There are two important words in your question: certification and accreditation.
There are four actors in your question: IAF, the accreditation body, the certification body and your organization.
First, what is the difference between certification and accreditation?
- Certification is when a certification body issues a certificate stating that a company is compliant with a standard.
- What is the accreditation, then? In order for certification bodies to be able to perform the certification audits and issue the certificates, they need to get a license – and this license is called accreditation. So, certification bodies are getting accredited, while companies are getting certified. (The certification body needs to be compliant with the standard ISO 17021 if they want to get accredited for certifying management systems.)
There is usually only one accreditation body for each country (e.g., UKAS for the United Kingdom), while there are several certification bodies operating in each country.
Have you ever wondered if a company claiming to be certified is really certified? I always recommend: Look for the certification body name. Then, look for the name of the accreditation body that accredited that certification body. Then, look to see if that accreditation body is included in the International Accreditation Forum (IAF) list.
The following material will provide you information about certification and accreditation:
- Accreditation vs. certification vs. registration in the ISO world - https://advisera.com/articles/accreditation-vs-certification-vs-registration-in-the-iso-world/
- Accredited ISO certification versus non-accredited: What it means and why it matters - https://advisera.com/blog/2019/09/16/accredited-iso-certification-versus-non-accredited-what-it-means-and-why-it-matters/
- Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
No, unfortunately we do not have a Quality Agreement template in our Toolkit. The purpose of a Quality Agreement is to define all obligations and responsibilities between the manufacturer of medical devices and the supplier. However, obligations and responsibilities differ from supplier to supplier (it is not the same whether it is a supplier of critical raw material, some service or some consumables), and therefore it is difficult to unify it. If you tell me which supplier it is, I can help you with the specifics of the contract. As part of the toolkit, you can schedule a call with our ISO 13485 expert, and there you can discuss what you should include in such an agreement.
What kind of certification are you thinking about?
An ISO 9001 certification, as for companies, is not very useful unless you have a one-person business and are thinking about certifying that business.
A certification as Lead Auditor or as Lead Implementer might be useful for developing your activity as auditor or consultant.
The following material will provide you information about certification and courses:
- ISO 9001 – ISO 9001 Certification - https://advisera.com/9001academy/iso-9001-certification/
- ISO 9001 – Free online training courses - https://advisera.com/training/iso-9001-courses/
Here are the answers:
1. Is the classification of information based on confidentiality and integrity?
ISO 27001 control A.8.2.1 allows you to classify information according to legal requirements, value, criticality and sensitivity - therefore, you are not limited to confidentiality and integrity. However, in most cases, companies classify information based on confidentiality.
See also this article: Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
2. What's the purpose of information labeling? Is that just for informing internal employees?
The purpose is to inform anyone who gets in contact with classified information about the level of classification. Without the users knowing what the level of classification is, the classification itself wouldn't make sense.
3. Is it necessary to label all physical and electronic information?
You can declare the control A.8.2.2 Labelling of information as inapplicable if there are no related risks nor legal or contractual requirements.
Even if you declare this control as applicable, you can define the level of classification for a particular type of information (e.g. applications) through a policy, so that labelling of such information is not needed.
ISO 27001 clause 6.1.1 does not require you to document how you manage opportunities (i.e. no written policy or procedure is needed), it only requires you to plan to address risks and opportunities.
In Advisera's toolkit, you will find the document "Risk treatment plan" in the folder "07 Implementation plan" - there you should list all activities through which you address both risks and opportunities (since opportunities can be considered as "positive risks").
This article will give you a couple of examples of what opportunities are: How to address opportunities in ISO 27001 risk management using ISO 31000 https://advisera.com/27001academy/blog/2018/04/13/how-to-address-opportunities-in-iso-27001-risk-management-using-iso-31000/
My first advice is about making a Gap Analysis to have an idea about what needs to be done. Then, you can develop your implementation plan.
Be sure to invest your time in determining and evaluating environmental aspects and impacts, they are very important for the foundation of your environmental management system (EMS). Consider also this article with a checklist for implementing an EMS - List of ISO 14001 implementation steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-iso-14001-implementation-steps/
The following material will provide you more information about aspects and impacts:
- ISO 14001:2015 Gap Analysis Tool - https://advisera.com/14001academy/iso-14001-gap-analysis-tool/
- Project Plan for ISO 14001:2015 implementation - https://info.advisera.com/14001academy/free-download/project-plan-for-iso-140012015-implementation-ms-powerpoint
- Free webinar on demand - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
- Free webinar on demand - How to use a Documentation Toolkit for the implementation of ISO 14001 - https://advisera.com/14001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-14001-free-webinar-on-demand/
- Book – ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
1. What is the difference between consent and explicit consent?
Based on the EU GDPR, consent is a freely given, specific, informed and unambiguous indication of the individual’s wishes. The controller must keep records so it can demonstrate that consent has been given by the relevant individual. This would be consent in general.
