Search results

Becoming an ISO 27001 auditor

If your purpose is to perform internal audits in your company, or audits in other organizations on behalf of your company, then the ISO 27001 Lead Auditor certificate is enough. On the other hand, if your purpose is to perform certification audits, the ISO 27001 Lead Auditor certificate is only one of the mandatory elements you need to be qualified as a certification auditor.

These articles will provide you a further explanation about lead auditor:

• What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
• How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/

ISMS and SaaS solutions

1. How shall I deal with SaaS solutions such as Office365 and Gitlab.com when it comes to controls related to backups and business continuity. I don't think it is feasible to build an on-premise DR site for such a solution.

ISO 27001 controls identified as applicable to a SaaS provider must be handled by means of contractual clauses in your service agreement with the provider, where you establish that such controls must be implemented by the provider. If you are a small user of such SaaS service, then instead of service agreement you will agree with their terms and conditions which should state which kind of backup they are using.

Normally SaaS providers have multiple sites and they implement backups and business continuity by mirroring data and operation on these sites (of course, you have to verify which solutions your provider can offer).

A simple way of backing up smaller amounts of data is to save them on local computers - this is feasible for e.g. MS Office documents produced on individual PCs.

For more information, see:

• 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
• Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

2. Also, do we have to keep a backup of our emails or does it depend on the risk assessment and whether we accept such risk?

If you had accepted the risks for which backup of your e-mails would be the treatment, then you do not need to implement the backup.

Please note that backup is a control, and considering ISO 27001, you need first perform risk assessment, which helps you identify which risks need treatment, before deciding if you are going to implement a control or not.

For more information, see:

• The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

EU GDPR Data

First of all, you must consider that GDPR is a regulation technology-neutral, which means that all obligations apply to any data processing no matter what technology you decide to use. Regarding the topic you asked, I will split my answers.

Usage, Collection, Processing, and Storage of CCTV Data  

CCTV is mostly ruled by Member States legislation, so you need to verify the internal requirement in order to comply with it. Many Member States require to avoid workers’ video surveillance, to explicit the security reasons to adopt CCTV and to not shot the public path unless authorized by public authorities. 

You must ensure that monitor displaying the images of CCTV are not accessible and viewed only by authorized staff, that data retention periods are clearly established with automatic cancellation of previous videos.

Collection, Processing, and Storage of Biometric Data

Biometric Data are considered a special category of data under article 9 GDPR (the so-called sensitive data), like health, sex, ethnics, politics or religious orientation, because they can constitute a threat to freedom of individuals. Therefore, some additional precautions are required.

Article 9 GDPR requires consent of individuals as a legal ground to process biometric data along with the other cases listed in letters from "b" to "j" in article 9 GDPR. GDPR also explains that “Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.”

 A Data Protection Impact Assessment (DPIA) and a Data Protection Officer (DPO) are required if biometric data are processed on a large scale.

You should make sure you determine 

• the purposes of biometric data processing (why you are collecting those data)

• the legal ground (consent or other cases listed in article 9 GDPR)

• data retention policy

• DPIA in order to identify the risks the processing presents to data subjects and implementing measures tailored to mitigate those risks.

• Hiring a DPO

• Check for additional requirements from the Member States.

Here you can find some information: 

Article 9 GDPR: https://advisera.com/eugdpracademy/gdpr/processing-of-special-categories-of-personal-data/

5 phases of the EU GDPR Data Protection Impact Assessment: https://advisera.com/eugdpracademy/knowledgebase/5-phases-of-the-eu-gdpr-data-protection-impact-assessment/

The role of the DPO in light of the General Data Protection Regulation: https://advisera.com/eugdpracademy/knowledgebase/the-role-of-the-dpo-in-light-of-the-general-data-protection-regulation/

How to hire the right DPO:

https://advisera.com/eugdpracademy/blog/2018/08/27/how-to-hire-the-right-dpo/

Checklist of Mandatory Documentation Required by EU GDPR:

https://info.advisera.com/eugdpracademy/free-download/checklist-of-mandatory-documentation-required-by-eu-gdpr/

This course can also be of help:

EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

Template content - DRP

These are examples to consider for these fields:

• Minimum required capacity: 50% of users will have full access to the service right after plan activation; 30% of normal Internet bandwidth will be available right after plan activation.
• Restoration period: Normal operations must be resumed 48 hours after the plan was activated.

