I can understand how it can be time consuming to identify which hazards need to be addressed, but this can help to ensure that you are at the right level of the hierarchy of controls identified in clause 8 of ISO 45001. What I mean is, if you have a hazard that does not pose that big of a risk, it is not required to address this at the top of the hierarchy by elimination or engineering control. However, for hazards that pose the biggest risk, you will want to have more than just PPE control (the lowest level) to address this risk. While an FMEA type approach is not required, it is one way to come to these risk assessments.
As for convincing when the higher levels of control are needed, this should be justified by the risk assessment. If the assessment shows a high level of risk, and the assessment method is accepted (which can be a big problem), then the decision should be obvious as to why you need to use the control level identified. The biggest problem is overcoming this questioning of the method; get it agreed first and then the high risk assessment should lead to high levels of control.
You can read more on the entire process of hazards, risks and opportunities in ISO 45001 in the article: The basics of ISO 45001 hazards, risks, and opportunities, https://advisera.com/45001academy/blog/2021/02/22/the-basics-of-iso-45001-hazards-risks-and-opportunities/
This requirement ensures that the SMS policy, as well as other policies, is continually applicable to the organization, its purpose and SMS objectives, and contributes to the continual improvement of the SMS and the services.
To ensure that appropriate activities have been taken, you need to:
See the article “What should be on the SMS management review agenda according to ISO 20000?” https://advisera.com/20000academy/blog/2016/05/03/what-should-be-on-the-sms-management-review-agenda-according-to-iso-20000/ for more details.
"As SaaS provider located in Europe, the main regulation we have to comply with is GDPR.
In the table listing all requirements, does it mean that :
1) Do I have to add a specific line based on our customers' locations, or is it based on our SaaS infrastructure location(s)?
Article 3 of the GDPR applies to all organizations based in the EU, for all their processing of personal data carried out worldwide. Therefore, for all your customers based in the EU you need to add only one line related to EU GDPR.
2) Do I have to add a specific line per GDPR topic (like each specific users' right)? If this is the case, I suppose your GDPR toolkit would help me fill in this document?"
In the List of requirements you do not need to list each GDPR article (nor section), because this would make a very long list - as mentioned before, you can refer to EU GDPR in one line only. Regarding GDPR implementation, our GDPR Documentation Toolkit will provide all the steps and documentation to get compliant - see all the details here: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/
Here you can find more information about how to start implementing EU GDPR:
What is the EU GDPR and why is it applicable to the whole world? https://advisera.com/eugdpracademy/knowledgebase/what-is-the-eu-gdpr-and-why-is-it-applicable-to-the-whole-world/
9 steps for implementing GDPR https://advisera.com/articles/9-steps-for-implementing-gdpr/
A summary of 10 key GDPR requirements https://advisera.com/eugdpracademy/knowledgebase/a-summary-of-10-key-gdpr-requirements/
If you need to understand how to implement EU GDPR in your organization, you may consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/
1 - As objectives for our ISO 27001 certification, I added some details as follows:
To implement the Information Security Management System in accordance with the ISO 27001 standard by June 30, 2022 at the latest.
Achieving the ISO 27001 standard certification is a must to:
- Comply with many customers' requirements that purchase services through SaaS platforms. This is a business enabler;
- Protect our customers by minimizing the scope and potential impact of security threats:
  - Loss of data
  - Sensitive data exposure
Is it good practice to do so? Is it sufficient?
As a SaaS provider, should I add more details and/or reasons?
Answer: I’m assuming that you mean these objectives for the Project Plan, section 3.1 (Project objective).
Regarding the objectives, they are well written, because they clearly define measurable objectives (e.g., customers’ requirements, minimizing the scope, and potential impact).
Regarding sufficiency and detail level, this should be evaluated considering the target audience (e.g., customers, project team, project sponsor, etc.). If these are ok from their point of view, then the document is fine.
2 - My second question is about a new location we'll add around February next year.
Our goal is to get certified by end of June 2022.
In February, we'll probably open a new sales office in the US.
What would be the impact of opening this new site from an ISO 27001 certification standpoint?
