
  • Delayed audit report


    Due to the difficulty of closing out the audit finding by collecting bits and pieces of the auditor's report, as I am new to the company, I proposed to re-audit the whole process and deliver a new audit report and findings instead. Alternatively, we submit an RCA of the reasons why we could not close out the NCR raised on the client audit finding.

    Our client still insists that to close out the NCR raised during the client audit, we must submit the complete audit report and its analysis of the previous audit. How should I go about this situation?

    Answer: You may try to explain to your client that since a very long time has passed since this audit (almost a year by now), the effort to complete and submit this report may not be worthwhile, since the conditions may have changed and the non-conformity treatment may not reflect the audited situation. Besides that, you may also argue that the next audit is close and you can use that audit to cover this gap, avoiding unnecessary costs.
  • Documents review criteria


    Answer: ISO 27001 does not prescribe which criteria to use to define conditions for document review, so you can use only the "review if necessary" condition. However, it is good practice to define a time frame, so you can ensure that documents are reviewed before events that have a defined time frame (e.g., you have to define a time frame for the management review, and this review has inputs that can lead to the need for documentation review).

    This material will also help you regarding document management:
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  • Security policy


    Answer:

    The requirement you refer to is meant to be complied with by the data processor that is processing personal data on your behalf, so any of your processors would need to have at least a security policy in place to protect personal data. Of course, a supplier can have a whole security framework in place with a multitude of documents.

    As for your own security setup, you can find a couple of security-related policies in folder 8 of our EU GDPR implementation toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ , from which you can choose which is most relevant in terms of your business activities. I can also warmly recommend ISO 27001 as a good example of a security framework.

    You can find out more about ISO 27001 and the EU GDPR in our article “Does ISO 27001 implementation satisfy EU GDPR requirements?” here: https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
  • Legal grounds


    Answer:

    There are six legal grounds for processing, which can be found in article 7 of the EU GDPR (https://advisera.com/eugdpracademy/gdpr/lawfulness-of-processing/). These six legal grounds are:
    - Consent - The individual has given consent to the processing for one or more specific purposes;
    - Necessary for performance of a contract - The processing is necessary for the performance of a contract with the individual or in order to take steps at the request of the individual prior to entering into a contract;
    - Legal obligation - The processing is necessary for compliance with a legal obligation to which the controller is subject. Only legal obligations under Union or Member State law will satisfy this condition. However, that law need not be statutory (e.g. common law obligations are sufficient);
    - Vital interests - The processing is necessary in order to protect the vital interests of the individual or of another natural person. This is typically limited to processing needed for medical emergencies;
    - Public functions (public interest) - The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Those functions must arise under Member State or EU law; or
    - Legitimate interests - The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Public authorities cannot rely on this condition.

    You can also check out our article “Is Consent needed? Six Legal Basis to Process Data According to GDPR” on https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
  • Internal audit findings


    Answer:
    ISO 20000 contains many required records, documents, or other information, so it's hard to generalize. In, e.g., the Incident Management or Change Management processes, you will look for tickets related to incidents and changes, respectively. The same goes for Problem Management. Availability or Capacity Management will require measurements, so you'll look for measurement files.
    Further on, Configuration Management requires a CMDB. So, you need to check whether it exists, in which form, whether it fulfills the standard's requirements, etc. CIs need to have recorded incidents and changes, so these are all items you need to check.

    Also, see these articles to learn more:
    "ISO 20000 internal audit – What is it and why is it important?" https://advisera.com/20000academy/blog/2016/06/07/iso-20000-internal-audit-what-is-it-and-why-is-it-important/
    "What is the purpose of the internal audit report in ISO 20000?" https://advisera.com/20000academy/blog/2017/03/07/what-is-the-purpose-of-the-internal-audit-report-in-iso-20000/
  • Clause 7.4 of ISO 22301

    Question: I have been working with the documentation you sent me, mainly the BIA, but now I need to address the topic of communication, clause 7.4 of the standard. Do you have documents for this point? I have not been able to identify it in the document pack.

    Answer: You can cover all communication-related matters with the Incident Response Plan, the Business Continuity Plan, and the Recovery Plan. So, basically, we do not have a specific document for clause 7.4 of ISO 22301, but you can use the documents I mentioned to cover the requirements of this clause.
  • Implementation of knowledge management?


    Answer:

    You should determine the knowledge that your organization needs to operate its processes and make products and services according to requirements.
    You should maintain this knowledge and make it available as needed, for example, when new people are contracted.
    Consider your current knowledge when making changes, and determine how you will gain additional or updated knowledge if necessary for the changing needs.

    The following material will provide you information about knowledge management:

    ISO 9001 – How to manage knowledge of the organization according to ISO 9001 - https://advisera.com/9001academy/blog/2016/08/30/how-to-manage-knowledge-of-the-organization-according-to-the-iso9001/
    free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Implementation of risk management


    Answer:

    There are no mandatory documents required by ISO 9001:2015 to evidence implementation of Risk Management.

    So, you are free to decide how to perform and evidence Risk Management. Normally, organizations create a non-mandatory procedure for addressing risks and opportunities, and generate a Risk Registry to keep an updated list of the determined risks and opportunities, their evaluation according to the need for action, the actions performed, and the evaluation of their effectiveness.

    The following material will provide you information about the risk-based approach:

    ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
    List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
    ISO 9001:2015 Risk Management Toolkit - https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
    free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Management system scope change


    Answer:

    Will the acquired company be merged with your organization with the same brand(s) and logo? If yes, your organization is changing the scope of the management system with a new geography/site. In that case your company should contact the Certification Body to inform them about the change.

    The following material will provide you information about the management scope:

    ISO 9001 – How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
    free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • How do I get consultancy work?

    Thanks. All very good advice and I will follow it up.