
  • Identifying and documenting the context


    Answer
    Clause 4.1 of ISO 9001:2015 is about determining those internal and external issues that can be relevant to influence your organization’s future. You can think about political, economic, social, technological, environmental and legislative as external issues, and about performance, complaints, experience, market presence as internal issues. For example, can you think about technological trends that can influence your organization’s economic sector? Consider banks vs the financial internet startups. As an example of political trends imagine that your organization is in France and exports to the UK. Will Brexit influence sales?
    Clause 4.2 is about determining who are the relevant interested parties for your organization’s business ecosystem: customers; customers’ customers; regulators; influencers; universities; suppliers; unions; competitors; employees (please check ISO 9001:2015 Annex A3 – it is up to your organization who are the relevant interested parties and what needs and expectations are considered relevant).
    Documenting these topics is not required by ISO 9001:2015. So, organizations are free to develop their own methods. Normally, when working with organizations during the implementation of the QMS, I document these in meeting minutes and management review records.

    The following material will provide you more information about context and interested parties:
    - (This case study has a clear example) Case study for ISO 9001:2015 transition in a construction company - https://info.advisera.com/hubfs/9001Academy/9001Academy_FreeDownloads/Case_study_for_ISO_9001_2015_transition_in_construction_company_EN.pdf
    - How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
    - How to determine interested parties and their requirements according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015/
    - (This webinar gives some of examples) Free webinar - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Software development and calibration


    Answer
    Let us focus just on what is mandatory in ISO 9001:2015. Calibration is mandatory just for those resources that are used to decide if the final product/service is according to specifications. So, go back to your organization’s outputs, the applications, and check if there is any specification that needs to be tested with some monitoring and measurement resource. Let me speculate. If your organization’s application gives GPS coordinates with some stated degree of error, for professional services, perhaps you should calibrate that. If your organization’s application gives temperature readings or measures light intensity, or moisture level… as important attributes, then perhaps calibration should be needed. Other examples of calibration needs can be around biometrics such as facial recognition and fingerprint reading, in order to be aware of performance and error levels. And perhaps tests with different hardware to set the borders as a function of the hardware used and your applications. Since we are entering a “Star Trek” world, with more and more use of non-invasive ways to diagnose situations, this will be the future.

    The following material will provide you more information about calibration:
    - Monitoring and Measurement Equipment Control - https://advisera.com/9001academy/blog/2014/05/06/monitoring-measurement-equipment-control/
    - Free webinar - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Risk assessment and risk treatment methodology


    Answer: For Threat and Vulnerability scales you can adopt this scale: Impact: 0 to 4, Threat: 0 to 2, Vulnerability: 0 to 2 - this way the impact is balanced with the likelihood (likelihood consists of threat and vulnerability).

    2. How do I draft a Process/Service based Risk Assessment process? How does it differ from the attached document?

    Answer: The general process is the same as for asset Risk Assessment process. The difference is that for a Process/Service based Risk Assessment you focus on steps or activities, instead of assets. For example, in a payment process you focus on steps like validating payment data and what could go wrong in this step, regardless of any asset involved.

    This article will provide you further explanation about alternatives to asset based risk identification:
    - ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification - https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification/
  • Questions on EU GDPR

    1. Are there any limitations to the applicability of the GDPR?
    The EU GDPR applies to all companies processing personal data regardless of their size. There are however some exemptions for small companies.

    For example, you only need to keep an inventory of your processing activities according to art. 30 if (a) the company has more than 250 employees; or (b) the processing the company carries out is likely to result in a risk to the rights and freedoms of data subjects; or (c) the processing is not occasional; or (d) the processing includes special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation); or (e) the processing includes personal data relating to criminal convictions and offenses.
    2. Do all companies need to register to the data protection authority?
    Registering to the Supervisory Authority is now subject to local laws because the EU GDPR leaves this to the Member States. Depending on where your company is located you should check the website of the Supervisory Authority.
    3. What are the security requirements for personal data?
    The GDPR applies the same broad security obligation as the old Data Protection Directive, requiring controllers and processors to take appropriate technical and organizational measures to protect their systems.
    This broad obligation is supplemented by additional obligations to take the following steps, where appropriate: a) the pseudonymization and encryption of personal data; b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of its information technology systems; c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

    These are not mandatory obligations. Instead, they only apply “where appropriate”, thus indicating they may not be needed in all cases.

    If you want to learn more about security measures check out this Security Awareness Training (https://advisera.com/training/awareness-session/security-awareness-training/).
    4. Are there any company certifications available for compliance with the GDPR?
    According to the EU GDPR, it is possible to demonstrate compliance by signing up to a Code of Practice or becoming Certified. The Supervisory Authorities are the ones that need to approve such codes of practice and certifications; however, there are none available yet.

    If you want to find out more about the EU GDPR check out this EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).
  • Scope and context of the organization

    Now we also want to certify the company to ISO 9001:2015. My question is: do I implement ISO 9001 for each service? The quality policy is the same for both services, so will the organizational context be different, and likewise all the applicable requirements of the standard? Thank you. Logically the certification is for the processes and will be: Certification to ISO 9001:2015 of company XYZ for the services of Heavy Equipment Rental and Earthmoving?

