First, it is important to note that the list in the article you mentioned does not cover all countries, nor is it fully up to date, because it depends on voluntary contributions from our readers. To make sure you have the latest list of laws and regulations, and to know which one applies to specific industries, it would be best to hire a local legal adviser.
First, it is important to note that before going for the scope of the ISMS and talking about assets, you need to convince top management to support ISO 27001 in terms of business benefits, like:
- improvement of business opportunities
- decrease of costs with incidents
- decrease of effort to comply with legal requirements
- improvement of internal organization
Considering that, your text for the goal of the project could be rephrased like:
- Information Security Management System applicable to improve business opportunities related to the provision of our IT Services
- Information Security Management System applicable to decrease the costs of incidents related to our IT Services.
As for the ISMS scope, it is not enough, because the standard requires you to consider other aspects as well. For additional information, see:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
These articles will provide you further explanation about obtaining support of top management:
- Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
- 4 crucial techniques for convincing your top management about ISO 27001 implementation https://advisera.com/27001academy/blog/2016/09/12/4-crucial-techniques-for-convincing-your-top-management-about-iso27001-implementation/
These materials will also help you to have an idea on how to present ISO 27001 to your management:
- Project proposal for ISO 27001 implementation https://info.advisera.com/27001academy/free-download/project-proposal-for-iso-27001-implementation-powerpoint
- ISO 27001 benefits: How to obtain management support [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/
Consider the following picture:
Clause 8.7 is not about product non-conformities specifically, that is why the standard uses the word output and not the word product or the word service. So, perhaps what you classify as “The other type of nonconformities” are outputs where clause 8.7 applies.
Clause 8.7 applies always, whatever the organization is. What can be very different is what is meant by output.
Quality objectives are overall goals or targets stated by the organization in order to achieve improvement within the QMS. A key performance indicator (KPI) is a metric used to evaluate factors that are crucial for the objective to be fulfilled. So, each objective can have one or more KPIs. For example, an objective can be to have highly educated employees. KPIs for this objective can be the percentage of employees actually trained in a given period, the number of certificates awarded to them, or the number of publications and conference contributions published by employees of the company.
Quality objectives have a strategic role in carrying out the quality policy and its implementation through a quality management system, and they provide a means to assess whether the QMS achieves its goals. There is no prescription for how many objectives you need to have; it is totally up to management's decision. Standard goals can be: meeting customer and regulatory requirements, achieving the improvement of the QMS and its products, and enhancing customer satisfaction.
In this article, you have more information about setting good quality objectives:
Setting good quality objectives for ISO 13485 https://advisera.com/13485academy/knowledgebase/setting-good-quality-objectives-for-iso-13485/
Although these articles are related to ISO 9001, they can help you to understand the differences between objectives and KPIs:
How to define Key performance indicators for a QMS based ISO 9001: https://advisera.com/9001academy/24/define-key-performance-indicators-qms-based-iso-9001/-iso-9001/
How to write good quality objectives: https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
1. I would start by gathering a group of people who know the organization, and drawing a model of how the organization works.
2. For each process I would consider its purpose and undesired results to determine process objectives.
3. Based on expected and undesired results I would determine a set of risks and opportunities.
Please consider watching this free on demand webinar - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/ - where I show how to do steps 1 and 3 (slides 12 and 14). On another free webinar on demand - Measurement, analysis, and improvement according to ISO 9001:2015- https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/ - I show how to do step 2 (slide 10).
The following material will provide you more information about processes and risks:
- How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
1. Do we need a special privacy notice for all kinds of contact sources (website, email, etc..) or is one enough?
If the personal data collected and the purpose for which it is used are the same, you can have just one privacy notice. However, within the notice, you need to mention the sources from which you collect the personal data.
2. In the Data Retention Policy - are the retention periods defined within this document?
Retention periods are usually mentioned in local laws such as Tax Law or Labor Law. If you cannot find a retention period in local laws, you can establish them yourself, taking into account the data minimization principle.
3. In the Inventory of Processing Activities - are there some examples of those processing activities given, or is this maybe covered with the email support - for example, if we ask the expert to give advice for that?
The Inventory of Processing Activities in the GDPR Documentation Toolkit has some comments embedded to help you understand what you need to fill in. There is also a guidance document included in the toolkit. If you decide to purchase the toolkit, depending on the version you buy, you also get some consultancy hours as well as documents reviewed by our experts. More details on the GDPR toolkits may be found at https://advisera.com/eugdpracademy/pricing/ Just click on “See details”.
4. What is the maximum amount of time to respond to data subject requests?
The standard response time to a request is one month; however, if the request is complex, the deadline can be extended by 2 more months.
Indeed, if the auditor considers that not all the environmental aspects of the processes included in the scope of your environmental management system have been taken into account, they can raise a nonconformity. Remember that you must carry out a life cycle analysis of your products or services and include both the processes you control and those you can influence, from the acquisition of raw materials to the disposal of the product or service.
The following materials can help you learn more about the identification and evaluation of environmental aspects:
- Article: 4 pasos en la identificación y evaluación de aspectos ambientales - https://advisera.com/14001academy/es/knowledgebase/4-pasos-en-la-identificacion-y-evaluacion-de-aspectos-ambientales/
- Article: Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
- Free webinar - ISO 14001: Identificación y evaluación de aspectos ambientales - https://advisera.com/14001academy/es/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
- Take this course for free – Curso de Fundamentos ISO 14001:2015 - https://advisera.com/training/es/course/curso-fundamentos-iso-14001/
- Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
Probably the best way to present risks and opportunities in a training session would be with examples. Both risks and opportunities are the effect of an uncertain outcome, with a potential negative or positive result. For instance, if a supplier notifies you that they will stop making a chemical you use, with the only known replacement chemical being more hazardous to your employees, this is a risk that you will want to try to address (such as by finding a new supplier). If a supplier comes to you with a new chemical that they have developed which is less hazardous, then this is an opportunity you can choose to go after by seeing if you can indeed use the safer chemical.
You can find out more about these requirements in ISO 45001 in the article: What are the new requirements for risks and opportunities according to ISO 45001?, https://advisera.com/45001academy/blog/2018/04/25/what-are-the-new-requirements-for-risks-and-opportunities-according-to-iso-45001/
Let us consider the possibility of a customer requesting from your organization an expert to provide service X. What the customer expects from your organization is the selection of competent people able to work with them. So, perhaps the service that requires certification is not what the person does for the customer, but the service of identifying the customer's needs and hiring/assigning the right person for the project.
I find it odd that a company providing engineering consulting services considers clause 8.3 not applicable. If I were in your position and with doubts I would contact one or two certification bodies and ask their opinion. Remember, after all, they are your suppliers, and they want to win a customer. So, they have all the motivation to answer you.
Risks and opportunities in the ISO 45001:2018 standard are looking at top-level risks rather than individual risks posed by specific job functions. For instance, a top-level risk may be posed by a supplier of a chemical notifying you that they will no longer make this chemical after a certain date. This is not the risk from a direct hazard, but rather a risk to future processing. These do not need to be recorded in the HIRA register (in fact, the ISO standard does not use this term), and you can keep records in any fashion you see fit.
You can find out more about the new risk and opportunities requirements in ISO 45001 in the article: What are the new requirements for risks and opportunities according to ISO 45001?, https://advisera.com/45001academy/blog/2018/04/25/what-are-the-new-requirements-for-risks-and-opportunities-according-to-iso-45001/