
  • Scope definition and certification costs

    1. In the institution, we have a core business system, which interacts with, and is projected to link with, other systems, so I am analyzing whether it is feasible to obtain the ISO 27001:2013 certification only for said system and the entire infrastructure, processes, resources, and assets surrounding this management information system. Is this feasible? No implementation is required for the entire organization.

    The ISMS scope can cover the whole organization, or only specific locations, processes or information, so you can limit your ISMS scope to this system and related assets.

    The main point when considering this approach is the effort required to keep the ISMS scope separated from the rest of the organization's elements (for small and mid-sized organizations the effort is often not worth it, and it is better to include the whole organization in the ISMS scope).

    These articles will provide you with a further explanation about the scope definition:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
    - How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/

    2. The certificate logo can be used on the homepage of the management system (for an institutional presence issue).

    Once certified, the organization will receive from its certification body instructions on how to use the certificate logo properly; in general, when the certificate does not cover the whole organization, this has to be made explicitly clear in all uses of the certificate logo.

    3. I understand that you sell the documentary package, but I would like to know the approximate cost of the audit to obtain the certification.

    There are a significant number of variables to be considered when estimating an implementation cost, such as the size and complexity of the scope, number of employees, number of sites, etc. Additionally, you have these main topics to consider:
    - Training and literature
    - External assistance
    - Technologies to be updated/implemented
    - Employees' effort and time
    - The certification process

    These articles can provide you with more information:
    - How much does ISO 27001 implementation cost? https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
    - 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/19/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/
    - How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project

  • Audit stages

    First, it is important to note that stages 1 and 2 refer only to certification audits. Internal audits do not need to follow this approach (all activities described below are performed in a single "stage").
    Considering that, the ISO 27001 Stage 1 certification audit is also called "Documentation review": the auditor will evaluate whether you have all the mandatory documentation.

    You can find the list of mandatory documents in this blog post: List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    Regarding stage 2, the auditor goes around your company, speaks to your employees, looks for logs and other records, observes the effectiveness of your safeguards (the controls stated as applicable in the Statement of Applicability - SoA), etc.

    Learn more about it in this webinar: ISO 27001/ISO 22301: The certification process https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/

    This article will provide you with a further explanation about internal audit:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/

  • EU GDPR applicability


    1. Is the GDPR applicable only to companies or private persons as well?

    The EU GDPR applies to the processing of personal data wholly or partly by automated means, and to manual processing if the personal data form part of a filing system or are intended to form part of a filing system, so you can see that there is no exclusion of private individuals. However, there are certain Supervisory Authorities (e.g. the Romanian Supervisory Authority) that have mentioned that the GDPR only applies to companies.

    2. Where do I need to publish my privacy policy?

    It depends on the processing activities you want to describe. You can have a generic Privacy Policy covering the bulk of your processing activities, but for very specific ones, such as processing data you collect through your website or the data of your employees, you need a specific Policy/Notice.

    3. Do I need to have an inventory of activities that I do?

    Companies or institutions with fewer than 250 employees are exempt from keeping a record, if the processing is not likely to pose a risk to the rights and freedoms of the data subject, if no special categories of data are processed or if the processing is done only occasionally, as is indicated in Art. 30(5) GDPR. In practice, this exemption is rarely applicable.

    4. Can I use GPS to monitor my sales agents?

    You could use GPS, but to track the vehicles your agents are using rather than the agents themselves. However, you need to let them know that this is happening via a Privacy Notice. You can find out more about Privacy Notices from our free webinar “Privacy Notices under the EU GDPR” (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/).

    5. Do I need the consent from my sales agents?

    This depends on the jurisdiction where you are registered. You should check the Supervisory Authority website of the country where you are registered. However, most EU countries do not require registration after the GDPR entered into force last year.

  • Identifying the scope of QMS

    First, remember that determining the scope of a QMS is not a technical decision; it is a management decision. The scope sets the boundaries of your QMS.

    Consider a company that both manufactures products for its own brand and acts as a subcontractor for brands from other companies. That organization may decide that it will only certify its QMS for the subcontracting operations.

    Imagine a hotel with a restaurant, pool, spa, and other services. Top management may decide to certify only the room part of the business.

    Normally, organizations describe their QMS scope in a management review meeting record or include it in the QMS manual.


    The following material will provide you with more information about scope, context and implementation:

    - How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/

    - I believe this Case study for ISO 9001:2015 transition in a construction company will be helpful for someone starting in the field - https://info.advisera.com/9001academy/free-download/case-study-for-iso-9001-2015-transition-in-a-construction-company

    - Free webinar - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/

    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/

    - Enroll for free course – ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/

    - Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Context analysis

    At Advisera we do not have specific content for determining the context of a hydroelectric power plant or for completing a SWOT analysis for this type of organization. However, I will guide you so that you can complete the analysis satisfactorily.

    Regarding the internal context, you must take into account internal issues such as the organizational culture; the company's capabilities understood in terms of resources and knowledge (people, capital, time, etc.); the organization's contractual relationships; guides, guidelines and standards adopted by the organization, etc. All of this can have negative consequences for the planning, construction and maintenance of a hydroelectric plant.

    As for external issues, you must take into account the environmental conditions in which the hydroelectric plant is located, since they can influence risks such as floods, droughts, etc.; issues related to users, suppliers and competitors; and finally, the existing economic, political, legal and social conditions in which the hydroelectric plant operates.

