First, the hospital’s top management should decide the scope of the quality management services. I see hospitals that certified only Imaging Services. I see hospitals that certified Radiology, Physiotherapy and Blood Bank. I see hospitals that certified Orthopedic Services, …
Once the scope is decided, one can start to draw the processes. For example, a planned hospitalization can be seen as having the following main processes: Reservation; Admission; Treatment; Discharging.
What I see is hospitals with a legal service monitoring legal requirements and obligations.
The following material will provide you information about implementing an ISO 9001 management system:
The quality manager should comply with the following requirements:
- Understanding the needs of interested parties
- Establishment and continual improvement of the QMS processes
- Customer focus and product conformity
- Responsibility and authority for the QMS
- Monitoring quality objectives
- Internal and external communication
- Release of products and services
- Internal audit planning & management
- Responsible for Nonconformities and corrective actions
Keep in mind that there are no requirements that say you need to have a quality manager in this ISO 9001:2015.
Regarding the processes: usually process owners know better than anyone in the organization how the process works, so if you find him/her competent in doing so, they can prepare it, with subsequent approval by top management or the quality manager.
Based on the description you provided, the best way to move forward is to set up in place an Intragroup Data Transfer Agreement based on Controller to Controller Standard Contractual Clauses.
To learn more about international data transfers check out our webinar “How to make personal data transfers to other countries compliant with GDPR” https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/
Personal Data Protection Policy template
We are a small internet company which mainly develops internet pages for clients (and sometimes does the hosting) with only 2 people (both in the technical and design areas), so we don’t have such a large list of managers.
What worries me much is that we don’t have a Data Protection Officer, which is widely referenced in the document, so who will be the person in charge of data protection matters, since as far as I know this position is not mandatory for us?
Answer:
The documents are indeed optimized for small and medium size companies and all the job titles are mentioned as examples, you are free to replace the job titles to best suit your organization.
Same goes for the DPO as well: you can have some other employee deal with privacy related matters. The DPO needs to be appointed only if: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; or (b) the core activities of the legal entity consist of processing operations which, by their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the legal entity consist of processing on a large scale of special categories of data pursuant to Article 9 of the EU GDPR and personal data relating to criminal convictions and offences referred to in Article 10 of the EU GDPR.
We are building an ISMS for an ISO 27001 certification of our entire company. Now the question comes up about the requirements for our data center. Are all these points that are important for certification complete?
- Access protection
- Password policy compliance
- Typical irritant signals: fire loads, dirt or water-bearing cables in data centers or craft materials in server cabinets or unlabeled data carriers lying around.
1. In other words: What are the requirements for our data center provider if we want to certify ourselves as an entire company to ISO 27001?
Answer: The requirements your datacenter provider must fulfill are practically the same you would have to fulfill if the datacenter belonged to your organization, and without more detailed information about your context it is not possible to provide a specific answer. Since your provider is not ISO 27001 certified yet, I'd suggest you talk to them about performing a risk assessment together to identify which risks the provider must treat, so these treatments can be defined as contractual clauses in your service agreement.
2. Can we also successfully certify ourselves to ISO 27001 with a data center without ISO 27001 certification?
Answer: Provided that your provider can show evidence that it is handling your security requirements as defined in the service agreement, there is no need for the provider to be ISO 27001 certified, although this certification can prove beneficial to it to minimize compliance costs.
Filling the Business Impact Analysis questionnaires
Answer: There is no need to figure out different values of working capital for each time frame. In this part of the questionnaire you only have to identify for how much time you will need the working capital available to resume operations. For example, for a just-in-time operation which needs US$ 500K of working capital, you may decide to mark that this capital is needed immediately or up to 1h after the disruptive event. For an activity that keeps a significant stock of products, you may mark that this capital is needed up to 1 week.
2. Under ‘External services’ should the top 10 suppliers be named if the list consists of thousands?
Answer: Under ‘External services’ you have to list the most critical suppliers to ensure the continuity under the minimum service levels agreed. These can vary from one to several, depending on the scenario you define.
Included in the toolkit you bought, there is a video tutorial that can help you fill in the Business Impact Analysis, using real data to facilitate the understanding.
Information security standards for medical devices
Answer:
For the protection of personal health information and compliance with medical-related regulations, I suggest you consider ISO 27001 together with ISO 27799 and ISO 13485.
ISO 27799 has the objective to provide security controls to protect personal health information, presenting guidance for this specific sector.
ISO 13485 has the objective to specify requirements for a Quality Management System where an organization needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements.
Answer:
If I understand the subject correctly, I, as an assessor, would like to see the performance of the organization (the organization is the client of LRQA) against the management system objectives. What are the trends? What is the evolution of the results? Were the action plans implemented? Were the action plans effective?