Answer: First, it is important to note that the Information Security Management System scope can be defined as the organization as a whole or as only part of it.
Considering that, there will be no impact on the certification if you keep only the current office in the ISMS scope. In case you decide to include the new site in the scope, the impact on the certification process will depend on how similar the operations in both offices are. The more different the activities, the more impact you will have, because additional controls may be required.
These articles will provide you with a further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
Please note that a Third Party Agreement with Cybersecurity clauses compliant with ISO 27001 must be written based on the results of risk assessment and identification of applicable legal requirements, so a ready-to-use agreement is not available.
For a specific set of information security clauses commonly used in contracts and legal agreements, I suggest you take a look at the Security Clauses for Suppliers and Partners document available in your toolkit, in folder 08 Annex A Security Controls >> A.15 Supplier Relationships.
For further information, see:
You asked
is it possible to exclude the lab manager from the signature and add only the lab managers?
Yes, this may be possible. Because forms are documents (meaning they are formatted to contain information that will be filled in and become a record), all forms must be controlled as per your document control procedure. ISO 17025 does not prescribe who has to sign and how many signatures there need to be. It is the laboratory's responsibility to consider the risk and to what extent your documents need to be managed. The purpose is to ensure the forms are designed with the correct fields in order to obtain and retain meaningful, required information. Typically, a document has an author (subject knowledgeable or expert), a reviewer (subject knowledgeable or expert), and an approver (authorizer). The reviewer and approver (authorizer) may even be the same person.
For more information on document control, see the ISO 17025 toolkit document template: Document and Record Control Procedure at https://advisera.com/17025academy/documentation/document-and-record-control-procedure.
If you are referring to the need for auditors to be certified, then no, there is no specified need to be certified. Internal Auditors need to be competent to perform internal audits for their facility, meaning they have the depth of knowledge and understanding of the purpose of ISO 17025, and have auditing know-how and soft skills on approaching lab personnel.
If you are asking if you need both lead and other auditors, then again, this is not a mandatory requirement. In a large laboratory there may be teams of internal auditors, and then it makes sense to have a lead of the audit team. This person typically plans the audit with the Quality Manager as per the programme (schedule) and ensures that the team has suitable resources (such as the correct checklists and audit scope). It does not necessarily mean that they perform the management audit components as performed by a lead assessor of an accreditation body. Arrangements all depend on the size of your laboratory and the competency of available personnel to perform internal audits. In a large laboratory, having lead auditors to do the management (non-technical) audits is a practical arrangement for efficiency.
The following will provide more information on Internal Audits:
How to perform an internal audit using ISO 19011 at https://info.advisera.com/free-download/how-to-perform-an-internal-audit-using-iso-19011
ISO 17025 document template: Internal Audit Procedure at https://advisera.com/17025academy/documentation/internal-audit-procedure/
The Five Internal Audit Procedure appendices Internal Audit Program, Internal Audit Checklist, Audit Nonconformity Report, Internal Audit Process Checklist and Internal Audit Report are available separately from the procedure link above; or included in the toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/
Clause-by-clause explanation of ISO 17025:2017 at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/
Book - ISO internal audit: A plain English guide at https://advisera.com/books/iso-internal-audit-plain-english-guide/
"Do we have to proactively apply for GDPR compliance by proving that we are compliant, or should we make our product compliant without showing it to any authority?
In short, is it enough if I follow the guidelines and make the changes, or will I have to apply/show it to some authority?"
You must follow guidelines and regulatory requirements and implement changes to your product/organization without showing them to any Authority. However, Article 24 GDPR requires the data controller to be able to demonstrate compliance in case of controls by the Supervisory Authority (the so-called principle of accountability).
Here you can find some information about how to implement EU GDPR:
9 steps for implementing GDPR https://advisera.com/articles/9-steps-for-implementing-gdpr/
A summary of 10 key GDPR requirements https://advisera.com/eugdpracademy/knowledgebase/a-summary-of-10-key-gdpr-requirements/
If you need to understand how to implement EU GDPR in your organization, you may consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/
Great move! Video is a powerful tool as instruction, as a procedure.
According to my experience, be sure to: