Quality objectives are overall goals or targets stated by the organization in order to achieve improvement within the QMS. A key performance indicator (KPI) is a metric used to evaluate factors that are crucial for the objective to be fulfilled. So, each objective can have one or more KPIs. For example, an objective can be to have highly educated employees. KPIs for this objective can be the percentage of employees actually trained in a given period, the number of certificates awarded to them, or the number of publications and conference contributions published by employees of the company.
Quality objectives have a strategic role in carrying out the quality policy and its implementation through a quality management system and provide a means to assess whether the QMS achieves its goals. There is no prescribed number of objectives you need to have; it is totally up to management's decision. Standard goals can be: meeting customer and regulatory requirements, achieving the improvement of the QMS and its products, and enhancing customer satisfaction.
In this article, you have more information about setting good quality objectives:
Setting good quality objectives for ISO 13485 https://advisera.com/13485academy/knowledgebase/setting-good-quality-objectives-for-iso-13485/
Although these articles are related to ISO 9001, they can help you to understand the differences between objectives and KPIs:
How to define Key performance indicators for a QMS based ISO 9001: https://advisera.com/9001academy/24/define-key-performance-indicators-qms-based-iso-9001/-iso-9001/
How to write good quality objectives: https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
1. I would start by gathering a group of people who know the organization, and drawing a model of how the organization works.
2. For each process I would consider its purpose and undesired results to determine process objectives.
3. Based on expected and undesired results I would determine a set of risks and opportunities.
Please consider watching this free on-demand webinar - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/ - where I show how to do steps 1 and 3 (slides 12 and 14). In another free on-demand webinar - Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/ - I show how to do step 2 (slide 10).
The following material will provide you more information about processes and risks:
- How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
1. Do we need a special privacy notice for all kinds of contact sources (website, email, etc..) or is one enough?
If the personal data collected and the purpose for which it is used are the same you can have just one privacy notice. However, within the notice, you need to mention what are the sources from where you collect the personal data.
2. In the Data Retention Policy - are the retention periods defined within this document?
Retention periods are usually mentioned in local laws such as Tax Law or Labor Law. If you cannot find a retention period in local laws, you can establish them yourself, taking into account the data minimization principle.
3. In the Inventory of Processing Activities - are there some examples of those processing activities given, or is this maybe covered with the email support - for example, if we ask the expert to give advice for that?
The Inventory of Processing Activities in the GDPR Documentation Toolkit has some comments embedded to help you understand what you need to fill in. There is also a guidance document included in the toolkit. If you decide to purchase the toolkit, depending on the version you buy, you also get some consultancy hours as well as documents reviewed by our experts. More details on the GDPR toolkits may be found at https://advisera.com/eugdpracademy/pricing/ Just click on “See details”.
4. What is the maximum amount of time to respond to data subject requests?
The standard response time to a request is one month; however, if the request is complex, the deadline can be prolonged by 2 more months.
Indeed, if the auditor understands that not all the environmental aspects of the processes included in the scope of your environmental management system have been considered, they can raise a nonconformity. Remember that you must perform a life-cycle analysis of your products or services and include both the processes that you control and those that you can influence, from the acquisition of raw materials to the disposal of the product or service.
The following materials can help you learn more about the identification and evaluation of environmental aspects:
- Article: 4 steps in the identification and evaluation of environmental aspects - https://advisera.com/14001academy/es/knowledgebase/4-pasos-en-la-identificacion-y-evaluacion-de-aspectos-ambientales/
- Article: Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
- Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/es/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
- Take this course for free – ISO 14001:2015 Foundations Course - https://advisera.com/training/es/course/curso-fundamentos-iso-14001/
- Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
Probably the best way to present risks and opportunities in a training session would be with examples. Both risks and opportunities are the effect of an uncertain outcome, with a potential negative or positive outcome. For instance, if a supplier notifies you that they will stop making a chemical you use, with the only known replacement chemical being more hazardous to your employees, this is a risk that you will want to try to address (such as finding a new supplier). If a supplier comes to you with a new chemical that they have developed which is less hazardous, then this is an opportunity you can choose to go after by seeing if you can indeed use the safer chemical.
You can find out more about these requirements in ISO 45001 in the article: What are the new requirements for risks and opportunities according to ISO 45001?, https://advisera.com/45001academy/blog/2018/04/25/what-are-the-new-requirements-for-risks-and-opportunities-according-to-iso-45001/
Let us consider the possibility of a customer requesting from your organization an expert to provide the service X. What the customer expects from your organization is the selection of competent people able to work with them. So, perhaps the service that requires certification is not what the person does for the customer, but the service of identifying the customer's needs and hiring/assigning the right person for the project.
I find it odd that a company providing engineering consulting services considers clause 8.3 not applicable. If I were in your position and with doubts I would contact one or two certification bodies and ask their opinion. Remember, after all, they are your suppliers, and they want to win a customer. So, they have all the motivation to answer you.
Risks and opportunities in the ISO 45001:2018 standard are looking at top-level risks rather than individual risks posed by specific job functions. For instance, a top-level risk may be posed by a supplier of a chemical notifying you that they will no longer make this chemical after a certain date. This is not the risk from a direct hazard, but rather a risk to future processing. These do not need to be recorded in the HIRA register (in fact the ISO standard does not use this term) and you can keep records in any fashion you see fit.
You can find out more about the new risk and opportunities requirements in ISO 45001 in the article: What are the new requirements for risks and opportunities according to ISO 45001?, https://advisera.com/45001academy/blog/2018/04/25/what-are-the-new-requirements-for-risks-and-opportunities-according-to-iso-45001/
What type of documents do I need to fulfil the requirements of clause 8.3?
Answer:
Please check this article about the mandatory documents required by ISO 9001:2015 - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/ - there you can check that only records are mandatory. However, I recommend that organizations develop a procedure about the good design and development practices that need to be followed and authorities and responsibilities.
Can I have any such formats for Planning, input, controls, outputs and changes?
Answer:
Yes, you can have a format for each topic, or for two or more topics simultaneously.
The following material will provide you more information about design and development:
- The ISO 9001 Design Process Explained - https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
- Procedure for Design and Development - https://advisera.com/9001academy/documentation/procedure-design-development/
- Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book – (where I use the process approach this way) - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
Based on your attached document, I'm assuming you are referring to a document similar to a "Confidentiality Statement" (the term "Order data protection agreement" does not exist in the standard, nor is it a common term).
Considering that, please note that for ISO 27001, you only have to implement a "Confidentiality Statement", or a similar document like the "Order Data Protection Agreement", or any other type of control, if:
- the results of risk assessment require the implementation of such document
- there are legal requirements (e.g., laws and contracts) which require the implementation of such document
- there is a top management decision for implementation of such document
If none of the above-mentioned situations occur, then you do not need to implement a "Confidentiality Statement" or "Order Data Protection Agreement".
Considering our toolkit, we have a "Confidentiality Statement" template, located in folder 08 Annex A Security Controls >> A.7 Human Resource Security, that you can evaluate to see if it can fulfill your needs. It contains the minimum required for compliance with the standard (for further security you should consider seeking expert legal advice because we are not legal experts).
Regarding your document, it seems fine as a "Confidentiality Statement", with more clauses than our "Confidentiality Statement", but again we recommend that you seek legal advice.
Another way to handle this situation is by including a security clause in your service agreement with those parties working with you.
This article will provide you a further explanation about control selection and security clauses:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/
I don’t know if I understand your question correctly. Organizations have the authority to decide what makes sense to include in a SOP. So, there is no compulsory requirement to add a quality control statement.
The following material will provide you more information about documentation:
- How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
- List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
- Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/