Search results

Register of Requirements and scope

To identify in the register of requirements module which requirements would be applicable to the cloud service host, in the field “To what area is this requirement related?” you need to select the option “Managing security with suppliers and partners”. Additionally, you can write this information in the description field, together with the description of the requirement.

This way, it would be clear that the requirement is applicable to the cloud host.

Please note that when you define that something is in the scope, you can only “let it for later” if you accept all risks related to that element in the scope.

Controls in the SoA that so not show up in the Risk Assessment

You can consider a control applicable in the SoA even if it is not related to the results of risk assessment and treatment if:

• it is required because a legal requirement (e.g., law, regulation, or contract) demands its implementation
• it is required by top management as a good practice

NPI project for IATF

In the new product introduction process (NPI), you should comply with the requirements of clause 8.3 of the IATF 16949:2016 standard. All requests on this subject are specified in sub-items 8.3 and 8.3.

I have listed a few conditions that should be followed on this subject below, but I recommend that you review these relevant articles in detail.

• If you are designing products, design FMEA
• Process FMEA
• Control Plan
• Project Plan
• Feasibility analysis
• Design validity test plan and tests
• Prototype control plan
• Product and process validation records
• MSA and SPC studies
• All PPAP requests
• Customer-specific requirements about it, etc.

• Handling termination and change of employment

  The handling of termination and change of employment can be found in the Statement of Applicability Module, in the Implementation method for control A.6.5 (in case this control is marked as applicable).

  The implementation method in the SoA describes how the company will handle termination and change of employment (a text is suggested, but you can edit it according to you needs).

  In general, conditions that remain valid after the termination or change of employment are defined in the agreements with suppliers and partners, and in the confidentiality statements signed with employees. The clauses for this purpose can be found in the template Security Clauses for Suppliers and Partners. You can find this template in Conformio by clicking the link Documents in the left panel, then clickling in "Templates for Manual Editing".

  For further information, see:

  • What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/

  • Risk/ Supplier - what happens if a supplier ceases trading.

    Yes, you are right. If the manufacturer goes bankrupt and you do not have support for the product, you have to see the risk that something with the medical device went wrong, how can you answer to your client. This means that if you have some simple product that you do not have so far complaints, maybe you can sell this kind of medical device until the certificate expires. However, if your medical device is complex, needs service or installation, or has some complaints where you have to ask for a spare device from the manufacturer, it will be very hard for you to sell that product further on.  

  • ISO 14001 How to define environmental aspects

    “Finding: the normal, abnormal, and foreseeable emergency situations related to the aspect defined within the Environmental Aspect and risk register has not been defined.”

    When implementing an Environmental Management System, we must determine the environmental aspects associated with activities, products, and services, taking into account, to the extent reasonable, the life cycle perspective..

    Environmental aspects should be determined considering situations of normal operation, abnormal operation, and emergencies.

    I will consider a brick manufacturer for construction as an example.

    Examples of Normal Environmental Aspects:

  • Raw Material Consumption: The extraction and use of raw materials such as clay, sand, and water in brick production can impact local ecosystems and deplete natural resources.
  • Energy Consumption: The energy used for firing and drying bricks can contribute to greenhouse gas emissions and air pollution.
  • Air Emissions: Dust, particulate matter, and gases released during the firing process can affect air quality in the vicinity of the manufacturing facility.
  • Water Consumption and Discharge: The consumption of water in brick production and the discharge of wastewater can impact local water resources and aquatic ecosystems.
  • Waste Generation: The production process generates waste materials such as broken or defective bricks, which need proper management to minimize environmental impact. 

  Examples of Abnormal Environmental Aspects:

  • Equipment Malfunctions: Malfunctions of machinery or kilns could lead to increased emissions, energy waste, and potential safety hazards.
  • Spillage or Leakage: Accidental spillage of raw materials, such as clay or chemicals, can contaminate soil and water sources
  • Workplace Incidents: Accidental releases of dust, particulates, or other pollutants due to equipment failures or human errors could occur.
  • Noise Generation: Increased noise levels due to malfunctioning equipment can impact the surrounding community and wildlife. 

  Examples of Emergency Environmental Aspects:

  • Fires: Fires in kilns, storage areas, or other parts of the facility could lead to air emissions, release of hazardous substances, and potential danger to employees and nearby communities.
  • Chemical Spills: Accidental spills of chemicals or fuels used in the manufacturing process can lead to soil and water contamination.
  • Power Outages: Power outages could disrupt operations and result in issues such as incomplete brick firing or increased emissions upon restarting.
  • Natural Disasters: Natural events like earthquakes, floods, or hurricanes could damage facilities, disrupt operations, and lead to potential environmental contamination.
  • Structural Failures: Failures in storage structures, kilns, or other equipment could result in spills, emissions, and other environmental impacts.

  It's important for the manufacturer to identify and assess these environmental aspects and develop appropriate measures to mitigate potential negative impacts. This includes implementing pollution prevention strategies, disaster preparedness plans, and emergency response procedures to ensure the protection of the environment and the safety of employees and the surrounding community.

  You can find more information on the following links:

  • Catalogue of environmental aspects - https://advisera.com/14001academy/knowledgebase/catalogue-of-environmental-aspects/
  • Environmental aspect identification and classification - https://advisera.com/14001academy/knowledgebase/environmental-aspect-identification-and-classification/
  • How does product life cycle influence environmental aspects according to ISO 14001:2015? - https://advisera.com/14001academy/blog/2016/03/21/how-does-product-life-cycle-influence-environmental-aspects-according-to-iso-140012015/

  • Calibration and Testing

    ISO 17025 is applicable to all testing and calibration laboratories.

    For flow meter calibration, this will include specifying the specific type of fluids and range in the scope – e.g. Water, Air, Liquid Carbon Dioxide (CO2).
    For storage tank calibration, you would include the service and type of tanks that are being measured (volume or dimensions), plus calibration technique and procedure must be specified – e.g. volume and density of Industrial volumetric equipment and bulk storage tanks using Scanning length measurement.

    Depending on the country and industrial sector, there may be additional requirements. For example, the American Petroleum Institute. 

    For more information on ISO 17025 refer to  Advisera ISO 17025 – Where to Start? at https://advisera.com/iso-17025/

  • Process map according to ISO standard

    There is no generic model based on the process approach that is valid for all companies. The best models are those designed specifically for each company and using language that people in the company understand. I recommend watching the free on-demand webinar called The Process Approach - What It Is, Why It Is Important, and How to Do It - where I try to explain how to design a model.

    Another possibility is to participate in this Live Virtual Training.

  • Risk assessment Guidance

    1 - is there a tool to help with risk assessment coverage from ISO 27k to 9k/20k?

    Need to update Risk assessment and wanted to know if there is set Guidance and or tool to assist

    Please note that risk assessment for each standard has different purposes and different assessment criteria, so it is not common to find a single tool to cover these at the same time.

    2 - is there set policy or regulations for doing a risk assessment to include these additional ISO's?

    On these links, you will find demos for risk assessment documents for each standard, so you can evaluate if they can help you:

    • ISO 9001:2015 Risk Management Toolkit https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
    • Risk Management Policy (ISO 20000) https://advisera.com/20000academy/documentation/risk-management-policy/
    • ISO 27001/ISO 22301 Risk Assessment Toolkit https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/