
  • Audit plan versus audit program

    Answer:
    An audit program is a set of one or more audits planned to occur within a specific time frame and with common purpose, prepared by the Quality Manager or Audit Manager. For example, consider an organization that intends to perform three internal audits in 2019 to evaluate the conformity of its quality management system. The audit program plans: what will be the scope of each audit (what clauses and/or processes); when will each audit take place (the first can be in February, the second in May and the third in October); sometimes organizations even identify who will be the internal auditors for each audit. One important thing is that an audit program approved by top management is a way of transmitting authority to the internal auditors to perform the audit.

    An audit plan is prepared by the auditor(s) before each audit and aims to inform auditees about the audit objectives, audit scope, audit criteria, auditors, date and schedule of activities. For example, if an audit includes auditing the Commercial Department, the audit plan informs, or proposes, that the audit of that department occur between 10:00 and 11:00. An audit plan allows auditors to agree with auditees on a schedule.

    The following materials will provide you with more information about internal audits:
    - Article - What is the ISO 9001 audit program, and how does it work? - https://advisera.com/9001academy/blog/2017/01/24/what-is-the-iso-9001-audit-program-and-how-does-it-work/
    - Creating an ISO 14001 internal audit plan - https://advisera.com/14001academy/blog/2017/01/16/creating-an-iso-14001-internal-audit-plan/
    - Free course - ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
  • GDPR - the right for erasure

    1. Is such a customer considered anonymous?
    2. In case of a deletion request - does the phone number need to be deleted?
    3. What about activity logs and CDRs where the phone number appears?
    4. As for our paying customers - we have their personal details on receipts, do we need to "anonymize" those details from receipts in case of such a request?

    Answers:

    1. Based on the definition provided in art. 4 of the EU GDPR, personal data “means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (https://advisera.com/eugdpracademy/gdpr/definitions/). As you can see, an identification number such as a telephone number is considered personal data and not anonymous data, thus it falls under the provisions of the EU GDPR.

    2. Yes, if you receive a request for deletion you need to delete the phone numbers.
    You do not need to comply with such requests if the processing you are performing is:
    - necessary for rights of freedom of expression or information;
    - for compliance with a legal obligation under Union or Member State law;
    - in the public interest or carried out by an official authority;
    - for public interest in the area of public health;
    - for archiving or research; or
    - for legal claims.

    3. Activity logs and CDRs, as long as they can be associated with a specific user, also fall under the EU GDPR unless you can strip them of any identifiable data.

    4. Payment details are usually required to be kept for longer periods of time (between 5 and 15 years depending on the jurisdiction), so you are actually required by law to keep those even if the data subject requests their deletion.

    To learn more about data subject rights check out our webinar “Data Subject Rights under the EU GDPR” (https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/)
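    The "strip them of any identifiable data" option from answer 3, as an added example that is not part of the original answer. It assumes a constructed semicolon-separated CDR export (timestamp;caller;callee;duration) with E.164 numbers; the sample lines are invented, and the regex and field layout are assumptions to adapt to your own export. It shows the practical difference between pseudonymization (a keyed hash, which is still personal data under GDPR Art. 4(5) because whoever holds the key can re-identify the number) and irreversible removal, plus a per-subject erasure that removes only the requesting party's number so the remaining record can still serve the retention obligations mentioned in answer 4.

```python
import hashlib
import hmac
import re
from typing import Iterable, List, Optional

# Constructed sample CDR lines (not real data): timestamp;caller;callee;duration_s
SAMPLE_CDRS = [
    "2019-03-01T10:15:02Z;+4915112345678;+4930111222333;184",
    "2019-03-01T10:21:40Z;+4930111222333;+4917698765432;37",
    "2019-03-01T11:02:11Z;+4917698765432;+4915112345678;602",
]

# Assumption: numbers appear in E.164 form (+ followed by 8-15 digits).
PHONE_RE = re.compile(r"\+\d{8,15}")


def pseudonymize(number: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym of a phone number.

    Stable across lines, so call records can still be correlated, but not
    reversible without the key. Because the key allows re-identification,
    the output is pseudonymized, not anonymized, data (GDPR Art. 4(5)) and
    does not by itself satisfy an erasure request.
    """
    digest = hmac.new(key, number.encode("ascii"), hashlib.sha256).hexdigest()
    return "p:" + digest[:16]


def anonymize_line(line: str, key: Optional[bytes] = None) -> str:
    """Replace every phone number in one CDR line.

    With a key: pseudonymize (reversible by the key holder).
    Without a key: drop the number entirely (irreversible).
    """
    if key is None:
        return PHONE_RE.sub("[removed]", line)
    return PHONE_RE.sub(lambda m: pseudonymize(m.group(0), key), line)


def contains_phone_number(line: str) -> bool:
    """Check used before releasing or retaining a line as 'anonymous'."""
    return PHONE_RE.search(line) is not None


def erase_subject(lines: Iterable[str], numbers_to_erase: Iterable[str]) -> List[str]:
    """Apply one data subject's erasure request to a batch of CDR lines.

    Only the requesting subject's number(s) are removed; the other party's
    number and the call metadata stay, since those may have to be kept for
    legal retention periods.
    """
    targets = set(numbers_to_erase)
    return [
        PHONE_RE.sub(lambda m: "[erased]" if m.group(0) in targets else m.group(0), line)
        for line in lines
    ]


if __name__ == "__main__":
    key = b"rotate-me-and-store-in-a-kms"  # assumed secret, not a real key
    for cdr in SAMPLE_CDRS:
        print("pseudonymized:", anonymize_line(cdr, key))
        print("anonymized:   ", anonymize_line(cdr))
    for cdr in erase_subject(SAMPLE_CDRS, ["+4915112345678"]):
        print("after erasure:", cdr)
```

Note the order of operations in a real deletion workflow: first check whether the record is under a statutory retention period (answer 4 and the exceptions listed in answer 2); if it is, keep it but restrict processing; if it is not, remove the number rather than hashing it, and verify with a check like `contains_phone_number` before treating the log as out of scope of the GDPR.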
  • (B)ring (Y)our (O)wn (D)evice and GDPR

    Now I am left with either one of these options:
    - application wrapping
    - sandboxing
    Is there an easier way to be GDPR conform and allow BYOD?

    Answer:

    There is no mention in the EU GDPR, or any other legal provision for that matter, about forbidding the use of employees' own devices to access a company email.

    The only thing to be considered is how to keep the access to that data secure, so as not to be subject to a data breach based on the vulnerability of the employee's device on the one hand, and the degree of monitoring of the employees' devices on the other.

    I think that the latter is more important, as there is usually a tendency to over-monitor a user's device even if it is not justified, taking into account the data that is usually passed via email. In this case I would recommend performing a DPIA to check if the monitoring is proportionate.

    To learn more about DPIAs check out our webinar Seven steps of Data Protection Impact Assessment (DPIA) according to EU GDPR (https://advisera.com/eugdpracademy/webinar/seven-steps-of-data-protection-impact-assessment-dpia-according-to-eu-gdpr-free-webinar-on-demand/).
  • Definition of the scope


    Answer:

    To determine the scope of the clinic correctly, you will have to take the following factors into account:
    - The internal and external issues of the organization's context
    - Compliance obligations
    - The organization's different units, functions and physical boundaries
    - The activities, products and services offered at the clinic
    - The authority and ability to exercise control and influence

    Remember that it is mandatory to maintain documented information on the scope of the EMS and that it must be available to interested parties.

    These materials may be useful for understanding the scope of the environmental management system:
    - Article - How to determine the scope of the EMS according to ISO 14001:2015 (available in English): https://advisera.com/14001academy/blog/2016/02/01/how-to-determine-the-scope-of-the-ems-according-to-iso-140012015/
    - Book - The ISO 14001:2015 companion (available in English): https://advisera.com/books/the-iso-14001-2015-companion/
    - Free online course - ISO 14001:2015 Foundations (in Spanish): https://advisera.com/training/es/course/curso-fundamentos-iso-14001/
  • Regulatory compliance


    Answer:

    The environmental regulations that may apply to your company will depend on your location (the region, state, country, etc.) but also on the activities that you perform. There may also be other international laws that apply to the activities you conduct within your industry/sector and that have an impact on the environment. Usually this information is easy to access through government institutions in your region, and they often provide local or nationwide online resources to ensure that applicable legislation is available.

    To learn more about regulatory compliance in ISO 14001:2015:
    - Article - How to achieve regulatory compliance in ISO 14001:2015: https://advisera.com/14001academy/blog/2015/06/15/how-to-achieve-regulatory-compliance-in-iso-14001/
    - Article - Compliance requirements according to ISO 14001:2015: what has changed: https://advisera.com/14001academy/blog/2015/09/14/compliance-requirements-according-to-iso-140012015-what-has-changed/
    - Book - The ISO 14001:2015 companion: https://advisera.com/books/the-iso-14001-2015-companion/
    - ISO 14001:2015 Foundations Course: https://advisera.com/training/iso-14001-internal-auditor-course/
  • Use of Toolkit's documents


    Answer:

    You can use one document for both standards with no problems. In the list of documents file that comes with your toolkit you can identify which documents can be used for both standards (e.g., List of Legal, Regulatory, Contractual and Other Requirements, and Risk Assessment and Risk Treatment Methodology).

    These materials will provide you additional information about integrated implementation:
    - ISO 27001 & ISO 22301: Why is it better to implement them together? [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
    - What to implement first: ISO 22301 or ISO 27001? https://advisera.com/27001academy/blog/2017/04/03/what-to-implement-first-iso-22301-or-iso-27001/
  • Integrated implementation


    Answer: For information about ISO 27001 and ISO 9001 integration, I suggest you see these materials:
    - Using ISO 9001 for implementing ISO 27001 https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
    - ISO 27001 implementation: How to make it easier using ISO 9001 [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-implementation-make-easier-using-iso-9001-free-webinar-demand/

    2 - Additionally, can you tell me what would trigger a re-audit by an ISO auditor? After our initial audit and certification, do we need to be re-audited every time we update to a new version of a document that is part of the ISMS?

    Answer: As part of the certification process, the certification body plans surveillance audits to be performed periodically after a successful certification audit (normally they are performed annually), so there is no need to perform a re-audit every time the ISMS is updated. Another event that may trigger an additional audit is if the certification body receives a complaint from an organization's customer reporting a significant failure of the organization's ISMS.

    For more information see:
    - Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
  • Lead Auditor course and ISMS certification


    Answer:

    Only auditors working for certification bodies (certification auditors) can certify a business as ISO 27001 compliant.

    The lead auditor course is the first step to become a certification auditor.
    The process to become an ISO 27001 Lead Auditor, and a certification auditor, is the same all around the world, and this article will provide you further explanation about becoming a certification auditor:
    - How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
  • Quality manual and ISO 9001:2015


    Answer:

    Two things:
    First, just because ISO 9001:2015 no longer requires the existence of a quality manual does not mean that its existence is not allowed. All the companies I have worked with have maintained the quality manual despite the transition to ISO 9001:2015. You can keep your quality manual after updating it.
    Second, you can create a Formats/Records register, a kind of master list of all Formats/Records in use in your organization.

    The following material will provide you information about the quality manual:

    - ISO 9001 – The future of the Quality Manual in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/
    - free online training ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Internal auditor requirements

    Answer:
    Each organization has the authority to set the requirements for their internal auditors. Only your organization has the legitimacy to set the requirements applicable to your internal auditors. Even ISO 19011 removed the word competence from the definition of auditor. That said, it is wise to set as minimum requirements for internal auditors that they should know the standard (ISO 9001:2015) and they should know auditing practices. Your organization can ask for any evidence that they know, or studied ISO 9001:2015.

    The following material will provide you information about internal audits:

    - ISO 9001 – Five Main Steps in ISO 9001 Internal Audit - https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/
    - free online training ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/