internal company interpretation of GDPR. This is why the correct answer is d. All of the above.
For more information, see the following article:
Unfortunately, our IATF 16949 documentation toolkit does not contain TPM documents. However, these are some documents in our toolkit which are related to equipment maintenance. There are some documents under our IATF 16949 Toolkit which are related to equipment maintenance. They are located in the folder 16 Procedure for equipment maintenance and measuring equipment. You can see the link address as below. These documents are very limited for TPM activities.
Feel free to check out our IATF 16949 Documentation Toolkit and the List of documents here:
IATF 16949 clause 8.5.1.5 defines requirements for total productive maintenance activity, but it does not define how it needs to be documented.
As you know, TPS is a system of maintaining and improving the integrity of production and quality systems through machines, equipment, process, and employees to add value to the organization.
Toyota production system defines TPM activities and there are different levels of TPM, from level 1 to level 5. It is not easy to apply full TPM in the first step; this is a culture for management for all organization activities, not only maintenance but also full systematic of organization management with Quality, Production, Maintenance, HSE, Planning, etc.
You can find more detailed documentation in Toyota TPM culture, TPM books and/or TPM trainings.
Documents and forms that can be included as follows:
a) Daily machine control forms by operators
b) Weekly, Monthly, 3 Monthly, 6 Monthly, Yearly (according to machine/equipment situation and handbook) maintenance plan and records
c) Machine maintenance work instructions for new maintenance
d) Break down records with MTTR and MTBF target and results
e) OEE targets and results
f) Spare parts for machines and equipment, minimum and maximum levels
g) Machine break down reaction plans and operator trainings
h) Break down analyses and corrective action plans for improvements.
Internal OH&S complaints in ISO 45001 should be addressed as with any other process nonconformity, with the corrective action system required per clause 10.2, Incident, nonconformity and corrective action. These identifications of OH&S problems by employees are a key improvement opportunity, and are common in the OHSMS (although not everyone would call them complaints).
For more on corrective action in the OHSMS, see this article: Using corrective actions to eliminate nonconformities and drive health & safety improvements, https://advisera.com/45001academy/blog/2017/02/15/using-corrective-actions-to-eliminate-nonconformities-and-drive-health-safety-improvements/
Liability insurance is designed to protect your property as a whole from claims by third parties. Your property is not physically insured under this policy, but it is protected from being reduced, as the insurer will pay out compensation to a third party on your behalf. This insurance protects your economic interest.
In MDR Article 10, General obligations of manufacturers, it is stated that natural or legal persons may claim compensation for damage caused by a defective device in accordance with applicable Union and national law. Manufacturers must, in a manner that is proportionate to the risk class, type of device and the size of the enterprise, take measures to provide sufficient financial coverage in respect of their potential liability under Directive 85/374/EEC (on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products).
A lot of different insurance companies can offer you this kind of insurance, so please look through the internet.
I understand from your question that a calibration certificate was not received. The answer is no, a receipt cannot be used in place of a calibration certificate. ISO 17025 has specific requirements for the suitability of equipment and its calibration. The laboratory must ensure that equipment conforms to specified requirements. Evidence that equipment can perform as required may, depending on the equipment, be a specific qualification or verification process which may be provided in some part by the provider. The laboratory needs to verify this post installation, on your site. If the use of your equipment is to establish the metrological traceability of reported results or if the validity of the reported results is affected by measurement accuracy and/or uncertainty, then you need calibration and a calibration certificate which meets ISO 17025 requirements for calibration reports.
The following articles will provide further information related to equipment and calibration:
The relevant ISO 17025 document template, Equipment and Calibration Procedure, as well as a list of related documents, is available for download at https://advisera.com/17025academy/documentation/equipment-and-calibration-procedure//
It depends on the purposes of data processing. If the data processing is related to the execution of the contract, Article 6, paragraph 1, letter b GDPR states that the processing is lawful under GDPR when "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract".
Of course, this is limited only to the performance of the contract. You must inform the data subject about data processing by providing your privacy notice. You may need a consent form even if you are working on the contractual legal basis if your data processing purposes go beyond the contract (i.e. marketing purposes).
You may find some useful information here:
You may also consider taking our free Foundation GDPR Course: https://advisera.com/training/eu-gdpr-foundations-course//
Thanks