1. Must the processor take the consent of all participating athletes in every game they give?
2. Must the processor take the consent of their parents in every game their kids are participating in?
3. Does the processor have any legal basis for recording these actions?
Answers:
Just to clarify, the academy will be acting as a data controller and not a data processor. Regarding the CCTV system, if the system was set up for security reasons then it is quite unlikely that it can be used to record the games because of the different positioning of the cameras. However, if there is another CCTV system meant to record the games then everyone that is going to be filmed should be made aware of the presence of the CCTV and the purposes for which it is installed, and this is usually done via a Privacy Notice.
I will start answering your question with the last one as it is the most relevant.
3. You can rely on Legitimate Interest for the CCTV system but in this case, you would need to perform a Legitimate Interest Assessment;
1. If you decide to rely on legitimate interest then consent is not needed. However, you need to make sure that everyone knows about the CCTV and its purpose;
2. The same applies to minors although in this case, you need to ensure that the parents are aware of the CCTV;
Answer
ISO 9001:2015 no longer requires a Quality Management Representative (QMR). Nevertheless, many organizations decide to keep that position because they recognize its value.
Once ISO 9001:2015 no longer mandates a Quality Management Representative, organizations have more freedom to define authorities and responsibilities for such a function. It was not required that the QMR knew all about the organizations’ programs.
ISO 27001 does not prescribe which categories to implement, so organizations are free to define the ones that best suit their needs, and these can either be based on legal requirements the organization must comply with (e.g., laws or regulations which define or recommend lists of categories), based on a framework developed by the organization itself, or based on market best practices. Examples of classification levels are:
- Secret and Top secret
- Unclassified
- Non sensitive
Answer
I saw some Canadian studies about the impact of ISO 9001 in agribusiness. Their conclusions are that ISO 9001 offers supply chain management benefits.
Even non-certified organizations reported using the standard to formalize their monitoring procedures and improve planning, sourcing, manufacturing, and delivery efficiency. Those that took the extra step of certification reported improvement in their customer/supplier relationships and were offered tools to monitor internal processes. Both certified and non-certified reported increased customer satisfaction, market share and inventory turnover, and reduced lead times, rework, waste, and customer complaints.
Answer
Currently I’m working as a consultant with a hotel in implementing a quality management system according to ISO 9001:2015 in order to get its certification. The hotel quality manager’s previous experience was with the certification of an extra hotel facility. ISO 9001:2015 is applicable to any organization.
Answer
I would start the implementation of a management system by:
- Assembling a project team;
- Developing a project plan with a timetable;
- Basic training on ISO 9001 for project team members;
- Define the scope of the management system;
- Perform a Gap Analysis;
- Determine internal and external context;
- Determine interested parties;
- Map your processes;
- Define quality policy, objectives and plans to meet them;
- Determine risks and opportunities and define action plans to act upon the most important;
- Document your processes;
- Start measuring performance;
- Perform internal audits;
- Do a management review and decide if you are ready for certification.
According to ISO 27001, you only have to implement physical isolation, as well as other types of controls, in the following situations:
- There are unacceptable risks that justify the application of the control
- There are legal requirements (e.g., laws or contract clauses) with which the organization must comply that demand the application of the control
- There is a management decision to implement the control, by considering it as good practice.
If none of the above conditions happen, there is no need to implement a control.
We have listed the roles, responsibilities and authorities in the job description maintained by the HR team for each function. These roles, responsibilities and authorities are also mentioned as part of the individual process documents of each function. They are very much in line with the JD maintained by HR. Is it mandatory to list down the roles and responsibilities in the individual process documents, as it is a mandatory section?
Answer:
ISO 9001 and ISO 27001 only require that roles, responsibilities and authorities are assigned and communicated (documenting them is not mandatory), so the organization is free to document them the way it is best for them (as a good practice).