
  • Quality management system documentation structure

    Can you give me an example of a hierarchical document level of a quality system?

    Answer
    ISO 9001:2015 gives a lot of freedom in designing the quality management system documentation structure.

    The following material will provide you information about a possible structure:
    - Article – How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
    - How to structure work instructions in the ISO 9001 QMS - https://advisera.com/9001academy/blog/2015/06/16/how-to-structure-work-instructions-in-the-iso-9001-qms/
    - ISO 9001:2015 Documentation Toolkit - https://advisera.com/9001academy/iso-9001-documentation-toolkit/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Performance data


    Answer:

    There is no such requirement for a minimum amount of performance data in ISO 9001:2015. There are just some mandatory documents that are required by ISO 9001 in order to be compliant with the standard. In this article you can find those mandatory documents - List of mandatory documents required by ISO 9001:2015:
    https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/

    To learn more about requirements of ISO 9001:2015, see these materials:
    - Book – Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free on-line training – ISO 9001:2015 Foundations: https://advisera.com/training/iso-9001-foundations-course/
  • Transfer of employee personal data to a third party


    Answer:

    Usually, for these kinds of processing activities companies rely on legitimate interest rather than consent. Basically what you need to do is to specify in your Employee Privacy Notice the fact that their personal data may be transferred to third party processors that perform payroll and accounting services.

    If you want to find out more about privacy notices check out this webinar Privacy Notices under the EU GDPR (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/).
  • ISO 14001 - non-mandatory clauses?


    Answer:
    No, there are no non-mandatory clauses in the new version of ISO 14001.

    The following material will provide you information about an environmental management system:
    - ISO 14001 – 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
    - List of ISO 14001 implementation steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-iso-14001-implementation-steps/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Developing checklists


    Answer
    Certification body auditors don’t have to ask awkward questions. Certification body auditors shouldn’t be fishing non-conformities at all cost.

    The following material will provide you information about developing checklists and auditing:
    - Article – ISO 9001 Audit Checklist - https://advisera.com/9001academy/knowledgebase/iso-9001-audit-checklist/
    - ISO 9001 document template: Internal Audit Checklist - https://advisera.com/9001academy/documentation/internal-audit-checklist/
    - [free course] ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • Risk management process

    1 - During the risk assessment, can we already take existing controls into consideration to assess the risk level, and immediately assess the residual risk?

    Answer: In fact you must consider the existing controls when assessing risk, including the information about implemented controls in the last column. In this case the assessed risk will already be a residual risk, which can or can't be acceptable according to your risk acceptance criteria.

    2 - In the toolkit there is a risk treatment “table” and a risk treatment “plan”.

    What is the difference between both documents? In my assumption the “table” is already enough as a plan.

    Answer: The Appendix 2 Risk Treatment Table is the document used to select treatment options and controls.

    The Risk Treatment Plan is the document where you list all the actions and resources needed to implement the treatment options identified in the Risk Treatment Table, as well as the respective deadlines and responsible people.

    As you can see, from the Risk treatment table to the risk treatment plan, the information becomes more focused on the risks that must be treated. You could have all this information in a single document, but this will make it more complex to handle.

    By the way, included in the toolkit you bought you have access to video tutorials that will explain these documents to you and how to fill them in.

    This article will provide you further explanation about risk treatment and risk treatment plan:
    - Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
  • Documenting ISO 27001 and ISO 22301 documents


    Answer:

    ISO 22301 and ISO 27001 share many similar requirements that allow the use of a single document for both systems (e.g., document control procedure, internal audit, etc.). Other required documents defined specifically for each standard, such as security policies and continuity strategy, can be kept separate without risk of creating inconsistencies.

    This article will provide you further explanation about integrating management systems:
    - How to implement integrated management systems https://advisera.com/27001academy/blog/ 15/10/05/how-to-implement-integrated-management-systems/

    This article will provide you further explanation about document management:
    - Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
  • BCM template content

    1. MSS is a critical service chosen for BCP. However, MSS will have multiple interdependent processes like infra, service mgmt, endpoint.
    a. So do we have to conduct a BIA individually for every interdependent process too, or will the BIA be done only for MSS but take inputs from the interdependent processes?

    Answer: In fact both approaches are acceptable (a BIA for each supporting process or a single BIA for MSS), and both have their own advantages and disadvantages, and you have to consider them to choose the best approach for your organization:
    - Performing a BIA for each supporting process is less complex and will require fewer people involved in each process (only the people directly involved in the process), but you have to evaluate the results of each BIA all together later, to have a picture for the MSS, and the independent BIAs may hide issues that can only be identified when analyzed together, and you may have to perform some BIAs again.

    - Performing a single BIA for MSS will provide you a systemic picture of all situations that may cause disruption of MSS (e.g., failures in independent processes that together can disrupt MSS), and will probably need to be performed only once, but it is a more complex process and you may have a problem scheduling meetings with all the people involved.
    By the way, included in the toolkit you bought you have access to a video tutorial that can help you perform BIA, including examples with real data.

    For further information, please see: How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

    2. Regarding “Business_Impact_Analysis_Methodology_EN”:
    a. How do we complete section 4, “Managing records kept on the basis of this document”?
    i. Is the record linked to the specific document? E.g., is the business impact questionnaire analysis the record for “Business_Impact_Analysis_Methodology_EN”?

    Answer: Your assumption is correct. The business impact questionnaire analysis is a record for the Business Impact Analysis Methodology, and you only have to define who is responsible for this record, where it is stored, the controls used to protect this record, and for how long you have to keep it. Detailed information and examples can be found in the comments included in the Business Impact Analysis Methodology template.

    For further information please read: Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/

    b. For 3.8 Maximum data loss (RPO), are we able to customize the timing, or is it not advisable to do so?

    Answer: The template is fully customizable, so you can change the values related to RPO to values that best fit your organization.

    For further information please read: What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)? https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/
  • GDPR serving citizens abroad


    Answer:

    Based on the description provided it seems that you will be acting as a processor for the entities using the software.

    Your company would need to sign a Data Processing Agreement with the entities using the software.

    Because you are in Canada and Canada received adequate status from the EU Commission there is no issue with the data transfer.

    You can find readily available Data Processing Agreements in our EU GDPR Documentation Toolkit (https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/)
  • GDPR and consent

    1. Must the processor take the consent of all participating athletes in every game they play?
    2. Must the processor take the consent of their parents in every game their kids are participating in?
    3. Does the processor have any legal basis for recording these actions?

    Answers:

    Just to clarify, the academy will be acting as a data controller and not a data processor. Regarding the CCTV system, if the system was set up for security reasons then it is quite unlikely that it can be used to record the games because of the different positioning of the cameras. However, if there is another CCTV system meant to record the games, then everyone who is going to be filmed should be made aware of the presence of the CCTV and the purposes for which it is installed, and this is usually done via a Privacy Notice.

    I will start answering your questions with the last one, as it is the most relevant.

    3. You can rely on Legitimate Interest for the CCTV system but in this case, you would need to perform a Legitimate Interest Assessment;

    1. If you decide to rely on legitimate interest then consent is not needed. However, you need to make sure that everyone knows about the CCTV and its purpose;

    2. The same applies to minors although in this case, you need to ensure that the parents are aware of the CCTV;

    If you want to learn more about Privacy Notices check out this free webinar Privacy Notices under the EU GDPR (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/)