
  • Identifying the scope of QMS

    First, remember that determining the scope of a QMS is not a technical decision; it is a management decision. The scope sets the boundaries of your QMS.

    Consider a company that both manufactures products for its own brand and as a subcontractor for brands from other companies. That organization may decide that it will only certify its QMS for the subcontracting operations.

    Imagine a hotel with a restaurant, pool, spa, and other services. Top management may decide to certify only the room part of the business.

    Normally, organizations describe their QMS scope in a management review meeting record or include it in the QMS manual.


    The following material will provide you with more information about scope, context and implementation:

    - How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/

    - I believe this Case study for ISO 9001:2015 transition in a construction company will be helpful for someone starting in the field - https://info.advisera.com/9001academy/free-download/case-study-for-iso-9001-2015-transition-in-a-construction-company

    - Free webinar - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/

    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/

    - Enroll for free course – ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/

    - Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Context analysis

    At Advisera we do not have specific content for determining the context of a hydroelectric power plant or for completing a SWOT analysis for this type of organization. Nevertheless, I will guide you so that you can complete the analysis satisfactorily.

    Regarding the internal context, you must take into account internal issues such as organizational culture; the company's capabilities understood in terms of resources and knowledge (people, capital, time, etc.); the organization's contractual relationships; guides, guidelines and standards adopted by the organization, etc. All of this can have negative consequences for the planning, construction and maintenance of a hydroelectric power plant.

    As for external issues, you must take into account the environmental conditions in which the hydroelectric plant is located, since they can influence risks such as floods, droughts, etc.; issues related to users, suppliers and competitors; and finally, the existing economic, political, legal and social conditions in which the hydroelectric plant operates.

    For more information you can see the following materials:

    - Article – How to identify the context of the organization in ISO 9001:2015: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-identificar-el-contexto-de-la-organizacion-en-iso-90012015/

    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

    - Free online course - ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/

  • BCR, DPO and judicial data

    1. Can you please explain a bit if having BCRs in place we will be compliant with the GDPR?

    Binding Corporate Rules are internal rules for data transfers within multinational companies. Binding corporate rules are like a code of conduct. They allow multinational companies to transfer personal data internationally within the same corporate group to countries that do not provide an adequate level of protection. So, they are only useful when it comes to performing intragroup data transfers.

    2. Are any specific requirements on how to process data about the health of our contractors?

    Health data is special category data and you can only process it in your case if you have a legal obligation dictated by the health and safety maritime laws. For example, you can ask the staff you employ as sailors to bring proof that their health condition allows them to perform specific tasks.

    3. How about judicial data? We are required to ask for the criminal record of the crew before hiring them.

    The same rules apply to judicial data as well. However, you should only ask for a criminal record but not for documents pertaining to the specific offenses that a person committed.

    4. Do we need to have a data protection officer?

    Depending on the size of the company, and also if your core activities consist of processing sensitive personal data on a large scale (including processing information about criminal offenses), you may need a DPO. Since I know that your company is not so big and your core business does not consist of processing sensitive data, I would say you don't need a DPO.

    5. Do we need to register as processing health and judicial data?

    This is dependent on where your company is registered. As far as I know, Greece does not require companies that process personal data to register to the Data Protection Authority.  

  • SOP naming conventions

    First, I would like to point out that you do not need to change your documentation to meet the structure and terminology of the AS9100 Rev D standard. This is clearly outlined in Annex A1, which states “there is no requirement in this international standard for its structure and terminology to be applied to the documented information of an organization’s quality management system”. It goes on to clearly state that “Organizations can choose to use terms which suit their operations (e.g. using “records”, “documentation”, “protocols” rather than “documented information”…)”. So, in short, the standard clearly states that you do not need to re-number procedures or change your terminology to comply with AS9100 Rev D.

    My advice to you would be to not re-align your documentation to the numbering of the standard, and instead go with your thought of e.g. OPP001 is for purchasing. You can then number them in any order that makes sense for you (such as in the order that they appear in your overall process flow), and file them again in an order that makes sense (not even aligning to the standard if this does not help you). The idea of the standard is not to force you to confuse your staff with numbering and terminology changes that do not make sense to them, but to allow you to make the system work for you, yet make it flexible enough that any organization can use it. It is also a good time to purge any documents that are really not helping your QMS succeed if it is no longer a requirement of the standard.

    To make sure you are not missing any mandatory documents from AS9100 Rev D, see the whitepaper: AS9100 Rev D List of Mandatory Documents, https://info.advisera.com/9100academy/free-download/as9100-rev-d-list-of-mandatory-documents

  • Processing biometric data

    My first advice would be not to use any biometric data. Considering the scope of the processing, namely loyalty cards, I would strongly advise you not to process any biometric data.

    If you still want to proceed you would need the express consent of the users as well as performing a Data Processing Impact Assessment.

    If you want to find out more about the EU GDPR check out this EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).

  • Evidence of failure of the error-proof device

    Error-proofing devices have a simple objective: to make products or run processes without any defects. If there is a defect of any kind, then the error-proofing devices are not achieving their objective, and that is a failure.

    You can record evidence on a paper report of device performance or use software to have it recorded. Most error-proofing devices have their own software that generates reports about performance. Those reports are fine as evidence.

    For more about error-proofing please read the article: 

    How to establish an error-proofing process according to IATF 16949 https://advisera.com/16949academy/blog/2017/10/11/how-to-establish-an-error-proofing-process-according-to-iatf-16949/

  • Validating Conformio software

    Yes, it is necessary to validate Conformio software. Conformio is verified by our internal testing. The simplest way for a client to validate Conformio is to create a list of the functionality and behaviors it expects from Conformio and check them in software. Of course, each client will have their own specific requirements. Here are some specific points that can be covered:

    Data integrity - can the data be changed inadvertently? Or, if inadvertent changes occur, are they flagged and/or detectable?
    - Document metadata has a full history in Conformio, and document data changes are tracked by Word’s Track Changes feature. Each separately saved version of the document can be accessed; there is a full history and older versions are kept. The user can choose to overwrite the existing version, though (this is a must-have requirement from some other customers).
    - Files can be locked from later changes (status Approved), and for Word documents Track Changes can be turned on (but can be turned off by the user). Currently, Track Changes can be turned off and changes can be 'accepted' by users, without a record of what changed.

    Access to data/files - there are several levels of access to Conformio:
    - Accessing the Conformio platform: through username and password.
    - Accessing the specific project: the account administrator defines the project access through Project Settings or through the Users module; also, the Project Manager on the project can allow access to a user through Project Settings.
    - Accessing folders/files: the folder Owner, Admin or Project Manager can grant access to a user.

    Audit trails
    - Changes in document metadata are shown in the Notification bar and in the Overview tab.
    - Changes on tasks (changing the Assignee, due dates, etc.) from the Projects and Compliance modules are shown in the Overview tab...

  • ISO20000 - Design and Transition of New or Changed Service

    Design and Transition of new or changed services is related to other processes, as you noticed. The process description in our ISO 20000 documentation toolkit defines the activities related to the process - you can find it here: https://advisera.com/20000academy/iso-20000-documentation-toolkit/

    The Service Catalogue process is not covered in the ISO 20000 documentation toolkit, but you can see a preview of the document here: https://advisera.com/20000academy/itil-documentation-toolkit/

    The following article can help you with the design and transition process:

    “Overview of ISO 20000:2018 structure and requirements” https://advisera.com/20000academy/blog/2019/09/05/iso-20000-requirements-and-structure/

    For more about the Service Catalogue please read these articles:
    - “Service Catalogue – Defining the service” https://advisera.com/20000academy/blog/2014/03/11/service-catalogue-defining-service/
    - “Choosing four main inputs for the ITIL/ISO 20000 Service Catalogue to avoid bureaucracy” https://advisera.com/20000academy/blog/2015/09/29/choosing-four-main-inputs-for-the-itiliso-20000-service-catalogue-to-avoid-bureaucracy/

  • Safe distance for redundant sites

    ISO 22301, the ISO standard for business continuity management, and most regulations and industry practices do not define any specific distance to recovery sites, because many factors can affect what would be considered a “safe” distance (e.g., type of disaster, access to public services, risk level, etc.). From our experience, I suggest you start a discussion suggesting a distance between 30 miles (50 kilometers) and 100 miles (160 kilometers) away from your primary location, and from that analyze your organization's context (geographic situation, available resources, required investment, etc.).

    This article will provide you with further explanation about the distance of the recovery site:
    - Disaster recovery site – What is the ideal distance from primary site? https://advisera.com/27001academy/knowledgebase/disaster-recovery-site-what-is-the-ideal-distance-from-primary-site/

    This material will also help you regarding the distance of the recovery site:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/

  • ISMS awareness

    This is one way to evidence awareness, but you should also consider other alternatives, since this document is normally signed at the beginning of the work relationship and stored in the employee file.

    As other methods of awareness, you should consider training sessions and the use of newsletters, which can be performed on a regular basis.

    These articles will provide you with further explanation about awareness:
    - What are the benefits of security awareness training for organizations? https://advisera.com/27001academy/blog/2019/03/27/what-are-the-benefits-of-security-awareness-training-for-organizations/
    - How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
    - 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/

    This material will also help you regarding awareness:
    - Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.