    Answer:

    The standard is implemented on the basis of a defined scope. In your case, and from the information you provide, the scope includes both services your company offers. Therefore, as you mention, the certification will cover both services, and consequently the quality policy and other processes of the quality management system will be the same, for example the determination of the context of the organization.

    Regarding the context of the organization, this refers to the internal and external issues that are relevant to the correct functioning of the quality management system, and since these are 2 services provided by the same organization, those internal and external issues should be the same, except, for example, if they are carried out in different countries, in which case the external issues could vary. However, the internal issues would always be the same, since the service is offered by the same company. For example, the organizational culture would be the same.

    For more information about the scope of the organization, see the following article – How to identify the context of the organization in ISO 9001:2015: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-identificar-el-contexto-de-la-organizacion-en-iso-90012015/

    For more information about the scope of the organization, see the following article – How to define the scope of the QMS according to ISO 9001:2015: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-definir-el-alcance-del-sgc-de-acuerdo-a-la-iso-90012015/

    These materials can help you understand the context and scope of the organization:

    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online course - ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
  • About sending project proposals


    After sending a project proposal, you should wait for an answer.
    - True
    - False

    For me, I would wait for 3-4 days (at least), just to give them time to go through and understand. They may not be just sitting to receive my proposal (and have other priority work as well). So, I would choose "True", which is actually wrong according to you. So, I would send a reminder after 3-4 days or maybe after 5-7 days (depending on the culture of the company as well). That is how I personally feel.

    Answer:

    Maybe in this case you have misinterpreted the question. "Waiting for an answer" means to do nothing until the potential customer answers, and your thinking is exactly the opposite of that: wait only an amount of time so as not to seem annoying and then contact them, corresponding to the "False" answer.

    However please note that we will improve the question to avoid this ambiguity.
  • AS9100 Design Requirement Application


    Answer:
    Clause 8.3, Design and development of products and services, is intended to be the process that you use for planning the products and services you provide in order to meet all the requirements for those products and services. So if your service is, for instance, to “design drawings” then this is the service you provide and if this service is already developed you could exclude clause 8.3 from your QMS. You are simply providing a service that is part of another company’s design and development process. The process that you use to provide the “design service” would be controlled under clause 8.5, Product and service provision.

    2) The same American company is also selling design service in the form of hours to an OEM in the US, using the OEM's design system. If it is military parts, are the rules that the selling site has to have a US citizen manager? The engineers doing the work are US citizens.

    Answer: This is a legal requirement that is outside of the AS9100 Rev D requirements. For this answer you would need to ask the customer what legal requirements they are imposing on the service you provide. If the legal requirements are ITAR related, there can be limitations on the citizenship of those working on the service, but your customer would need to clarify this.

    For a simplified explanation of the AS9100 Rev D requirements, see the whitepaper: Clause-by-clause explanation of AS9100 Rev D, https://info.advisera.com/9100academy/free-download/clause-by-clause-explanation-of-as9100-rev-d
  • GDPR in podcasts and video interviews

    Also, I would like to know if there is a need for any type of consent from the owner of the place where we do the shooting. E.g. I would like to shoot on the WU University campus; which document can I provide to them to agree to, so as not to have any problems later on?
    Your advice would be really great, I started to read anything I could find about this topic and got very lost and confused.

    Answer:

    Unfortunately, we only deal with the EU GDPR requirements so I am afraid I can not provide any information on US or Asian data protection laws.

    Coming back to the EU GDPR, in order to be able to share personal information of your guests you will need to get their consent.

    You can find readily available consent forms in our GDPR Consent & Data Subject Rights Toolkit (https://advisera.com/eugdpracademy/eu-gdpr-consent-data-subject-rights-toolkit/).
  • EU GDPR


    1. Can you give me some info sources for the formulation of such a contract, if I do not have the personal names?

    Answer:

    Personal Data is any information which is related to an identified or identifiable natural person. For example, the telephone, credit card or personnel number of a person, account data, number plate, appearance, customer number or address are all personal data, so, as you can see, it is not only limited to names.

    The document you are referring to is commonly referred to as a Data Processing Agreement and is required under art. 28 of the GDPR.

    You can find readily available templates for such a document in our EU GDPR Documentation Toolkit (https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/).

    2. Does the data processing itself only guarantee that my application treats the data in accordance with DSGVO or does it run as I claim?

    Answer:

    You as the owner of the app and as a processor of personal data need to ensure that you are processing personal data in a way that is compliant with the EU. This is the purpose behind a Data Processing Agreement to give comfort to the data controller that you will be processing data in a compliant manner.

    3. Do I have to protect the software itself as I would have to protect data?

    Answer:

    You need to ensure that your software has adequate safeguards in place to protect the personal data that is being processed. The safeguards will vary depending on the types and categories of personal data. Article 32 of the GDPR provides some examples such as anonymization and pseudonymization.
  • Production data in 8.2.1 Feedback


    Answer:
    The following production data can be collected as part of feedback: any non-conformities from the production process or any other issues seen by the production staff during manufacturing, measuring different production elements related to production optimization, monitoring of production parameters (e.g. line speed, percentage of scrap, equipment downtime due to failure and the like). You are responsible for what parameters will be monitored for this purpose.

    If you need some more details on how to implement requirement 8.2, please read the article at the following link:
    https://advisera.com/13485academy/blog/2018/09/20/how-to-comply-with-section-8-2-monitoring-and-measurement-in-iso-134852018/