
  • ISO standard selection

    1. Government Ministries
    2. Small, Medium and Large business places.

    Answer: The selection of ISO standards depends on many factors, such as:
    - Laws and regulations that must be followed
    - Business (private or governmental) that must be achieved
    - Customers' / users' needs to be fulfilled

    So, without more detailed information it is not possible to recommend specific ISO standards.

    But it is important to note that ISO standards are designed to be implemented by organizations of any sector or size.

    See this article for more information:
    - Is ISO 27001 among the top ISO standards? https://advisera.com/27001academy/blog/2013/09/09/is-iso-27001-among-the-top-iso-standards/
  • ISO 27001 and ISO 20000


    Answer: Besides a customer requirement, you also have to evaluate these two aspects:
    - if there is any legal requirement such as laws or regulations that demands this certification;
    - if the benefits related to the ISO 20000 certification will be greater than the effort to implement and maintain it.

    If there is no applicable legal requirement, then you should consider whether the benefits for your organization of certifying against ISO 20000 to meet this client's needs will be greater than the effort and cost involved in the implementation and operation of a certified system.

    These articles can help you evaluate your options:
    - 5 key benefits of ISO 20000 implementation https://advisera.com/20000academy/blog/2016/02/09/5-key-benefits-of-iso-20000-implementation/
    - How to implement ISO 27001 and ISO 20000 together https://advisera.com/27001academy/blog/2015/03/16/how-to-implement-iso-27001-and-iso-20000-together/
  • Management systems integration

    2. Do we have separate documents or records for each or combined, e.g. Internal audit program and Audit reports. Can non-conformities discovered in 9001, 14001 and 45001 be recorded in a single template?

    Answer:

    The most logical approach for an integrated management system is a common policy and, whenever possible, common documents like internal audit, audit report, corrective actions, and so on. Your organization can try a single template for non-conformities. In working with some organizations I have used a single template and it worked, but I must confess that sometimes it does not work, because some organizations want to keep simple templates, and trying to answer all standards while recording what is relevant about the context of the non-conformity is not easy.

    The following material will provide you information about management systems integration:

    - ISO 9001 – How to implement integrated management systems - https://advisera.com/27001academy/blog/2015/10/05/how-to-implement-integrated-management-systems/
    - How to integrate ISO 14001 and ISO 9001 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/how-to-integrate-iso-14001-and-iso-9001/
    - Integrated Management System Manual - https://advisera.com/9001academy/documentation/ims-manual/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Audit or Gap Analysis?


    Answer:

    If there is no QMS defined yet, perhaps at this stage a Gap Analysis will be more useful. Please check the links below, where you can find a free checklist for a Gap Analysis and where Gap Analysis is compared with audits.

    The following material will provide you information about the Gap Analysis tool:

    - ISO 9001 – Gap analysis vs. internal audit in ISO 9001 - https://advisera.com/9001academy/blog/2015/02/17/gap-analysis-vs-internal-audit-iso-9001//
    - Should you use a gap analysis in your ISO 9001 implementation? - https://advisera.com/9001academy/17/use-gap-analysis-iso-9001-implementation/
    - Free ISO 9001:2015 Gap Analysis Tool - https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Risk assessment methodologies


    Answer: First it is important to note that ISO 27001 does not prescribe any specific methodology for an ISMS, so organizations are free to choose the methodology that best fits their needs.

    The most used approach is the asset-based risk assessment. Regarding FMEA, it is a good approach when you have a clear understanding of the processes being assessed.

    These articles will provide you further explanation about risk assessment approaches:
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
    - ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification/

    These materials will also help you regarding risk assessment approaches:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Transfer data to countries outside the EEA

    Our company and order management system is located in Finland.
    1. Do we need to fill in and sign 06.3_Annex_2_Standard_Contractual_Clauses_for_the_Transfer_to_Processors_EN with those companies?
    2. Do we need to inform our customers registered in the order management system about personal information transfer outside the EU?

    Answers:

    If you are transferring data to Thailand and India you need to sign the Standard_Contractual_Clauses_for_the_Transfer_to_Processors with each of your processors. You need to inform your customers that you may transfer data to countries outside the EEA and point out which those countries are.

    To find out more about data transfers, make sure you don’t miss our webinar “How to make personal data transfers to other countries compliant with GDPR” https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/
  • Unstructured data


    Answer:

    If the unstructured data cannot be linked to an individual, then the EU GDPR does not come into play. However, just to make sure, you can use a data discovery solution to check if your archives contain personal data.

    If they do, you need to check if you have a legal ground to keep the data, and if not you need to delete it.

    If you want to find out more about your obligation to delete data, you can check out our free “EU GDPR Foundations Course” (https://advisera.com/training/eu-gdpr-foundations-course//)
  • Management Representative after ISO 9001:2015


    Answer:

    The role of Management Representative has been removed from ISO 9001:2015; its responsibilities went to top management. Not being mandatory is not the same as being forbidden. So, your organization can keep the role of Management Representative, or of QMS Manager, for the person who drives the whole process.

    The following material will provide you information about the Management Representative:

    - ISO 9001 – What will be the destiny of the management representative in the new ISO 9001:2015? - https://advisera.com/9001academy/knowledgebase/what-will-be-the-destiny-of-the-management-representative-in-the-new-iso-90012015/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Organization knowledge and Customer Specific Requirements


    Answer:

    When it comes to organizational knowledge, the standard is rather vague. This allows organizations freedom in deciding how to identify the knowledge and provide access to it for the relevant people. For example, consider one process from your company. Then, list all activities performed in that process. For each activity, identify which function performs it, and list what kind of knowledge someone in that function has to have in order to perform those activities competently. That knowledge can include things like:
    - knowing work instructions;
    - having a professional certificate considering the person as a professional welder;
    - knowing how to operate certain machines;
    - knowing how to control the quality of certain parts;
    - knowing how to identify, segregate and manage nonconforming parts.

    When you identify organizational knowledge you do not consider any person in particular; you are using abstract thinking: what kind of knowledge should anyone performing that function have?

    Then, look at the actual performance of the process and at the actual persons performing those functions. Do they have the right amount of knowledge? Are they competent enough? Remember, you can have competent people working in a process, and because your company becomes more demanding about performance, perhaps those same people become non-competent.

    For more information, please take a look at the following materials:
    - Article: How to manage knowledge of the organization according to ISO 9001 https://advisera.com/9001academy/blog/2016/08/30/how-to-manage-knowledge-of-the-organization-according-to-the-iso9001/
    - free online training ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
    - book – Discover ISO 9001:2015 Through Practical Examples https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

    When it comes to requirement 7.5.1.1.d), the easiest approach is to create a matrix where in one column you list your processes and in the second column you put the relevant CSRs for each process. In addition, you can put the person responsible for compliance with each of the customer specific requirements. The main input for this matrix is the identification of interested parties and their needs and expectations; if it is done properly, you can use the list of interested parties and their needs and expectations to meet this requirement. Basically, the CSR matrix is a more detailed examination of the needs and expectations of one group of interested parties - customers.

    Here you can find a free preview of our List of Interested Parties and Customer Specific Requirements https://advisera.com/16949academy/documentation/list-of-interested-parties-and-customer-specific-requirements/
  • EU GDPR article 28

    1. If a systems builder installs several workstations with different applications at a customer and needs to log information on those systems (not per se an audit trail) to be able to debug what went wrong between these systems, and the customer is happy to provide these logs or even (continuous) access to the systems to have things debugged, but the logs may contain privacy related information, then what do you do? Warn system users that their actions are logged? Demand that the customer anonymizes the logs? State that we uphold privacy and use logs only for debugging our systems and not for an audit trail? Do we need a processor agreement for that? Who provides it?
    2. Do processor agreements need to be signed by both parties?
    3. Do you need to actively request a website visitor to accept cookies and read the privacy statement even if you do not use personal information that is collected, e.g. by google analytics and similar 3rd party tools? Or is it enough just to link to a disclaimer or legal statement on these pages…

    Answers:

    1. If the users have access to personal data you need to ensure that they are bound by the duty of confidence. This is a requirement of EU GDPR article 28.(3)e – Processors (https://advisera.com/eugdpracademy/gdpr/processor/). You can also have a pop-up message to the users that they are about to access personal data.
    2. If possible the customer should try to anonymize the personal data, and if it is not possible a Data Processing Agreement should be signed by you as the data processor and your customer as the data controller. This needs to be a legally binding agreement and needs to be signed or agreed by both parties.
    3. It is the ePrivacy Directive which requires websites to gain consent from readers if they want to use cookies to track them. You should have a separate Cookie Policy that needs to be accepted by the users. Also, the users must be informed about how they can set up their browsers not to accept cookies.

    If you want to find out more about the processors' obligations you can check out our free “EU GDPR Foundations Course” https://advisera.com/training/eu-gdpr-foundations-course//