Search results


  • GDPR Implementation Duration

    The duration would also be influenced by factors like the type and category of personal data processed, whether the data is shared with third-party processors, etc.

    My guess is this would take around 3 to 6 months, provided you are given full support from the management of the company.

    Consider also that only publishing some policies and procedures does not mean that an organization is compliant with the EU GDPR; you also need the processes to back up the documents.

  • Corrective Action Reports

    I must admit that your previous message made me suspect that.

    Yes, not all occurring non-conformities require a corrective action.

    Yes, all occurring non-conformities need to be recorded. If your quality management system internal rules required that non-conformities be recorded on a corrective action request, you have to do it and copy the corrective action from the first one. 

    Consider the possibility of simplifying your quality management system internal rules by separating recording of non-conformities from recording of corrective actions. Please consider this article - ISO 9001 – Difference between correction and corrective action - https://advisera.com/9001academy/blog/2016/02/09/iso-9001-difference-between-correction-and-corrective-action/

  • Differences between Event, incident and problem management

    An event is defined as a change of state, e.g. a port was up, now it's down / a server was alive, now it's not / doors were closed, now they are open / etc. Change of state refers to a configuration item (CI) or service, and it helps to (proactively) maintain services and related CIs. I'm sure you got some kind of alert on your screen -> that's an event. The event management process manages events throughout their lifecycle (from when they are raised until they are resolved).

    An incident is an unplanned interruption (or reduction in quality) of an IT service. Incident management is a process which handles (records, diagnoses, resolves) incidents throughout their lifecycle.

    A problem is the cause of one or more incidents, where the root cause of the problem is (usually) not known when the problem is raised. Problem management is responsible for finding the root cause of (one or more) incidents.

    Here are articles that can help you further:
    Incident – "Incident Management in ITIL – solid foundations of operational processes" https://advisera.com/20000academy/blog/2013/05/21/incident-management-itil-solid-foundations-operational-processes/
    Event – "ITIL Event Management – Entry point of Service Operation" https://advisera.com/20000academy/blog/2015/03/10/itil-event-management-entry-point-of-service-operation/
    Problem – "ITIL and ISO 20000 Problem Management – Organizing for problem resolution" https://advisera.com/20000academy/blog/2014/07/29/itil-iso-20000-problem-management-organizing-problem-resolution/
    And a free webinar, "ITIL Incident Management Process Demystified" https://advisera.com/20000academy/webinar/itil-incident-management-process-demystified-free-webinar-on-demand/

    You can see the Service Desk as a "window" to your organization; that's the frontline towards your clients and users. Here is more about the Service Desk – "Service Desk: Single point of contact" https://advisera.com/20000academy/knowledgebase/service-desk-single-point-contact/

    By infrastructure operation center, I assume you mean IT Operations (at least, according to ITIL). They perform daily activities (contrary to the Service Desk, which is actively involved in incident resolution).

    Learn more in this article, "IT Operations Management Function in ITIL" https://advisera.com/20000academy/knowledgebase/operations-management-function-itil/

  • Quality Manual

    In this version of the standard, ISO 9001:2015, it is not necessary to create a Quality Manual; the organization itself decides whether to write one or not. Companies often decide to keep it if they have implemented previous versions of the standard, since it serves as a guide for implementation; however, it is no longer a mandatory document.

    Here you can find more information about the mandatory documents in ISO 9001:2015:
    - List of mandatory documents required by ISO 9001:2015: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/lista-de-documentos-obligatorios-requeridos-por-la-iso-90012015/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online course - ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/

  • Environmental aspects

    1. Do all of the organization's environmental aspects have to be identified, even when they are generated in very small quantities? For example, suppose that in our process we generate acrylics each time the whiteboards are replaced (once every 2 or 3 years); is the ideal approach to identify that we generate acrylics at a minimal rate, or is the identification of environmental aspects not that specific?

    What really matters is the impact those environmental aspects will have on the environment. For example, if it is a very small quantity but the substance is very harmful to the environment, it will need to be taken into account even if the frequency is low. You need to look at the criteria your organization establishes for determining whether an environmental aspect is significant or not. It is true that it is not necessary to evaluate absolutely all environmental aspects, only those that have the potential to generate a significant impact on the environment.