Consent must be explicit if you are processing special category personal data or transferring personal data outside the EU. This entails a degree of formality, for example, the individual ticking a box containing the express word “consent”.
Explicit consent cannot be obtained through a course of conduct. If you want to find out more about consent check out this free webinar How to handle consents under GDPR: https://advisera.com/eugdpracademy/webinar/how-to-handle-consents-under-gdpr-free-webinar-on-demand/
2. What is the time and usual procedure when receiving a deleting request? What are the limitations regarding the time to respond to a request?
The time to answer a request from a data subject is usually one month, but it can be prolonged by another two months if the request is complex. If you want to find out more about answering requests, check out this free webinar Data Subject Rights under the EU GDPR: https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/
3. Do emails containing personal data need to be encrypted?
Not necessarily, however, if you are sending large quantities of personal data or special categories of personal data you should consider encryption or other measures to secure the transfer.
4. If I want to make a complaint because my data is being used abusively, where do I need to go?
You can find a full list of contact details of all Supervisory Authorities in the EU at https://edpb.europa.eu/about-edpb/about-edpb/members_en
1. There are some suppliers, like couriers, that want to sign DPAs with us. Is this ok? Are couriers processors?
Couriers act like independent data controllers so you need to sign a Controller to Controller Agreement. You can find such an Agreement in this EU GDPR Premium Documentation Toolkit: https://advisera.com/eugdpracademy/pricing/
2. Also since we want to start from January to work on our implementation how much time do you think we need? How about resources?
Both the time and resources depend on various factors such as the size of the company and the activities it performs. We have developed some tools that allow you to calculate the duration and the costs of becoming compliant. Check out this tool: https://advisera.com/eugdpracademy/eu-gdpr-compliance-duration-calculator/
3. Being a shipping company do we need to register?
As far as I know, this requirement no longer exists. However, you should check out the website of the local Supervisory Authority as this is a local decision.
4. When we provide the notices to the crew members we are recruiting do they need to sign it?
Privacy notices need to be made available to the data subjects but not necessarily signed. You can make them available on your website for example.
5. Are we allowed to keep the CVs for possible future arrangements?
Based on your legitimate interest or the candidate's consent, you can keep the CV longer. You need, however, to decide and assess which lawful ground would suit you best. You can find out more about Privacy Notices in this free webinar “Privacy Notices under the EU GDPR”: https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/
6. And if yes is there a time limit?
The GDPR does not provide specific retention principles; however, based on the minimization principle, personal data should not be kept longer than needed to achieve the purpose for which it was collected. My suggestion is not to keep CVs for more than 1 year.
The most common way is to define process KPIs in a Turtle diagram. Also, you can use a strategy approach such as the Balanced Scorecard.
In the document where you have defined the processes, you can also set a KPI for each of them.
For each process, you can set the quality objective, and the KPI should be aligned with it.
For more information, please read our article: "How to write IATF 16949 Quality objectives" https://advisera.com/16949academy/knowledgebase/how-to-write-iatf-16949-quality-objectives/
So we have this software where people make recommendations for friends to buy goods, and in the process of buying with credit cards etc., customer information is disclosed. How can we make sure people don't use that info to hack other customers, etc.?
If credit card data is processed, you need to ensure that you are PCI compliant or that you use a third party that is PCI compliant.
Regarding the use of other personal data besides credit card data, you need to follow the GDPR principles and apply adequate security measures as per art. 32.
In summary: how do we protect customer data when a project goes live?
Another thing you need to consider is having adequate Terms and Conditions so the users have a clear view of what they can do and what is forbidden.
I would advise you to perform a Data Protection Impact Assessment before going live.
You can find out more about Data Protection Impact Assessment from this free webinar Seven steps of Data Protection Impact Assessment (DPIA) according to EU GDPR: https://advisera.com/eugdpracademy/webinar/seven-steps-of-data-protection-impact-assessment-dpia-according-to-eu-gdpr-free-webinar-on-demand/