To establish a process means to define how the process is conducted and what the inputs, outputs, responsibilities and resources necessary within the process are. It can be done in different ways depending on the complexity of the processes and the risks of nonconformities emerging in the process. If you have complex processes where a lot of things can go wrong, it is better to have a documented procedure that explains in detail how the process is carried out. If you have simple processes or your employees are very competent, you can define the process just with a flowchart or a quality plan.
2. Which documents exactly should be recorded or retained?
The standard has significantly decreased the amount of documents that are mandatory; basically only the scope, the quality policy and the objectives are considered mandatory documents. The focus of the new version of the standard is more on providing evidence on whether something was done in accordance with requirements than on how it was done.
4. If an organization already has a number of documented procedures but with a 2008 reference, how should it dispose of them?
You should follow your current procedure for document control and apply the rules for document disposal defined by this procedure. If you don't have such rules defined, I would suggest that you mark the documents as obsolete and keep them as part of the archive.
4. How to determine the required types of mandatory or non-mandatory documents & records based on different types of industries?
The mandatory documents will be the same regardless of the type of industry; this will depend on which requirements of the standard are applicable to your organization. For example, if you exclude design and development, you don't need to have the records required by clause 8.3, design and development.
When it comes to non-mandatory documents that will be part of your QMS, you need to make a decision on what documents should be included. Usually, for more complex activities or processes you will have more documents, simply to ensure they are carried out as planned.
As regards the duties of the Data Protection Officer (DPO), you can find a full job description in our EU GDPR consultation toolkit https://advisera.com/eugdpracademy/consultants/. Among the responsibilities of a DPO I could mention:
- providing and maintaining the necessary documentation to demonstrate compliance with the GDPR;
- monitoring compliance with the GDPR and relevant local laws and regulations;
- ensuring that training and awareness are available and delivered to all members of staff involved in the processing of personal data; etc.
Regarding what is to be expected from an external DPO, he or she should be performing the same tasks mentioned above; there should be no material differences between an internal and an external DPO. A key point to have in mind is that, regardless of whether the DPO is an employee or an external consultant, he/she must report directly to the organization’s management, must be guaranteed a degree of independence and must not be required to take instructions regarding the exercise of his/her functions.
What the external DPO would expect from you is a question that I cannot answer, since it is dependent on the mandate given to him/her.
KPI for QMS MR
Answer:
If I had to design KPIs for a Quality Management System Representative, I would start from the end: from the purpose, from the reason for its existence. What does your organization want from the QMS MR? One important outcome should be to get and maintain certification. Another can be the quality and timing of information about the QMS performance, and another can be about customer satisfaction, complaints and lost customers as a measure of customer promotion in the QMS.
The following material will provide you with information about the Management Representative:
Answer: According to ISO 27001, the main issues you should consider in the development of policies and procedures are: legal requirements (e.g., laws and contracts), results of risk assessments and top management decisions (e.g., decisions based on strategic or operational plans and objectives).
Considering your specific scenario, you should also consider a cross evaluation of the requirements related to each country involved, as well as the contracts related to cloud providers (e.g., cloud providers may have operations in additional countries that also should be evaluated).
I suggest you take a look at the free demo of our Operating Procedures for Information and Communication Technology at this link: https://advisera.com/27001academy/documentation/operating-procedures-for-information-and-communication-technology/
This document will give you an idea of what to consider to ensure the correct and secure functioning of information and communication technology.
Answer: First of all, to be sure about which policies the Governance board should approve, you need to verify the current set of roles and responsibilities defined for it (e.g., the documented top management decision that established the Governance board). In general, policies can be divided into two types:
- High level policies, which define the organization's approach to broad issues, like quality policy, information security policy and IT security policy.
- Support policies, which define the organization's approach to specific issues, normally related to a high level policy, like development policy, information classification policy and access control policy.
Normally, a Governance board is responsible for approving high level policies, delegating the approval of support policies to specific roles in the organization, such as the HR department head or the IT senior manager.
Regarding how to name the policies, the word "standard" has a general meaning that is different from the purpose of a policy, so you should avoid using it to designate a policy, so as not to cause confusion. A better approach would be to use the word "policy" to refer to high level policies approved by the Governance board and terms like "support policy", "detailed policy" or "complementary policy" to indicate policies that are related to a high level policy.
You can transfer personal data to the US if certain safeguards are in place, such as the Model Clauses or consent. In your particular case, if you display the birth dates I would suggest that you either find a legitimate interest to do that or stop showing them. Consent taken from employees is not considered valid consent under most circumstances.
BS 10012:2017
Answer:
Currently there is no GDPR certification system in place. The certification bodies are yet to emerge. I would recommend sticking with the GDPR and leaving the certifications for the moment when they are endorsed by the competent EU authorities.
Performing DPIA in companies
Answer:
Regardless of the size of the company, you must perform a DPIA if the processing activity is likely to constitute a high risk to the rights and freedoms of the data subjects. If you don’t have any processing activities that would be considered high risk, then a DPIA won't be necessary. However, be careful when assessing which processing activities are of high risk. Our EU GDPR implementation toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ has a section dedicated to DPIAs, and there you can find guidance as well as templates.
Right to object
Answer:
The right to object to marketing is an absolute right, so no controller can deny you that right. Referring to the right to object to other types of processing, any request must be assessed by the controller, and if there is no legal ground for the processing activity (for example, there is no legitimate interest), then the processing activity must cease. However, keep in mind that certain services cannot be offered to individuals without processing their data, so in this case the services will have to cease being offered.