
  • Data usage

    It depends on your internal privacy policy mostly.

    The Company should establish a clear policy to obtain sick leave (who has the right, requirements, documentation, how many days, etc.) and to ensure that HR department does not handle employees’ medical information more than necessary (i.e. medical certificates, death certificates, pregnancy certificates, etc.). Therefore, if your employer answered your question and shared the email with the HR department and medical service, for example, it could be justified, because those people already knew your data. Your data could be shared also with your legal office if your employer considers it a potential legal claim. Other cases should be considered an infringement of your rights (such as if your employer shares your email with other colleagues of your same level or department).

    You can find more information in our article: How the GDPR could impact your HR department: https://advisera.com/eugdpracademy/blog/2018/02/22/how-the-gdpr-could-impact-your-hr-department/

  • Compliance checklist and mapping controls

    ISO 27001 can help you with ca 50% of GDPR compliance, while PCI DSS is more focused on protecting credit card transactions so it is not as helpful with GDPR.

    While the GDPR provides you guidance on what needs protecting, it does not provide guidelines on how; PCI DSS and ISO 27001 detail clearly what you need to do to reach those security standards.

    Here you can find some useful documentation to map controls and check the documentation:

  • SGA

    Before carrying out the RAI and the legal matrix, I understand that you already have the support of management, which is who provides the resources needed to carry out the project of implementing the standard. Likewise, it is equally important that, before the aspects and impacts matrix, you have clearly defined the scope of the environmental management system, which will delimit the system, as well as other elements such as the environmental policy.

    Another of the new requirements of the ISO 9001:2015 standard is to determine the context of the organization and of the interested parties, and it is better to carry this out before the evaluation of the environmental aspects, since it will help us identify the risks and opportunities that may derive from that context.

    In the matrix of environmental aspects and impacts you have to consider the life cycle of your product or service, in order to correctly analyze where those environmental aspects and their impact are, that is, in which process or processes, so that once the significant environmental aspects have been evaluated you can take the specific actions needed for each activity. To evaluate each of the aspects found, you can do so through a series of criteria and by assigning a score, such as severity, probability, etc. You must also identify the risks associated with the environmental aspects, as well as the opportunities, and take the appropriate actions to mitigate those risks.

    These would be the first steps to follow, but in these materials you can find more information about implementing ISO 14001:

    - Article - List of steps for implementing ISO 14001: https://advisera.com/14001academy/es/knowledgebase/lista-de-pasos-para-la-implementacion-de-la-iso-14001/

    - Free webinar - Identification and evaluation of environmental aspects: https://advisera.com/14001academy/es/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/

    - ISO 14001:2015 Foundations course: https://advisera.com/training/es/course/curso-fundamentos-iso-14001/

    - Book - The ISO 14001 companion: https://advisera.com/books/the-iso-14001-2015-companion/

  • Integrating ISO 27001 and ISO 9001

    First, it is important to note that ISO 27001 does not require an "information security manual", so in this specific case, you do not need a separate document.

    Considering that, ISO 9001 and ISO 27001 share many similar requirements that allow the use of a single document for both systems (e.g., document control procedure, internal audit, etc.). Other required documents defined specifically for each standard, such as security policies and quality plans, can be kept separate without risk of creating inconsistencies.

    These articles will provide you with further explanation about integrating management systems:

    To see what ISO 27001 documents look like, I suggest you take a look at the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    This course can also be of help:

  • Environmental scope

    If an organization has more than one location, the scope should include the activities or processes involved, the products or services considered, and the names and addresses of each location. Each location has to comply with the legal and regulatory requirements applicable to its own location.

  • Humidity Control

    There are no strict requirements from the ISO 13485:2016 standard about humidity. In requirement 7.5.11 Preservation of product, it is described that it is the organization's responsibility to protect the product from alteration, contamination or damage when exposed to expected conditions.

    Therefore, it is the manufacturer's responsibility to define under which humidity level the medical device must be stored. Usually, these data are obtained during the stability study, which is one of the main requirements of the Medical Device directive.

  • ISO 27018 versions

    Thanks

    Regards

  • ISO 27001 new version

    Please note that ISO 27001:2013 was last reviewed and confirmed in 2019, so the 2013 version remains current, without alterations, and you can use the documents of the toolkit without a problem.

    The document released in 2018 was ISO 27000, which is a supporting standard, covering Information Security vocabulary.

  • Acceptance media

    The AS9100 standard does not give you the rules for acceptance stamps because the standard describes what you need to do, but not how to do it. The standard states that you need to have a process in place for acceptance stamps, if you are going to use them, but it does not dictate the rules. So, for your question of whether a person can be trained in 2 different processes and have a stamp for each, this will not be dictated in AS9100 since this may differ in different areas of aircraft, space and defense. If your customer requirements and legal requirements do not state that this is unacceptable, you can do so.

    You can find out more about acceptance media in the article: Acceptance authority media (AAM) in AS9100 Rev D, https://advisera.com/9100academy/blog/2019/06/20/as9100-acceptance-authority-media-aam-in-rev-d/

    If you are looking for some help to implement AS9100, check out our book: Applying AS9100 Rev D, https://advisera.com/books/applying-as9100-rev-d/

  • Defining job roles

    The AS9100 audit of the QMS will not only include the standard, but also how you have implemented the processes of the QMS in order to provide products and services that meet customer needs. This will include all customer and legal requirements that are applicable to your ability to provide products and services, as they are included in the QMS. So, if you have a customer or legal requirement to define the aircraft certification roles, then this is part of your QMS and therefore part of the AS9100 audit of your QMS.

    You can read more about documenting roles in the QMS in the article: How to document roles and responsibilities according to AS9100 Rev D, https://advisera.com/9100academy/blog/2018/08/28/how-to-document-roles-and-responsibilities-according-to-as9100-rev-d/

    If you are looking for a guide to implement the standard, our book might help: Applying AS9100 Rev D, https://advisera.com/books/applying-as9100-rev-d/