    2. Regarding environmental aspects regulated by a government agency, you mention that they become significant environmental aspects and that we must keep them under control; my question is whether we have to create an environmental objective with a metric as such for these? As you know, clause 6.2.1 of the standard says that the organization must establish environmental objectives taking into account the organization's significant environmental aspects.

    Indeed, you must take into account all significant environmental aspects when planning your environmental objectives, including those established by government entities, as you rightly point out in your question. For measurement, you can establish so-called KPIs, key performance indicators, to know whether those objectives have been achieved.

    For more information on environmental aspects in ISO 14001:2015, see the following materials:

    - Article - Environmental aspect identification and classification: https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/

    - Article - 4 steps in identification and evaluation of environmental aspects: https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/

    - Catalogue of environmental aspects: https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/catalogue-of-environmental-aspects/

    - Book – The ISO 14001:2015 companion: https://advisera.com/books/the-iso-14001-2015-companion/

    - Free online course – ISO 14001:2015 Foundations: https://advisera.com/training/es/course/curso-fundamentos-iso-14001/

  • RoHS requirement

    Only if your organization manufactures in, or exports to, the European Union will RoHS be a compliance obligation to be met by your organization or by your representative in the European Union.

    The following material will provide you more information about compliance obligations:

    Article - Compliance requirements according to ISO 14001:2015 – What has changed? - https://advisera.com/14001academy/blog/2015/09/14/compliance-requirements-according-to-iso-140012015-what-has-changed/
    Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
    Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

  • Systems Audit and Compliance Audit

    A Compliance Audit is used to conclude whether, within the scope of an audit, there is compliance with established standards. So, it answers the question: are rules being followed?

    A System Audit can also be a Compliance Audit if the audit objective is to verify compliance. A System Audit can also be a different kind of audit, like an audit to verify effectiveness. In that case, it answers the question: are rules helping us in meeting our objectives?

    My answer is based on the world of quality management systems. I know that “Systems Audit” is also used for audits used to validate the integrity of information and data stored in information systems.

    Consider joining our free course on ISO 9001:2015 - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/

  • Adding AS9100 after implementing ISO 9001 and ISO 13485

    The AS9100 Rev D standard includes all of the ISO 9001:2015 requirements with the addition of specific aerospace requirements (and nothing taken away); so, the answer is yes, if you have AS9100 you also have ISO 9001 (and many of the certifications include both standards printed on the certification). You do not need to have a separate QMS for the AS9100, and can integrate these additional requirements into your existing QMS for ISO 9001 and ISO 13485. You are correct, some of the requirements are similar between the two standards, as aerospace and medical devices are both highly regulated and might have similar legal restrictions.

    If you want a better understanding of the AS9100 Rev D requirements to compare to your QMS, see the whitepaper: Clause-by-clause explanation of AS9100 Rev D, https://info.advisera.com/9100academy/free-download/clause-by-clause-explanation-of-as9100-rev-d

  • Controls for BYOD

    First, it is important to note that no controls or technologies are mandatory by ISO 27001. You can apply those you consider will resolve particular risks.

    Considering that, both RDP (Remote Desktop Protocol) and MDM (Mobile Device Management) are good and commonly applied solutions to help protect the organization's information on employees' personal devices.

    Now, considering you are referring to personal devices, the main topics to support this decision are legal requirements regarding privacy and labor relations your organization has to follow. Our suggestion is for you to seek expert legal advice on these matters to understand the risks related to the application of these controls and see if by implementing them you will not be incurring risks higher than the ones you are trying to mitigate regarding your own information.

    This article will provide you further explanation about BYOD:
    - How to write an easy-to-use BYOD policy compliant with ISO 27001 https://advisera.com/27001academy/blog/2015/09/07/how-to-write-an-easy-to-use-byod-policy-compliant-with-iso-27001/

  • Consent for taking pictures and videos

    I would strongly recommend that you delete all the pictures or videos from the event or alternatively get back to the participants and ask for their consent.


    If you want to find out more about consent, check out this free webinar "How to handle consents under GDPR" (https://advisera.com/eugdpracademy/webinar/how-to-handle-consents-under-gdpr-free-webinar-on-demand/).