    For more information you can see the following materials:

    - Article – How to identify the context of the organization in ISO 9001:2015: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-identificar-el-contexto-de-la-organizacion-en-iso-90012015/

    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

    - Free online course - ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/

  • BCR, DPO and judicial data

    1. Can you please explain a bit if having BCRs in place we will be compliant with the GDPR?

    Binding Corporate Rules are internal rules for data transfers within multinational companies. Binding corporate rules are like a code of conduct. They allow multinational companies to transfer personal data internationally within the same corporate group to countries that do not provide an adequate level of protection. So, they are only useful when it comes to performing intragroup data transfers.

    2. Are there any specific requirements on how to process data about the health of our contractors?

    Health data is special category data and you can only process it in your case if you have a legal obligation dictated by the health and safety maritime laws. For example, you can ask the staff you employ as sailors to bring proof that their health condition allows them to perform specific tasks.

    3. How about judicial data? We are required to ask for the criminal record of the crew before hiring them.

    The same rules apply to judicial data as well. However, you should only ask for a criminal record but not for documents pertaining to the specific offenses that a person committed.

    4. Do we need to have a data protection officer?

    Depending on the size of the company, and also on whether your core activities consist of processing sensitive personal data on a large scale (including processing information about criminal offenses), you may need a DPO. Since I know that your company is not so big and your core business does not consist in processing sensitive data, I would say you don't need a DPO.

    5. Do we need to register as processing health and judicial data?

    This is dependent on where your company is registered. As far as I know, Greece does not require companies that process personal data to register with the Data Protection Authority.

  • SOP naming conventions

    First, I would like to point out that you do not need to change your documentation to meet the structure and terminology of the AS9100 Rev D standard. This is clearly outlined in Annex A1, which states “there is no requirement in this international standard for its structure and terminology to be applied to the documented information of an organization’s quality management system”. It goes on to clearly state that “Organizations can choose to use terms which suit their operations (e.g. using “records”, “documentation”, “protocols” rather than “documented information”…). So, in short, the standard clearly states that you do not need to re-number procedures or change your terminology to comply with AS9100 Rev D.

    My advice to you would be to not re-align your documentation to the numbering of the standard, and instead go with your thought of e.g. OPP001 is for purchasing. You can then number them in any order that makes sense for you (such as in the order that they appear in your overall process flow), and file them again in an order that makes sense (not even aligning to the standard if this does not help you). The idea of the standard is not to force you to confuse your staff with numbering and terminology changes that do not make sense to them, but to allow you to make the system work for you, yet make it flexible enough that any organization can use it. It is also a good time to purge any documents that are really not helping your QMS succeed if it is no longer a requirement of the standard.

    To make sure you are not missing any mandatory documents from AS9100 Rev D, see the whitepaper: AS9100 Rev D List of Mandatory Documents, https://info.advisera.com/9100academy/free-download/as9100-rev-d-list-of-mandatory-documents

  • Processing biometric data

    My first advice would be not to use any biometric data. Considering the scope of the processing, namely loyalty cards, I would strongly advise you not to process any biometric data.

    If you still want to proceed you would need the express consent of the users as well as performing a Data Processing Impact Assessment.

    If you want to find out more about the EU GDPR check out this EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).

  • Evidence of failure of the error-proof device

    Error-proofing devices have a simple objective: to make products or run processes without any defects. If there is a defect of any kind, then the error-proofing device is not achieving its objective. That is a failure.

    You can provide evidence in a paper report of device performance, or use software to have it recorded. Most error-proofing devices have their own software that generates reports about performance. Those reports are good evidence.

    For more about error-proofing please read the article:

    How to establish an error-proofing process according to IATF 16949 https://advisera.com/16949academy/blog/2017/10/11/how-to-establish-an-error-proofing-process-according-to-iatf-16949/

  • Validating Conformio software

    Yes, it is necessary to validate Conformio software. Conformio is verified by our internal testing. The simplest way for a client to validate Conformio is to create a list of the functionality and behaviors it expects from Conformio and check them in software. Of course, each client will have their own specific requirements. Here are some specific points that can be covered:

    Data integrity - can the data be changed inadvertently? Or if inadvertent changes occur, are they flagged and/or detectable?
    - Document metadata has a full history in Conformio, and document data changes are tracked by Word’s Track Changes feature. Each separately saved version of the document can be accessed; there is full history and older versions are kept. The user can choose to overwrite the existing version, though (this is a must-have requirement from some other customers).
    - Files can be locked from later changes (status Approved), and for Word documents, Track Changes can be turned on (but can be turned off by the user). Currently, Track Changes can be turned off and changes can be 'accepted' by users, without a record of what changed.

    Access to data/files - there are several levels of access to Conformio:
    - Accessing the Conformio platform: through username and password
    - Accessing the specific project: the account administrator defines the project access through Project Settings or through the Users module; also, the Project Manager on the project can allow access to a user through Project Settings
    - Accessing folders/files: the folder Owner, Admin or Project Manager can grant access to a user

    Audit trails
    - Changes in document metadata are shown in the Notification bar and in the Overview tab.
    - Changes on tasks (changing the Assignee, due dates, etc.) from the Projects and Compliance modules are shown in the Overview tab...
