ISO 9001:2015 does not mandate any documented information about risks and opportunities. Your organization can perform a meeting where a brainstorming session about risks and opportunities is held. Then, in the meeting minute you can record the risks and opportunities determined, their evaluation, and what was decided about the most important.
The following material will provide you information about mandatory documentation:
Well, ISO 9001:2015 in its Bibliography page still continues to mention ISO 10005. So, I believe it is still relevant.
The following material will provide you information about quality plans:
We were questioned about the difference between marginal and acceptable.
Answer: The term "marginal" refers to an event that is barely registered, with an impact so small that it is considered not worth acting upon, while the term "acceptable" refers to an event that has a perceivable impact, but which the organization has chosen not to act upon.
Policies approval
Answer: In general, the Company Director (or the highest position in the company) signs the high-level policies (those policies that have overall impact throughout the organization, like the Quality Management Policy and the Information Security Policy), while other directors or managers sign the remaining policies (known as low-level or second-level policies), according to their scope (e.g., the IT director signs the Password and Backup policies, and the Purchase manager signs the Supplier Management Policy).
1. We have a Management review procedure in place; what are the important elements that we need to add or remove to align with the new requirements?
In addition to the management review inputs and outputs defined in the previous version of the standard, the new version requires consideration of:
- context of the organization relevant to the environmental management system
- the needs and expectations of interested parties
- risks and opportunities
2. Do we need to remove the term MR (Management representative) or his or her roles and responsibilities in all of our revised documents?
No, it is not necessary. Although the standard no longer requires an MR as a mandatory role, companies can decide to keep this role as a part of the EMS. If your organization decides not to keep the MR as a role within the EMS, the MR's roles should be transferred to other people or other roles; in this case you will have to revise the documents and change them accordingly.
One of the quick wins would obviously be having the comfort that, if under investigation by a Supervisory Authority, you would have the means to prove accountability as set forth in the EU GDPR. Compliance with the EU GDPR would also prove to your customers and business partners your commitment to doing your business in a compliant way, not to mention that if your business is actually to provide services to other companies and in that sense process personal data on their behalf (you acting as a processor), you would be expected by those companies (acting as controllers) to be EU GDPR compliant.
The decision to use internal or external resources is entirely up to you, so you can go both ways. However, this matrix that we have developed, https://advisera.com/eugdpracademy/comparison/, might help you make the right decision.
The time frame highly depends on the complexity of your business and your processing activities. Usually for SMEs it is anywhere between 3 and 6 months. Also, please consider that once established, the EU GDPR framework needs to be maintained, so it is not just a one-time job.
Courses in Mexico
From my point of view, both entities (BCI and DRII) have a good international reputation, so my recommendation is that you select the entity depending on your needs. Example: Do you need an online course? BCI. Do you need an entity based in the USA because you are planning to work and live in the USA? DRII
Scope and exclusions
Answer:
About the application of clause 8.3 to “Sourcing and placing suitable candidates (Permanent & Freelance) for the construction industry”, I would consider its exclusion once you already have your product defined and as long as you don’t need to change it. Your clients provide your organization with the service characteristics, the specifications, needed for you to plan the service provision processes. I don’t believe you need to change your scope.
The following material will provide you information about scope and exclusions:
Currently we are working on two courses meant to help participants improve their knowledge and skills in the field of data protection, of course with a focus on GDPR. There will be two available courses: one GDPR Foundation Course and the other a DPO course. The two courses will be available within the next two weeks, so follow the Advisera webpage.