This article will provide you a further explanation about elaborating a DRP:

• Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/

ISO 9001 and hospitality

ISO 9001:2015 clause 9.3.2 is very detailed about preparing the inputs for a management review. We do not have any hospitality example to give you, but you can follow ISO 9001:2015. For example, a hospitality organization in Europe or Asia may be considering in its context analysis the impact and consequences of the coronavirus situation on the tourism industry. For example, a hospitality organization can use customer ratings from travel metasearch engine for lodging reservations as inputs about customer satisfaction and opportunities for improvement.

You can find more information about management review in the following links:

- How to make Management Review more useful in the QMS - https://advisera.com/9001academy/blog/2014/01/21/make-management-review-useful-qms/
- How to Make Management Review More Practical - https://advisera.com/9001academy/blog/2013/12/10/make-management-review-practical/
- Free webinar – How to perform management review according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-perform-management-review-according-to-iso-9001-2015-free-webinar-on-demand/
- ISO 9001 document template: Procedure for Management Review - https://advisera.com/9001academy/documentation/procedure-management-review/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
 

ISO 17025 Accreditation

Answer: 

As an ISO 17025 accredited testing laboratory you will define the range of activities for which you conform to the standard. The laboratory is responsible for all quality aspects or tasks which are a part of such an accreditation activity.

The significance and quality risk of the situation needs to be evaluated. If the performance of the equipment in manufacturing could influence a laboratory result or activity, then the laboratory must ensure that the ISO 17025 requirements for equipment and calibration are met.

You stated:

Our company does have ISO9001 accreditation.

If the ISO 9001 certification also covers the laboratory activities sufficiently to meet ISO 17025 clause 8, then you will be able to apply for ISO 17025 accreditation in accordance with Option B. You will not have to implement and maintain requirements of clause 8 within the ISO 17025 documentation.

For more information, have a look at

Maintaining and improving quality management in laboratories according to ISO 17025:2017 https://advisera.com/17025academy/blog/2019/08/30/iso-17025-maintenance-and-improvement-in-laboratories//

What does ISO 17025:2017 require for laboratory measurement equipment and related procedures? https://advisera.com/17025academy/blog/2019/07/25/iso-17025-measurement-requirements-of-the-standard/

The ISO 17025 document template: Equipment and Calibration Procedure may be of interest to you. It is available for download or free preview at https://advisera.com/17025academy/documentation/equipment-and-calibration-procedure//

Data Processing Agreement

Yes, according to article 28 GDPR about the Data processor, it is stated that “The processor shall not engage another processor without prior specific or general written authorization of the controller. In the case of general written authorization, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.”

Consider that the last paragraph of Article 28 GDPR states also “if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.”

I suggest you attaching your DPA draft to your Service agreement in order to demonstrate your compliance and awareness to data protection, control the security measure you can guarantee, and jointly determine the purposes and limits of data processing with the controller. Proposing a draft of DPA can increase the perception of your professional skills.

Here you can find more materials on data processors:

• EU GDPR controller vs. processor – What are the differences? https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
• Article 28 – Processor: https://advisera.com/eugdpracademy/gdpr/processor/
• Supplier Data Processing Agreement: https://advisera.com/eugdpracademy/documentation/supplier-data-processing-agreement/

Machine vs process validation

Process verification is covered in the AS9100 Rev D specification in clause 8.5.1.3, production process verification, and requires that you assess the ability of your processes to meet the product and service requirements by taking a representative item from the first production run to verify that all the production processes to create that item meets all requirements. This is also called first article inspection (FAI), and for more information you can use AS9102 which is referenced in Annex C (remember, AS9102 is a suggested tool, and not a requirement of AS9100). The AS9100 standard does not dictate what forms or records to keep for this, but if you use AS9102 there are forms included in there. The decision of what records to keep are up to your organization and your customers.

