Search results

  • ISO 27001 package question regarding risk assessment

    If you already have implemented controls you need to take them into account when analyzing the risks, so your understanding is correct. In the Risk Assessment Table, in the last column, you can describe which controls are already implemented.

    For further information, see:

    This material will also help you regarding risk assessment:

  • PESTEL analysis in ISO 14001

    Organizations are not closed systems. External issues are relevant topics that can influence the future of an organization. For example, governments can issue legislation that will affect the activity of an organization. Social trends can influence consumers' or clients' priorities. You can use the PESTEL analysis to help in systematically determining external issues. After the PESTEL analysis, I recommend collecting positive external issues as opportunities and negative external issues as threats and organizing the information in a SWOT matrix that allows us to determine potential risks and opportunities. Please check these two free webinars where I demonstrate the use of the technique (they are about ISO 9001, but applicable also to ISO 14001):

    The following material will provide you with more information:

  • Conciliation between ISO 13485 and EU MDR

    I want to understand all the requirements of EU MDR and their conciliation with ISO 13485 and FDA 21 CFR
  • Cloud services auditability

    Thanks for this… quite timely too, as I am in the middle of undertaking research for a professional doctorate degree in information security. My research is around the auditability (or lack thereof) of cloud service providers by cloud customers. As a 3rd-party assurance consultant, we are getting more and more resistance from suppliers/partners of cloud services to audit them. My research aims to review existing cloud audit frameworks and draw out any gaps, and propose a new framework that allows CSP auditability. The proposal is to develop an audit authority that can perform audits of cloud service providers using the proposed framework. The audit reports can then be made available to businesses so they do not have to audit the CSPs themselves. I have contacted the CSA for their input and am hoping to get their feedback soon. 1 - Would you happen to have a mapping of cloud audit frameworks that highlights common controls and differences? 2 - Also, what is your opinion on the Cloud Audit Authority proposal?
  • QMS implementation

    No, any mandatory documents and records from a clause not applicable to an organization are not relevant to that organization’s quality management system. For example, if clause 8.3 is not applicable, no records from that clause are required.

    Please check the following information:

  • Does Zoom need to be considered as a processor

    Whenever a call on Zoom is initiated, Zoom Video Communications, Inc. processes personal data. MP4 files of all video, audio, whiteboard, captions and presentations, audio transcript files, attendee information (screen name, join/leave time), etc., are all personal data according to the definition of personal data that can be found in Article 4 (1) GDPR: “any information relating to an identified or identifiable natural person”. Zoom Video Communications, Inc. processes personal data on behalf of its customers and acts as a Data Processor according to the definition from Article 4 (8). Since Zoom Video Communications, Inc. is a US-based company, the new EU Standard Contractual Clauses should be signed. Zoom Video Communications, Inc. offers a Data Processing Agreement which also includes the EU Standard Contractual Clauses requirements, at https://explore.zoom.us/docs/doc/Zoom_GLOBAL_DPA.pdf

    You can find more details at these links:

  • Risk assessment vs. SoA

    Please note that the risk assessment, risk treatment, and elaboration of the Statement of Applicability have very different steps, so you do not repeat the same activities. And you cannot go directly to the controls because the standard requires all defined steps for risk assessment and risk treatment to be performed.

    In risk assessment you identify, analyze, and evaluate risks. As output you have a prioritized list of risks, and which ones require treatment or not.

    In risk treatment you define treatment options and applicable controls, elaborate the SoA and the risk treatment plan, approve the risk treatment plan, and accept the residual risks.

    Statement of Applicability is different from risk treatment because there you need to take into account (besides the results of the risk assessment) also legal and regulatory requirements, as well as management decisions. On top of this, SoA keeps track of the implementation method and implementation status - these are not mentioned in the risk treatment.

    In Conformio, the Statement of Applicability is created automatically based on the results of the Risk Register module. You only need to add some items if needed, like justifications based on legal and contractual requirements, or management decisions, or specific information about implementation methods.

    For further information, see:
    - How to automate the creation of the Statement of Applicability https://advisera.com/conformio/blog/2021/01/20/how-to-automate-the-creation-of-statement-of-applicability/

  • How to set safety objectives

    Setting OH&S objectives in ISO 45001 has not changed much from the OHSAS 18001 OH&S objectives. The objectives are still meant to be objectives for improvement in the system, and are intended to have a target for improvement and a timeline. So, an OH&S objective to “reduce near miss incidents from 10 per month to 5 per month in the next 12 months” is the type of objective that the standard is looking for.

    What is new to ISO 45001 is the requirement to actually have a plan in place for each objective that says who needs to do what, by what time, with what resources, and what method to use to tell the steps are adequate. This change is to try to solve the fact that many companies had OH&S objectives with the previous system, but had never made a plan to achieve them so they were never met.

    You can read more on OH&S objectives in the article: How to define ISO 45001 objectives and plans, https://advisera.com/45001academy/blog/2018/12/04/how-to-define-iso-45001-objectives-and-plans/

  • About the IT security Policy and some documents mentioned as "implementation method" in the SOA

    ISO 27001 does not specify roles to handle spam, so organizations can define what better fits them, from creating a new role to designating an already existing role for the task. A common approach is blocking the origin of email identified as spam from reaching the organization, and in this case, some role from the IT staff that can authorize such a procedure can be defined as the person responsible (e.g., IT head, system admin, etc.).