  • EU GDPR Policies and procedures

    What is mandatory to have public are the Privacy Notices, which need to be available to the respective data subjects. Regarding making the Policies and procedures available to other companies, my view is that you should comply only when the requestor acts as a data controller.

  • SPC

    When you are doing GR&R analysis you are taking the same sample/same lot for every operator or machine you are testing for.

  • Data gathering for kindergartens and schools parties

    1. Are there any specific things that I need to include in the contract?

    Yes, as long as you are processing personal data you should have some specific wording in the contract to cover the part where you are processing personal data. Usually, this is a separate addendum to the commercial contract called a Data Processing Agreement.

    2. According to the GDPR what is my company a controller or a processor?

    Based on your description you seem to be acting as a data processor as you do not determine the means and purposes of the processing but rather the entities that contract you. If you want to find out more about controllers and processors check out this article EU GDPR controller vs. processor – What are the differences? (https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/)

    3. Do I need to register somewhere if I process personal data?

    Registration with local Supervisory Authorities is not required under the GDPR; however, this can be regulated by local legislation. I would advise you to check the website of the Supervisory Authority where your company is registered.

    4. Are there any specific requirements for handling data of children?

    There are some specifics that involve the permission of the parents or legal guardians. However, since you are acting as a processor as long as you process the data on the instructions of the controllers you should not be concerned.

    5. During the events sometimes my crew takes pictures and posts it on social media. Are there any restrictions?

    I would advise blurring the faces of the children when posting pictures on social media. Alternatively, you could obtain consent from the parents of the children in the photo.

    6. How much time do I need to keep the lists with the children's names and ages?

    I would delete the data right after using it during the show. You do not need it afterwards and keeping it would expose you to unnecessary risks.
     

    If you want to find out more about the EU GDPR check out this EU GDPR Foundation Course (https://advisera.com/training/eu-gdpr-foundations-course//)

  • Getting ISO 13485

    If I have understood it correctly, you are a supplier of critical parts to other medical device companies. Therefore, there is no strict regulation requiring you to be certified according to ISO 13485:2016, and from a quality management system perspective the norm for a manufacturer can be ISO 9001.

    Can you explain what you meant by "with an emphasis on ISO 13485"?

    However, I would like to point out the following. Requirement 4.1 of ISO 13485:2016 states that when the organization chooses to outsource any process that affects product conformity to requirements, it shall monitor and ensure control over such processes. Then, requirement 4.1.6 states that the organization that subcontracts the activity remains responsible for it.

    With the MDR, from May 2020, the notified bodies will pay more attention to critical suppliers, and there is a possibility that notified bodies will audit certain critical suppliers, according to their risk assessment. Therefore, you must be prepared for the chance that the notified body will audit your manufacturing process as part of the medical device manufacturer's audit.

  • External documents

    External documents are any documents not owned or controlled by an organization that are required for its operation, whether mandatory or voluntarily adopted. Examples of external documents to be controlled are laws (e.g., SOX and the EU GDPR), standards and regulations (e.g., ISO 27001 itself), and documents and records from customers, suppliers, and partners (e.g., contracts, service agreements, product/service specifications, operation manuals, etc.).

    These materials will also help you regarding control of documents:
    - Free video tutorial that you received as part of your toolkit: How to Write ISO 27001/ISO 22301 Document Control Procedure

  • Route to implement an ISMS

    Good afternoon. I would like to know what is the best route to implement an ISMS in a company dedicated to the turn of advertising in XYZ.

    Regardless of the industry, the first step is to obtain management support for information security initiatives, because without this you won't have the minimal resources and engagement to implement the required controls. Second, you have to establish a systematic approach for the implementation, because you have to coordinate several people to perform dozens of activities, and without a methodology you will end up in a huge mess with no security at all. Finally, at the start of your journey you have to define what you will protect and what you will not, i.e. the information security scope, so you can focus on what really matters.

