Answer
ISO 9001:2015 no longer requires a Quality Management Representative (QMR). Nevertheless, many organizations decide to keep that position because they recognize its value.
Since ISO 9001:2015 no longer mandates a Quality Management Representative, organizations have more freedom to define the authorities and responsibilities for such a function. It was never required that the QMR know everything about the organization's programs.
ISO 27001 does not prescribe which categories to implement, so organizations are free to define the ones that best suit their needs. These can be based on legal requirements the organization must comply with (e.g., laws or regulations that define or recommend lists of categories), on a framework developed by the organization itself, or on market best practices. Examples of classification levels are:
- Secret and Top Secret
- Unclassified
- Non-sensitive
Answer
I saw some Canadian studies about the impact of ISO 9001 in agrobusiness. Their conclusions are that ISO 9001 offers supply chain management benefits.
Even non-certified organizations reported using the standard to formalize their monitoring procedures and improve planning, sourcing, manufacturing, and delivery efficiency. Those that took the extra step of certification reported improvement in their customer/supplier relationships and that it offered tools to monitor internal processes. Both certified and non-certified organizations reported increased customer satisfaction, market share and inventory turnover, and reduced lead times, rework, waste, and customer complaints.
Answer
Currently I’m working as a consultant with a hotel on implementing a quality management system according to ISO 9001:2015 in order to get it certified. The hotel quality manager’s previous experience was with the certification of an extra hotel facility. ISO 9001:2015 is applicable to any organization.
Answer
I would start the implementation of a management system by:
- Assembling a project team;
- Developing a project plan with a timetable;
- Providing basic training on ISO 9001 for project team members;
- Defining the scope of the management system;
- Performing a gap analysis;
- Determining the internal and external context;
- Determining interested parties;
- Mapping your processes;
- Defining the quality policy, objectives and plans to meet them;
- Determining risks and opportunities and defining action plans to act upon the most important ones;
- Documenting your processes;
- Starting to measure performance;
- Performing internal audits;
- Doing a management review and deciding if you are ready for certification.
According to ISO 27001, you only have to implement physical isolation, as well as other types of controls, in the following situations:
- There are unacceptable risks that justify the application of the control
- There are legal requirements (e.g., laws or contract clauses) with which the organization must comply that demand the application of the control
- There is a management decision to implement the control, considering it good practice.
If none of the above conditions apply, there is no need to implement a control.
We have listed the roles, responsibilities and authorities in the job description maintained by the HR team for each function. These roles, responsibilities and authorities are also mentioned as part of the individual process documents of each function. They are very much in line with the JD maintained by HR. Is it mandatory to list the roles and responsibilities in the individual process documents, as it is a mandatory section?
Answer
ISO 9001 and ISO 27001 only require that roles, responsibilities and authorities are assigned and communicated (documenting them is not mandatory), so the organization is free to document them in the way that is best for it (as a good practice).
The controllers are the ones that need to perform DPIAs, and in the case you have described you are acting as a data processor on behalf of the companies that are using your product.
Of course the GDPR does not cover such particular situations, and the reason for not disclosing the email address is that it is not grounded in the GDPR. My suggestion is for the Association to issue a Privacy Notice informing all the members about what personal data is processed, for what purposes, and what the lawful grounds are for doing that. In your case the most suitable will most likely be “legitimate interest”.