Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11269 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Objectives and planning for QMS
My answer:
We do have a procedure for the quality plan which is a documented list of arrangements needed for the creation of the product or service, including the necessary tools, process steps, measurement points and any other necessary information - https://advisera.com/9001academy/documentation/quality-plan/ Also you can find here a separate template for the quality objectives: https://advisera.com/9001academy/documentation/quality-objectives/ Both templates contain several comments in order to help you to best complete it.
For more information about a quality plan you can see the article "Making the best out of ISO 9001 Quality Plan": https://advisera.com/9001academy/blog/2015/12/08/making-the-best-out-of-iso-9001-quality-plan/
In this article you can learn more about how to write quality objectives: https://ad visera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
These materials can also help you with the implementation of ISO 9001:2015:
- Book "Discover ISO 9001:2015 through practical examples": https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
- ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
- Conformio - Compliance tool: https://advisera.com/conformio/ -
Swot/Interested Parties
My answer:
You can find an example of a swot analysis for a manufacturing company in this article: https://advisera.com/9001academy/blog/2016/10/11/iso-90012015-case-study-context-of-the-organization-as-a-success-factor-in-manufacturing-company/
Relevant parties are those persons or organizations that will have an impact on your ability to provide products and services which consistently meet the needs of your customers and legal requirements. To determine who is a relevant party in your organization, you can consider the following groups:
- Customers
- Government and non-government organizations
- Employees
- Shareholders
- Suppliers
For more information about interested parties in ISO 9001:2015, see these articles:
- "How to determine interested parties and their requirements according to ISO 9001:2015 ": https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015/
- "Understanding needs and expectations of interested parties in ISO 9001:2015": https://advisera.com/9001academy/blog/2017/10/24/understanding-needs-expectations-of-interested-parties-in-iso-90012015/
These materials can also help you to learn more about the implementation in ISO 9001:2015:
- Book "Discover ISO 9001:2015 through practical examples" - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
- ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Conformio: compliance software tool - https://advisera.com/conformio/ -
Procedure for clause 8.4
My answer:
We do have a procedure for purchasing and evaluation of suppliers (Clause 8.4) that includes also the following Appendices:
- Checklist for evaluation of suppliers
- List of approved suppliers
- Registry of complaints about suppliers
- Request and order for purchasing
For more information about this procedure you can see: https://advisera.com/9001academy/documentation/procedure-purchasing-evaluation-suppliers/
You can also learn more about how to evaluate supplier performace according to ISO 9001:2015 in this article: https://advisera.com/9001academy/blog/2015/10/27/how-to-evaluate-supplier-performance-according-to-iso-90012015/ -
Subject access requests
Answer:
Our EU GDPR Documentation toolkit has an entire folder dedicated to DSARs https://advisera.com/eugdpracademy/eu-gdpr-consent-data-subject-rights-toolkit/ and it contains a procedure that can be used to address DSARs as well as a flowchart https://info.advisera.com/eugdpracademy/free-download/eu-gdpr-data-subject-access-request-flowchart describing the process of answering DSARs and templates bots for data subjects request as well as answers.
To learn more about data subject rights check out our free webinar “Data Subjects Rights under the EU GDPR” https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/ -
GDPR - Intercom chat and Facebook Messenger
If you don’t have a signed agreement you need to check intercom's Privacy Notice/Privacy statement and see what their retention period is. However, if you have a signed commercial agreement you need to have a Data Processing Agreement in place with the processor also regulating the deletion of data from their archives.
To learn more about the EU GDPR check out our free “EU GDPR Foundations Course” https://advisera.com/training/eu-gdpr-foundations-course// -
The right toolkit
Answer:
Based on the description you would most likely be a data processor and the universities would be the data controllers. There is no specific toolkit version for the data processors because most of the documents are relevant for both controllers and processors. There are some documents that may be less relevant to processors such as the documents related to managing data subjects rights in folder 4 of the EU GDPR Consultation Toolkit.
However, consider that f you are established in the EU you will be a controller as opposed to the data of your employee s.
To learn more about the EU GDPR check out our free “EU GDPR Foundations Course” https://advisera.com/training/eu-gdpr-foundations-course// -
Processing of the data
1. Is it necessary to request the express consent of the interested party for the transfer of data?
2. Is it sufficient to inform that the data are advanced and at the end of the clause request the express consent for the corresponding purpose?
Answers:
Consent is not required for transferring data outside the EEA if you are using one of the safeguards indicated by the EU GDPR in article 45 – “ Transfers subject to appropriate safeguards” (https://advisera.com/gdpr/transfers-subject-to-appropriate-safeguards/)
One of the most common and easy to use safeguards are the “Standard contractual clauses” or “Model clauses” which need to be singed by the data exporter and data importer. These standard documents can be found in folder 6 of our EU GDPR Documentation Toolkit.
So, in a nutshell if you use the “Standard contractual clauses” as a safeguard the consent is not needed but the information ab out the intended data transfer needs to be included in the “Privacy Notice”.
To learn more about data transfers don`t miss out on our webinar “How to make personal data transfers to other countries compliant with GDPR” https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/ -
GDPR privacy policy
Only EU law -
Controls development and implementation
We received this question:
>Thanks a lot for the support. I read it, but it dosent have answer to points 1to3. Request you to help me with the first 3 points mentioned my questions.
>
>I would like to know what I should keep in content of these? Or like share samples if possible.
Answer: The content of policies and procedures related to information transfer, log on and log off, and publication of public information shall depend of the relevant risks identified in your risk assessment, and legal requirements applicable to your organization, so there isn't a definitive answer for your question.
ISO 27002, a supporting standard for implementation of ISO 27001 Annex A controls can provide you a comprehensive set of guidance's and recommendations that you can use to tailor your documents. You should consider at least these controls:
- 9.1.1 Access control policy
- 9.4.2 Secure log-on procedures
- 13.2.1 Information transfer policies and procedures
- 13.2.2 Agreements on information transfer
- 13.2.4 Confidentiality or non-disclosure agreements
As for templates, I suggest you to take a look at the free demo of these templates:
- Access Control Policy https://advisera.com/27001academy/documentation/password-policy/
- Information Transfer Policy https://advisera.com/27001academy/documentation/information-transfer-policy/
- Confidentiality Statement https://advisera.com/27001academy/documentation/confidentiality-statement/
This material will also help you with ISO 27001 Annex A controls:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/ -
Inventory of assets
I know have a better understanding of the 'Assets' that should be recorded in the risk register, you did answer a question yesterday for me about listing every server and you suggest to group them together.
So, if I have an asset of a 'Database Server' on the risk register, what would I put in the 'Information Asset Inventory'? I was thinking of then breaking it down to the different applications that use the database server, does that sound correct?
Answer: In the 'Information Asset Inventory' you must include all assets you identified in your risk register. Since the standard doesn't define to which level of details the assets need to be described in the Inventory of assets, you can list servers in general or not only the 'Database Server' but also all the different applications that use the database server that you have identified in your risk register.
This article will provide you further explanation about inventory of assets:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
This material will also help you regarding inventory of assets:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/