As for equipment verification, the AS9100 standard does not include requirements for verification of equipment that you use in your processes outside of the clause above. If you are talking about making equipment, clause 8.3.4.1 of the standard discusses planning tests for validation and verification of the product or service you design. If you were talking about equipment verification as your product or service, then this section talks about the requirements for the test plans and test procedures, but also does not have any requirements for the format of the documentation.

In short, there is no mandated documents to keep on these items, so it is up to you to define this with your customers. For more on the FAI process, see the article: How does First Article Inspection fit into AS9100 Rev D?, https://advisera.com/9100academy/blog/2017/11/07/how-does-first-article-inspection-fit-into-as9100-rev-d/

If you need some help with your implementation, our book may help: Applying AS9100 Rev D, https://advisera.com/books/applying-as9100-rev-d/

Accrediting part of a company

My question is based on ISO 9001 accreditation, is it possible for a division of a company to gain ISO 9001?

Answer:

Certification bodies are accredited by accreditation bodies. Certification bodies certify organizations. Yes, it is possible to certify just a division of a company or even a line of products of a company. We are talking about the quality management system scope definition.

what would be the main requirements for a Quality Management System?

Answer:

A quality management system is a whole. I cannot say that some clauses are more important than others, all clauses are important. What can happen is that the adoption of a certain scope can make some clauses not applicable, in that case those clauses can be excluded.

You can find more information about scope definition in the following links:

- How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
- What clauses can be excluded in ISO 9001:2015? https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/
- Free webinar on demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope -
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

Liderazgo en la gestión de calidad y medio ambiente

El liderazgo es uno de los requisitos que la organización tiene que demostrar dentro de su SGC y del SGA. Para ello le recomiendo que desde el comiezo presente los beneficios que tiene la implementación de ISO 9001:2015 y de ISO 14001:2015 en los procesos de la organización así como los recursos que van a ser necesarios, no sólo económicos sino de personal para que realmente exista ese compromiso. Puede por ejemplo llevar a cabo una reunión con la dirección en la que realice una presentación con esos beneficios, los recursos y las responsabilidades necesarisas en el proyecto.

Para más información sobre el liderazgo en la gestión de la calidad y medio ambiente puede ver los siguientes materiales: 

- Artículo - Cómo cumplir con los nuevos requerimientos de liderazgo en la ISO 9001:2015: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-cumplir-con-los-nuevos-requerimientos-de-liderazgo-en-la-iso-90012015/

- Artículo - Seis beneficios clave de la implementación de ISO 9001: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/seis-beneficios-clave-de-la-implementacion-de-iso-9001/

- Artículo - Seis beneficios clave de la ISO 14001: https://advisera.com/14001academy/es/knowledgebase/6-beneficios-clave-de-la-iso-14001/

- Informe - How can ISO 9001 help your business grow: https://info.advisera.com/9001academy/free-download/how-can-iso-9001-help-your-business-grow

- Informe - How can ISO 14001 help your business grow: https://info.advisera.com/14001academy/free-download/how-can-iso-14001-help-your-business-grow

- Presentación - Why ISO 9001:2015 awareness presentation: https://info.advisera.com/9001academy/free-download/why-iso-9001-2015-awareness-presentation

- Presentación - Why ISO 14001:2015 awareness presentation: https://info.advisera.com/14001academy/free-download/why-iso-14001-awareness-presentation

- Curso gratuito - Fundamentos de la norma ISO 9001:2015: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/