
  • Implementation sequence


    Answer
    I would start the implementation of a management system by:
    Assembling a project team;
    Developing a project plan with a timetable;
    Basic training on ISO 9001 for project team members;
    Define the scope of the management system;
    Perform a Gap Analysis;
    Determine internal and external context;
    Determine interested parties;
    Map your processes;
    Define quality policy, objectives and plans to meet them;
    Determine risks and opportunities and define action plans to act upon the most important;
    Document your processes;
    Start measuring performance;
    Perform internal audits;
    Do a management review and decide if you are ready for certification.

    The following material will provide you with information about implementing a management system:
    - Article – Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
    - Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
    - Free course – ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Defining controls


    Answer:

    According to ISO 27001, you only have to implement physical isolation, as well as other types of controls, in the following situations:
    - There are unacceptable risks that justify the application of the control
    - There are legal requirements (e.g., laws or contract clauses) with which the organization must comply that demand the application of the control
    - There is a management decision to implement the control, considering it good practice.

    If none of the above conditions happen, there is no need to implement a control.

    This article will provide you with further explanation about selecting controls:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
  • Documenting roles and responsibilities

    We have listed the roles, responsibilities and authorities in the job description maintained by the HR team for each function. These roles, responsibilities and authorities are also mentioned as part of the individual process documents of each function. They are very much in line with the JD maintained by HR. Is it mandatory to list the roles and responsibilities in the individual process documents, as it's a mandatory section?

    Answer:

    ISO 9001 and ISO 27001 only require that roles, responsibilities and authorities are assigned and communicated (documenting them is not mandatory), so the organization is free to document them in the way that is best for it (as a good practice).

    But it is important to note that job descriptions and process documents have different purposes, and not listing the roles and responsibilities in the individual process documents may affect process performance, so you should evaluate this modification before making a decision.
    These articles will provide you with further explanation about documenting roles and responsibilities:
    - How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
    - What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/
  • GDPR Data Controller or Data Processor


    Answer:

    The controllers are the ones that need to perform DPIAs and in the case you have described you are acting as a data processor on behalf of the companies that are using your product.

    If you want to find out more about DPIAs, check out this free webinar: Seven steps of Data Protection Impact Assessment (DPIA) according to EU GDPR (https://advisera.com/eugdpracademy/webinar/seven-steps-of-data-protection-impact-assessment-dpia-according-to-eu-gdpr-free-webinar-on-demand/)
  • GDPR and Transparency


    Answer:

    Of course, the GDPR does not cover such particular situations, and the reason for not disclosing the mail address is not grounded in the GDPR. My suggestion is for the Association to issue a Privacy Notice informing all the members about what personal data is processed, for what purposes, and what the lawful grounds for doing so are. In your case, the most suitable will most likely be “legitimate interest”.

    If you want to find out more about privacy notices, see this free webinar: Privacy Notices under the EU GDPR (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/)
  • GDPR Consent Forms


    Answer:

    You may choose to rely on consent or legitimate interest. This should be clarified in the Privacy Notice you need to provide to the candidates.

    You can find out more about consent and legitimate interest from this article: Is consent needed? Six legal bases to process data according to GDPR (https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/).
  • EMS training needs in a QMS


    Answer
    I am missing the context of the situation to give a straight answer. There is no requirement in ISO 9001:2015 that makes the implementation of an EMS mandatory. What can happen is that your organization may have customers that require their suppliers to have an EMS. In that case, the auditors’ comment is understandable. Another possibility is that your organization developed internal environmental practices that are not being followed, and that is why the auditors said that you need to train employees on your environmental practices.

    The following material will provide you with information about integrating management systems:
    - Article – How to implement integrated management systems - https://advisera.com/articles/how-to-implement-integrated-management-systems/
    - Free webinar – How to integrate ISO 9001:2015 and ISO 14001:2015 – https://advisera.com/9001academy/webinar/how-to-integrate-iso-90012015-and-iso-140012015-free-webinar/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Two or more organizations under the same certificate

    For the documentation of these support processes within the scope, can it be established that support is provided for company No. 2?
    Or must that same procedure be done twice, once for company 1 and once for company 2, taking into account that the resources come directly from company No. 1?

    Answer:

    The option of having two separate management systems is only one of the available options. It is possible to have two or more organizations under the same certificate, even if they are legally independent entities.

    The following material will provide you with information about outsourcing:

    - Article – Understanding outsourcing according to ISO 9001: A case study - https://advisera.com/9001academy/blog/2019/03/19/understanding-outsourcing-according-to-iso-9001-a-case-study/
    - Free course – ISO 9001:2015 Foundations Course - https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Risk Assessment Table template

    What is supposed to be in the "impact column"?

    Answer: The value reflecting the effects of an incident that has occurred must be inserted in column G "Consequences" (from the perspective of ISO 27001, "impact" is the same thing as "consequences"). To know what to include in this column, I suggest this article:
    - How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

    By the way, included in your toolkit you have access to a video tutorial that can help you fill in the Risk Assessment Table, using real examples.
  • AS9100 Product safety requirements


    Answer:
    Product safety is defined in clause 3.4 as the product being able to perform its function without causing unacceptable risk or harm to persons or damage to property. So, by this definition, product safety is about not causing injury to people or damage to property. Keeping this in mind when you read clause 8.1.3 for the requirements of product safety, we see that AS9100 asks that we put in place controls to assure product safety throughout the lifecycle of the product, or in other words, ensure that the product behaves in a way that reduces or eliminates the risk of injury or property damage until it is disposed of at the end of life.
    There is a list of examples that may be included in your process, such as assessing hazards, reporting on events, communication and training on safety hazards, etc. If you have a product that does not have any safety risks, then just doing this assessment is enough, since there is nothing to control. However, if you have safety risks, you may need to identify these through the process. For example, if you had a product that held an electrical charge that could injure workers or damage property, either at your facility or after delivery, you may need to have safety warning labels on the product or in the installation instructions as a control.
    For your example of connectors, it is the safety aspects of the connectors through the lifecycle. You are not responsible for the safety aspects of products in which your connector is used. If someone uses your connector on a product where the connector becomes a contact point for power, it is up to them to determine and control this. Your connector has no safety considerations by itself.
    For a better understanding of the aerospace definitions in AS9100 Rev D, see the article: Five special aerospace terms in AS9100 Rev D, https://advisera.com/9100academy/blog/2017/05/01/five-special-aerospace-terms-in-as9100-rev-d/