Answer:
While it is true that AS9100 does not specify a timeline in which you need to close a corrective action, certification bodies do have their own rules about responding to non-conformances found in certification audits. They are not able to certify your company if they have found a problem and you have not completely fixed that problem (i.e., closed the corrective action); if you only have a plan to fix the problem, they cannot grant certification. An expectation to have the certification audit non-conformances fixed and closed in 30 days is a standard timeline from certification bodies; I have not seen expectations that give more time.
I would recommend looking at this 9001Academy blog post on how to proceed once a corrective action is identified as it is applicable to the AS9100 QMS as well: https://advisera.com/9001academy/blog/2016/09/20/how-to-proceed-once-qms-corrective-action-is-defined/
Benefits of ISO 27001
Answer: You need to show your director what the benefits of ISO 27001 are, which are basically four: compliance, marketing edge, lowering expenses, and putting your business in order. To learn more about these benefits, please see this article, “Four key benefits of ISO 27001 implementation”: https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
2. How do we document risks and opportunities from environmental aspects?
Answer:
1. You don't need to document risks and opportunities at department level; you just have to identify the risks and opportunities that are present for your EMS, decide which need to be addressed, and keep documentation of the risks and opportunities you will address.
2. You can create a formal Risk Register within the EMS where identification, discussion, actions, outcome, and monitoring can all be listed and results clearly evaluated. Again, you just need to document those risks that arise from environmental aspects and need to be addressed.
These materials can help you with the risks and opportunities:
1. Do we need a separate inventory for processing activities for data of our clients (as processor)? If so, should we adapt this document, or is there a separate document?
2. Does processing of employee data (of our own employees) also need to be added to the inventory?
Answers:
1. The “Inventory of Processing Activities” has two separate sheets. The controller sheet is to be used to capture the processing activities where you act as a data controller, and the processor sheet should be used for the processing activities where you act as a data processor. Art. 30 - Records of processing activities (https://advisera.com/eugdpracademy/gdpr/records-of-processing-activities/) requires that under certain circumstances both controllers and processors keep these kinds of records.
2. Processing activities related to your own employees such as recruitment, onboarding, payroll, time management etc. need to be captured in the “Inventory of Processing Activities” in the controller sheet.
Lawful grounds for processing employee biometric data
There is no need for the employees to sign the Privacy Notices, it is enough for you to send an email with the Privacy Notice enclosed or provide a link to the Privacy Notice. It would also be advisable for you to publish the Privacy Notice on your intranet page to be available to all employees.
An expanding scope
Answer:
In principle, what your client requests is feasible. The scope of a quality management system (QMS) is not necessarily equal to the scope of a company’s activities. Sometimes organizations do it like this: they start with a QMS with a limited scope and certify it. Later, they update the scope and include new activities in the QMS. In your situation, I would document the different scopes and transition schedule and would speak with the certification body, even before starting the implementation project. Certification bodies can help with those issues.
The following material will provide you information about quality management scope:
1. Inspectors site visit,
2. Certification cost etc.?
Scope of work:
· Aircraft Spares Depot
· Abu Dhabi, United Arab Emirates.
Answer:
In general, for any QMS in any location, you will hire a certification body to audit your QMS and provide your certification. The fees for the process typically cover a three-year period: Year 1 – Documentation audit, Certification audit and certification; Year 2 – Surveillance audit; Year 3 – Surveillance audit. These fees will differ between certification bodies and might include travel costs as well for each on-site audit. They should not include any consulting services, since the certification auditors are not supposed to consult on any QMS they will be auditing. It is best to check with a couple of different certification bodies in your area to see the differences in fees.
This downloadable checklist includes the implementation and certification steps you will need for your AS9100 implementation: https://info.advisera.com/9100academy/free-download/project-checklist-for-as9100-rev-d-implementation
ISO 17024 online ISO 20000 Lead Auditor training
Answer:
I wouldn't point to a particular organization, but there are some accredited training institutions that are quite popular, like PECB, IRCA, Exemplar Global (formerly RABQSA), etc.
This article provides more information about accreditation:
"Accreditation vs. certification vs. registration in the ISO world" https://advisera.com/articles/accreditation-vs-certification-vs-registration-in-the-iso-world/
How to comply with EU GDPR as a data processor
Answer:
The question is much too broad to provide you with an exhaustive answer.
The key for a processor to be compliant with the requirements of the EU GDPR is to make sure that it takes into account the obligations set forth in article 28 – Processors (https://advisera.com/eugdpracademy/gdpr/processor/).
As a processor you also need to:
Process personal data only on the instructions of the controller, unless required to process for other purposes by Union or Member State law (but not foreign law, such as US law; this will be a major headache for many foreign processors);
Keep a record of processing carried out on behalf of a controller (see Record keeping obligations);
Cooperate with the supervisory authorities;
Implement appropriate security measures;
Notify the controller of any personal data breach without undue delay;
Appoint a data protection officer in certain cases;
Comply with the rules on transfers of personal data outside of the Union.
1. They receive offer request from new customers via mail. For example, dear XXXX we would like to have a proposal for 100 pieces of this material with this shape. Are you able to make it? These are my details: Name, Surname, Phone number, email, VAT number.
2. The same request may arrive via phone.
In these 2 cases, they receive personal data from new customers. My question is, do they need to reply automatically via mail saying, “dear customer, thanks for your email….. we will collect your personal data in order to prepare the proposal and we will keep the data for 60 days; after that time, the data will be deleted. Data will not be shared with 3rd parties….."? The same automatic message can be inserted inside the voice message where the customer needs to press button X to talk with the sales department. Is this mandatory, or can they prepare the offer and send it via mail, stating that the offer was prepared since a previous contact existed and that they will keep the data for 60 days…..?
2. There is no need to have a prompt automatic answer; the customers just need to be informed about this in due time, let's say 30 to 60 days or so, or when they are contacted to be provided with an offer.