Please note that with ISO 9001:2015 it is no longer mandatory to have a Quality Manual, so it is not required to include a list of interested parties in a Quality Manual. Also, ISO 9001:2015 does not require documented information about interested parties. Beyond this, your organization can decide to have a Quality Manual with whatever content you see fit.
There is no requirement in ISO 9001:2015 to treat a safety manual as a quality document. As good practice, your organization's safety manual should be a controlled document.
The following material will provide you with information about documented information:
We want to use document templates to help us accelerate our GDPR and ISO 27001 compliance as a small company and we are keen to understand if your product is suitable?
Answer:
As long as you use the documents for your own company and not for commercial use, sending certain documents to your customers or suppliers as part of your implementation effort won't constitute a breach. Documents such as Data Processing Agreements would need to be negotiated with and signed by your suppliers, and of course you would need to share them with your suppliers. The same goes for the Privacy Notices as well; they are meant to be presented to the data subjects.
He believes that he may use these lists to establish contact with potential new customers as long as he has an opt out/unsubscribe link in the email.
He may continue to communicate with existing customers as he has a business contract with them.
1. Advise if he can continue to contact those people on the current database who are not current customers or whose details are in the public domain.
2. Advise if it is possible to hold sensitive personal data that identifies their religious beliefs (e.g. a priest or reverend).
3. Is it possible to proceed with purchasing databases from list brokers to ensure compliance with GDPR?
4. If he is handed a business card at a meeting or event, can the contact’s details be added to the contact database without their written consent?
Answers:
1. If you intend to process personal data for the purposes of direct marketing by electronic means (by email, text, automated calls etc) legitimate interests may not always be an appropriate basis for processing. This is because the e-privacy laws on electronic marketing – currently the Privacy and Electronic Communications Regulations (PECR) – require that individuals give their consent to some forms of electronic marketing.
You can check out our webinar “How GDPR Affects Marketing Practices” (https://advisera.com/eugdpracademy/webinar/how-gdpr-affects-marketing-practices-free-webinar-on-demand/);
2. Processing of sensitive personal data would require explicit consent from the individual as per EU GDPR art. 9 –“ Processing of special categories of personal data” (https://advisera.com/eugdpracademy/gdpr/processing-of-special-categories-of-personal-data/).
3. Not sure about that; it highly depends on where the broker received the list from. Regardless, if you obtain the data from another source you need to make sure you comply with the provisions of EU GDPR art. 14 – "Information to be provided where personal data have not been obtained from the data subject" (https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-have-not-been-obtained-from-the-data-subject/).
To learn more about Privacy Notices, check out our webinar "Privacy Notices Under the EU GDPR" (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/)
4. Usually business cards contain contact information about a representative of a company, and this information can be used to communicate and convey B2B messages. If you only use it for B2B communication, only an "opt-out" is required.
ISO 9001:2015 no longer makes the appointment of a Management Representative (MR) mandatory. According to clause 5.1.1, top management is now responsible for what was the MR role. Nevertheless, an organization can keep that role, working in close relationship with and under the supervision of top management. If the role of MR exists, it should have a Job Description.
The following material will provide you with information about the Management Representative role:
An organization determines its relevant interested parties and their relevant expectations. For example, imagine a company that considered subcontractors one of its relevant interested parties. They are important because they perform part of the production and allow flexibility and increased responsiveness.
When assessing risks, the company considered its relevant interested parties as input information. Regarding its subcontractors, it identified one risk and one opportunity. A major factory producing the same kind of products as the subcontractors closed; there is the risk of losing negotiating power with the subcontractors, since other companies, former clients of the now-closed factory, may start looking for alternatives. As an opportunity, the same company realized that the owner of one of its subcontractors is very old and has no sons or daughters to continue the business, so it decided to study a financing project to buy the subcontractor's operation and make him an offer.
The following material will provide you with information about the risk-based approach and interested parties:
The customer sees an advertisement on Facebook and clicks on a link to buy the product. He will be redirected to a website displaying the desired T-shirt. IMPORTANT: I just create the designs and upload them to a third-party website, which then does the printing and shipping to the customer. That means I'm not a website operator; I'm solely responsible for developing the designs and promoting the online shop through the design of a FACEBOOK FANPAGE for the customer, and I then receive a commission.
My question concerns the GDPR. Since I advertise only on Facebook and sell through a third party, they are the main actors that have to comply with the GDPR, right?
Answer:
If you don't have access to any personal data of the individuals buying the T-shirts and you are only doing the design, then you are out of the scope of the EU GDPR.
Neither ISO 27001 nor ISO 22301 prescribes for how long recorded sessions from CCTVs should be kept, but they require an organization to identify applicable legal requirements (e.g., contracts, laws, regulations, etc.) that may define for how long such records must be kept. In case the legal requirements do not specify a retention period, the organization needs to define the retention time based on risk assessment results, considering these data and other operational needs.
Regarding PCI DSS v3.2, clause 9.1.1.c requires that data from video cameras and/or access control mechanisms be stored for at least three months.
There are two types of auditors:
Internal auditors, who carry out internal audits, and lead auditors, who work for certification bodies and carry out certification audits.
Regarding internal auditors: there are no mandatory requirements for becoming an internal auditor, but certain skills, competences and qualifications can help a person become one. A combination of knowledge of the internal process of ISO 14001:2015 and attention to detail remain the main attributes.
In this article you can learn more about the competences of an internal auditor: What competences should an ISO 14001 internal auditor have: https://advisera.com/14001academy/blog/2016/07/04/what-competences-should-an-iso-14001-internal-auditor-have/#
You can also attend this course, which will help you acquire the necessary knowledge: ISO 14001:2015 Internal Auditor: https://advisera.com/es/formacion/curso-de-auditor-interno-iso-14001/
Regarding the lead auditor: to become a Lead Auditor, you must first have experience in applying ISO principles, procedures and techniques in audits. The next thing a candidate needs in order to become a lead auditor is to pass the ISO 14001 Certified Lead Auditor exam. This ISO 14001 Lead Auditor course is offered by many accredited bodies, such as certification bodies or approved training organizations. The scheme most widely offered by the main auditor registration organizations is a qualification scheme that requires you to pass a 5-day lead auditor class, demonstrate with a CV that you have approximately 4 years of work experience, of which approximately 2 years are more specific experience (for example, in the environmental sectors you wish to audit), and then take part in audits to demonstrate audit experience.
To learn more about the benefits and problems of becoming a lead auditor, see this article: Benefits and potential problems of becoming an ISO 9001 lead auditor (available in English): https://advisera.com/9001academy/blog/2020/04/10/how-to-become-an-iso-9001-lead-auditor/
In addition, this book can help you understand ISO internal audits: ISO Internal Audit: A Plain English Guide: https://advisera.com/books/auditoria-interna-iso-una-guia-en-un-lenguaje-sencillo/