
  • How to set safety objectives

    Setting OH&S objectives in ISO 45001 has not changed much from the OHSAS 18001 OH&S objectives. The objectives are still meant to be objectives for improvement in the system, and are intended to have a target for improvement and a timeline. So, an OH&S objective to “reduce near miss incidents from 10 per month to 5 per month in the next 12 months” is the type of objective that the standard is looking for.

    What is new to ISO 45001 is the requirement to actually have a plan in place for each objective that says who needs to do what, by what time, with what resources, and what method to use to tell the steps are adequate. This change is to try to solve the fact that many companies had OH&S objectives with the previous system, but had never made a plan to achieve them so they were never met.

    You can read more on OH&S objectives in the article: How to define ISO 45001 objectives and plans, https://advisera.com/45001academy/blog/2018/12/04/how-to-define-iso-45001-objectives-and-plans/

  • About the IT security Policy and some documents mentioned as "implementation method" in the SOA

    ISO 27001 does not specify roles to handle spam, so organizations can define what better fits them, from creating a new role to designating an already existent role for the task. A common approach is blocking the origin of email identified as spam from reaching the organization, and in this case, some role from the IT staff that can authorize such procedure can be defined as the person responsible (e.g., IT head, system admin, etc.).

  • Content of ISO 27001 & EU GDPR Toolkit

    I’m assuming the information you provided is from the List of documents file from the ISO 27001 toolkit (ISO 27000 is not a certifiable standard).

    Considering that, the Incident Management Procedure document is mandatory only if control A.16.1.5 Response to information security incidents is deemed applicable.

    Considering the ISO 27001 & EU GDPR Toolkit, the document you should look for is the Data Breach Response and Notification Procedure, which covers the same requirements of the Incident Management Procedure, and also GDPR Articles 4(12), 33, 34. This is document 14.A.16, item 85, in the List of documents file from ISO 27001 & EU GDPR Toolkit.

  • Clean room criteria for ISO 13485

    Thank you for the question. There are a lot of things that need to be taken into consideration when wanting to get an ISO 13485:2016 certificate. For the documentation, you can use our Documentation toolkit, which has all necessary and required documentation from the standard. Prices and what is contained in the toolkit are at the following link: https://advisera.com/13485academy/iso-13485-documentation-toolkit/

    More information on ISO 13485 you can find at the following links:

    • How to get ISO 13485 certified? https://advisera.com/13485academy/iso-13485-certification/
    • Checklist of ISO 13485 implementation steps https://advisera.com/13485academy/knowledgebase/checklist-of-iso-13485-implementation-and-certification-steps/
    • Six key benefits of ISO 13485 implementation https://advisera.com/13485academy/knowledgebase/six-key-benefits-of-iso-13485-implementation/

  • Question about notified body

    If you want to have a proper certificate that will be recognized worldwide, it has to be a certification body.

    For more information on this topic, please see the following article:

    • How to choose an ISO certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
  • CONTROLS A.18.2.1 AND A.18.2.2

    For control 18.2.1 Independent review of information security, please note that this control is usually done in the form of an internal audit or certification audit.

    In very small companies like yours, the common approach for the internal auditor is hiring an external party for the task, because the organization wouldn’t have enough work to justify contracting a full-time auditor, and a part-time internal auditor would have difficulty keeping his independence over all organization processes for performing his task.

    About certification audits, they are conducted by accredited organizations (the certification bodies) to evidence that an organization is compliant with all requirements of the ISO 27001 standard.

    For further information, see:

    Regarding control 18.2.2 Compliance with security policies and standards, it does not require independence of the reviewed area. In fact, it is quite the opposite (the management is the focus of this control - they have to do the review). So, your current implementation for critical analysis is acceptable to fulfill the control.

    This article will provide you a further explanation about management review:

  • What sections of ISO 13485 cover computer systems?

    If you think of computer systems that you use, for example, for production, for calibration, for service, for warehouse management and similar processes, then managing computer services is under requirement 4.1.6, which is about the validation of software used in the quality management system. Such validation must be done prior to initial use, and then after each update. However, which actions will be taken, how often, and which parts of the software will be validated depends on the risks that the software has on the quality management system and on the quality of the product.

    There must be a procedure for software validation together with records that prove that validation has been conducted.
  • EU GDPR questions

    1. If a company based in a non-European country wants to transfer European data to a non-European country, what are the GDPR requirements?

    You need to follow the instructions of Chapter V GDPR, which requires verifying if the country of destination benefits from an adequacy decision. If so, you can proceed with the transfer. Otherwise, you should verify if you can implement appropriate safeguards like Standard Contractual Clauses or Binding Corporate Rules, or fall under one of the exceptions under Article 49 GDPR.

    2. Does a company need to create binding corporate rules if it has only one branch?

    Binding Corporate Rules (BCR) are long and complicated mechanisms that need to be approved by Authorities. Usually, large groups of companies have BCR; most organizations rely on Standard Contractual Clauses (SCC).

    3. Are there any available binding corporate rules approved by authorities to be followed?

    Yes, you can find on the internet some approved BCR, but they are customized to the data processing of the company, their assets, and the safeguards implemented. There is no standard BCR to customize.

    4. Who should create the data transfer impact assessment, the controller or the processor?

    The data controller is liable for the transfer impact assessment; however, if the export of data is from a data processor to a data sub-processor, the data processor may assess the impact of the transfer in order to certify its own compliance with the data controller.

    5. Is there any available Transfer impact assessment template for processors?

    No, currently we have the template for the Cross Border Personal Data Transfer Procedure, which can be tailored to transfers as controller or processor.

    For more information, see:

    6. Where can I find the updated version of the controller-processor SCCs?

    You can find it on the website of the EU Commission: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj

    Here you can find more information about data transfer:

    If you want to learn how to implement GDPR compliance in your organization, you may consider enrolling in our EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/
  • Toolkit content

    The toolkit is suitable for any (small to medium) testing or calibration laboratory. It does not specifically deal with any sector or document requirements to meet standards such as ISO 8655. The technical know-how is the laboratory’s responsibility, as calibration laboratories have additional specific measurement programme requirements to meet, as in your case, for volume.

    Advisera’s ISO 17025 toolkit guides you through the implementation of ISO 17025. The ISO 17025 document template Evaluation of Measurement Uncertainty Procedure and the related Measurement Uncertainty Checklist and Measurement Uncertainty Record are available as part of the ISO 17025 toolkit to assist you. Especially for calibration laboratories, additional expertise in evaluating measurement uncertainty for your test will be necessary. You will need to produce an uncertainty budget for each volume you are accredited for. For that, I suggest you reach out to the Accreditation body and find out what guidelines and technical requirements they have for your programme.

    See the Q&A and links provided at https://community.advisera.com/topic/calculating-uncertainty/ for a similar topic.