    This general method is applicable to any company:

    1.- Obtain management support
    2.- Treat it as a project
    3.- Define the scope
    4.- Write an ISMS Policy
    5.- Define the Risk Assessment methodology
    6.- Perform the risk assessment & risk treatment
    7.- Write the Statement of Applicability
    8.- Write the Risk Treatment Plan
    9.- Define how to measure the effectiveness of controls
    10.- Implement the controls & mandatory procedures
    11.- Implement training and awareness programs
    12.- Operate the ISMS
    13.- Monitor the ISMS
    14.- Internal audit
    15.- Management review
    16.- Corrective and preventive actions

    This article will provide you additional information:
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    And this diagram can help you to start the implementation of the standard in your organization “Diagram of ISO 27001:2013 Implementation (PDF)”: https://advisera.com/27001academy/iso-27001-22301-premium-documentation-toolkit/

    Finally, these materials will help you to know more about how to implement the standard:
    - free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/

  • Auditing ISO documents

    An audit is not a 100% inspection. An audit is always based on a sample. The findings based on that sample, when compared with the audit objectives, allow the audit team to draw the audit conclusions. It is good practice to include this kind of disclaimer in the audit report. An extreme case would be if the audit objectives established the rule that all documents and records should be audited.

    The following material will provide you information about document control:

    - ISO 9001 – How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
    - ISO 9001 blog – New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
    - Free online training ISO 9001:2015 Internal Auditor Course
    https://advisera.com/training/iso-9001-internal-auditor-course/  
    - Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
     

  • Toolkit content

    The main difference between these three documents are:
    - Risk Assessment and Risk Treatment Methodology Cloud covers not only the requirements of ISO 27001, but also specific requirements applicable to cloud environments defined by ISO 27017 and to Personally Identifiable Information (PII) defined by ISO 27018.
    - Risk Assessment and Risk Treatment Methodology Premium covers not only requirements for ISO 27001, but also specific requirements applicable for business continuity defined by ISO 22301.
    - Risk Assessment and Risk Treatment Methodology Integrated covers not only the requirements of ISO 27001, but also specific requirements applicable to the protection of personal data defined by the EU GDPR.

    You can see the specific requirements covered in each document in its own section 2 - Reference Documents.

    Please note that these are slight differences, included to ensure the right references are present in each document (related to cloud, business continuity, and GDPR), but they practically do not have an impact on the methodology itself.

  • Surveillance audits

    1. Does the external auditor have to do complete surveillance for all controls in the SOA the same as the first year of certification?

    Only during certification audits, all controls in the SoA must be audited. During each surveillance audit, the auditor can cover only part of the controls, provided that all controls are audited during the certification cycle (e.g., if you have 3 surveillance audits between certification audits, all controls must be audited at least once in these three audits).

    This article will provide you further explanation about surveillance audits:
    - Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/

    2. How long does it take to complete the surveillance audit with regard to the initial certification audit duration?

    The total days to complete a surveillance audit will depend on the defined ISMS scope (e.g., number of locations, number of employees, etc.), so without detailed information, we cannot provide a precise answer for your case.

    As a general example, we can say that if the certification audit took 5 days to be performed, the surveillance audits will take between 2 to 3 days.

  • Laboratory accreditation

    Yes, ISO 17025 is generally the most appropriate standard for veterinary testing laboratories to develop and implement.  If however, a laboratory performs human medical and veterinary diagnostic testing, e.g. infectious diseases that can be spread from animals to humans, they could choose ISO 15189 (which is based on ISO 17025). 

    The intergovernmental organization responsible for improving animal health worldwide, The World Organization of Animal Health (OIE), requires veterinary testing laboratories to design and maintain an appropriate quality management system, irrespective of any requirement for formal accreditation. National legislation and regulatory body policies will regulate the need for accreditation, which is mandatory for laboratories that conduct tests for infectious animal diseases. Veterinary testing laboratory accreditation bodies align their requirements for accreditation with the World Organization of Animal Health (OIE) standard "Management and Technical Requirements", as it contains the specific requirements unique to veterinary testing laboratories.

    The following articles may be of interest:

    For some useful tools for planning ISO 17025 accreditation, have a look at:

