Search results

  • ITIL and ISO 20000


    Answer:
    There is a free download on our web page. Please check this whitepaper:
    ITIL vs. ISO/IEC 20000: Similarities and Differences & Process Mapping https://info.advisera.com/20000academy/free-download/itil-vs-iso-iec-20000-similarities-and-differences-process-mapping
  • Environmental aspects and risks


    I have a question about ISO 14001:2015 – item 6.1.1 and 6.1.2

    In accordance with the 6.1.2:
    1. Define Aspects
    2. Estimate them by established criteria and I received Significant Aspects

    And that is all.

    There is a Note: that significant aspects CAN result in risks and opportunities.
    During the certification audit the Auditor requires THAT: to each aspect a risk and opportunity MUST BE added in accordance with 6.1.1. I do not agree with that Auditor's interpretation. In my opinion:

    In accordance with 6.1.1 I must prepare the management of the Environmental Processes (a little bit like 4.4 of ISO 9001:2015, e.g. a Turtle Diagram). For that Environmental Process I prepare risks and opportunities which ARE related to environmental activities, estimate them, etc.
    Is the above clear? What is your opinion? For what must I prepare risks and estimate them?

    Answer:

    The standard requires the organization to determine risks and opportunities related to environmental aspects, compliance obligations, and other issues and requirements regarding the context and interested parties. This doesn't mean that every environmental aspect needs to have a risk and opportunity.

    It is not enough to identify risks and opportunities related only to the environmental activities, because the standard requires the organization to identify risks and opportunities to ensure the effectiveness of the QMS, prevent or reduce desired effects, and achieve continual improvement. This includes determining risks and opportunities related to environmental aspects. For most of the significant environmental aspects you can identify risks related to not establishing or not following operational controls. But you don't have to do this for every environmental aspect you have.

    For more information, see: ISO 14001 risks and opportunities vs. environmental aspects https://advisera.com/14001academy/blog/2016/06/06/iso-14001-risks-and-opportunities-vs-environmental-aspects/
  • Mandatory external training


    Answer:

    The standard does not require external training or certifications for internal auditors. All the standard requires is for training to be conducted by a competent trainer and for the organization to maintain records of the trainer's competency.

    The trainer competency can be demonstrated either through various relevant certificates the trainer possesses, or by work experience that qualifies the trainer to perform the training.

    For more information, see: Requirements for competence of IATF 16949 internal auditors https://advisera.com/16949academy/blog/2017/10/19/requirements-for-competence-of-iatf-16949-internal-auditors/
  • EU GDPR questions

    2. Can you please attach an agreement template between a data processor and sub-processor?
    3. Does the privacy notice need to be displayed by the data controller to his customer? Or by us to each individual user?
    4. The same as 3 but regarding the use website cookies
    5. Users' rights – should the right to be forgotten/deleted/export be available to the end user, or should it only be controlled by the “data controller”? Seeing as we are the data processors, do we need to allow end users this right?
    6. Data retirement – We are storing data for reporting and operational purposes (for example, a traveler can view his past trips). Are we obligated to retire data after a certain period of time, or should this be controlled by the “data controller”?
    7. Personal data encryption – We are using the user's email address as our username to access the site, and this field can't be encrypted; is this acceptable? Also, the user's first name and last name can't be encrypted.
    Please advise what's the best course of action.

    Answers:

    1. The content providers for flights, hotels, cars, ground transportation, and rail (nor the providers of the services themselves, such as airlines, hotels, car rental companies, etc.) would be your sub processors, as you well pointed out. These providers should be instructed by you on how the personal data they receive should be processed and protected. Usually, as you are a processor, you would receive instructions from your customers acting as controllers. The instructions you receive from your customers (data controllers) would need to be “back to back” with the ones you impose on your sub processors.

    2. Unless you receive specific requirements from your respective controllers, you could use the attached document as a template. It is basically the same Supplier Data Processing Agreement, but tweaked a little bit to accommodate the processor – sub processor relation.

    3. The Privacy Notice would need to be provided to the end user by the controller. The Notice could be presented similar to the way you would present the Terms & Conditions of your product.

    4. The Cookie Policy should be the responsibility of the controller using the cookies to collect and process personal data. If you are the entity collecting and using the personal data captured by the cookies you should be the one presenting the Cookie Policy to your website visitors. Be aware that cookies are regulated by the ePrivacy Directive as well as the EU GDPR.

    5. The controllers are the ones responsible for making sure that the data subjects can exercise their rights. You as a processor need to inform the controller if you receive such requests from the data subjects, as well as to provide the controllers with the means of complying with those requests. Basically, you just need to enable the controllers to analyze and decide on the requests, and only if specifically instructed may you answer them on behalf of the controller.

    6. The controllers are the ones that determine the retention period in most cases. For your particular situation I would advise you to leave this up to them, meaning the controllers should be able to delete the data whenever they want. Here I am referring to your travel agents and company customers, not necessarily the individuals doing the travel, unless the travel agents or company customers (controllers) instruct you to provide this choice to the individuals (end users).

    7. Encryption in this case means securing your communications, for example using https instead of http for the account authentication page. Also, the database where you store the travel related information could be encrypted to prevent unauthorized access. Consider also implementing strong passwords to protect you against brute force attacks.

    8. Yes, you can grant access rights to a limited number of employees for specific purposes. Make sure that you log all the actions they perform to be used as a proof that there was no tampering with the data in storage.

    You can get more knowledge about the EU GDPR by accessing our free online training GDPR Foundations Course: https:…
  • EU GDPR toolkit


    Answer:

    The EU GDPR toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ is designed to be used by both controllers and processors, and most of the documents reflect this. However, there are certain sections that are less relevant for processors, such as the Managing Data Subjects Rights and the Data Protection Impact Assessments, because these are more controller oriented.

    Bear in mind that any company established in the EU is unlikely to be only a processor, regardless of its business activities: if it has employees, it will act as a controller in terms of processing their data.
  • Sub-processors


    Answer:

    You are correct, if Zendesk would be hosting the data of your customers they should be considered your sub-processors based on the description you provided.

    To learn more about processors and sub-processors see this free online training GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
  • Quality objectives and roles, responsibilities and authorities


    Answer:

    About quality objectives, the most important thing is to start by considering the quality policy of your organization. Quality objectives are a way of translating the words of the quality policy into precise and measurable challenges. Quality objectives must be about relevant requirements for products and services. For example, if your organization has a statement in its quality policy to exceed customer expectations about delivery time, then it could have a quality objective that relates to on-time delivery.

    About roles, responsibilities and authorities, besides those particular situations mentioned in the standard about authorities (for example, to release products and services, or decisions about nonconforming outputs), there are no mandatory requirements for documented information. People need to know what is expected of them, what they must do (responsibilities), and what they can decide (authorities).

    The following material will provide you information about quality objectives:

    - ISO 9001 – How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    - What is the job of the Quality Manager according to ISO 9001? - https://advisera.com/9001academy/blog/2016/08/23/what-is-the-job-of-the-quality-manager-according-to-iso9001/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Safety and ISO 9001:2015


    Answer:

    ISO 9001:2015 per se has no safety requirements incorporated. Please check clause 0.4 of ISO 9001:2015 where you can read “This International Standard does not include requirements specific to other management systems, such as those for environmental management, occupational health and safety management, or financial management.”

    The following material will provide you information about ISO 9001:2015:

    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • External and internal context and interested parties


    Answer:

    I assume that your organization’s purpose is to sell lubricants' quality control results.

    Internal issues:
    Any issues about the Lab's overall performance (capacity OK? Nonconformities? Delivery dates?) or infrastructure (do you need new equipment? Too many equipment breakdowns? Any needs for new competences?). Things that keep coming up in conversations about the Lab performance or day to day (remember the weaknesses and strengths of your organization).

    External issues:
    Any issues about opportunities and threats in the context of your organization. Things like: how are your customers going? How is the economy going? Are there any regulatory news that affect customer’s life and requirements? Are there any technological trends that will affect the Lab business?

    Your organization sells quality control results to customers, so they are an interested party. Why do they choose your Lab? Because it is the cheapest? Because it is the fastest? Because it is the most reliable? Because it is recommended by the customers’ customers? Are regulators an interested party? Are customers’ customers an interested party? Why will they recommend your lab to their suppliers (your customers)? Are there any critical suppliers that you can consider as an interested party? What do you want from them and what do they expect from you? Are there knowledge centers that are interested parties? Universities, Petroleum and Lubricants institutes? What do they want from your Lab and what does your Lab want from them? And workers, are they an interested party? What do you want from them and what do they require from your Lab?


    The following material will provide you information about internal and external context, and interested parties:

    - How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
    - Understanding needs & expectations of interested parties in ISO 9001:2015 - https://advisera.com/9001academy/blog/2017/10/24/understanding-needs-expectations-of-interested-parties-in-iso-90012015/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Cross reference between 27001 and GDPR


    Answer:

    No, I am afraid not; there is no such document in the EU GDPR Toolkit or the EU GDPR & ISO 27001 Integrated Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-iso-27001-integrated-documentation-toolkit/

    However, you can find an interesting comparison between ISO 27001 and the EU GDPR in our article “Does ISO 27001 implementation satisfy EU GDPR requirements?” https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/