Search results

Nature of impact

While implementing an environmental management system an organization determine its environmental aspects:

Environmental aspects are the ways an organization interacts with the environment.

For example, consider from the example above the environmental aspect related with wastewater discharge.

Organization A discharges wastewater in a river, after treatment in a wastewater treatment facility, and the wastewater quality is according to legislation and permit.

Organization B discharges wastewater in a river, without treatment in a wastewater treatment facility, and the wastewater quality is not according to legislation and permit.

Same environmental aspect, different consequences for the environment. An environmental impact considers the consequences of a particular aspect for the environment.

You can find more information below:

• How does product life cycle influence environmental aspects according to ISO 14001:2015? - https://advisera.com/14001academy/blog/2016/03/21/how-does-product-life-cycle-influence-environmental-aspects-according-to-iso-140012015/
• Enroll for free in this course – ISO 14001:2015 Lead Auditor Course - https://advisera.com/training/iso-14001-lead-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

Security of information that pertains to computers only

ISO 27001 aims to protect information wherever it is, and in any format, so it covers all media where information can be.

These articles will provide you a further explanation about ISO 27001:

• What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
• Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/
• Why is ISO 27001 applicable also for paper-based information? https://advisera.com/27001academy/blog/2019/01/21/why-is-iso-27001-applicable-also-for-paper-based-information/

These materials will also help you regarding ISO 27001:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Control mapping document

Even though ISO 22301 lists no controls, upon results of the BIA and business continuity risk assessment, practically all controls described in ISO 27001 Annex A may be applicable to ISO 22301 business continuity plans (the exact mapping will depend upon results of the BIA and business continuity risk assessment).

ISO 27001 Annex A has a specific section to ensure the continuity of information security management during adverse situations, as well as the availability of information systems (controls from section A.17).

For more details on this subject, please take a look at these articles:

• Overview of ISO 27001:2013 Annex A https://advisera.com/27001academy/iso-27001-controls/
• How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
• How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/

These materials will also help you regarding ISO 27001 and ISO 22301:

• ISO 27001 vs. ISO 22301 matrix Download a free matrix (PDF) https://info.advisera.com/27001academy/free-download/iso-27001-vs-iso-22301-matrix
• Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Should we go for ISO 17025 compliance?

If you are referring to pharmaceutical product testing, or equipment calibration, then ISO 17025 is applicable. There are two important considerations. Firstly the regulatory authority in the country / region may have supplementary, mandatory requirements in addition to ISO 17025. Secondly, the companies in the retail sector have been expanding their services, so it will depend on what services you plan to offer them.

Besides usual main-stream medicines (e.g. scheduled drugs) and complementary health products (e.g. vitamin supplements); many retail pharmaceutical stores have clinics that administer vaccines. There is a need for calibration testing for vaccine storage as well as temperature monitoring equipment by ISO 17025 accredited calibration laboratories.  If you are referring to onsite diagnostic testing point-of-care testing (POCT), where rapid tests are used (ranging in complexity form dipsticks to more complex benchtop analyzers), accreditation to ISO 22870:2016 Point-of-care testing (POCT) - Requirements for quality and competence will be required. The associated standard that is used in conjunction with ISO 22870 is ISO 15189:2012 for Medical laboratories. There are many harmonized (aligned) requirements between these standards and ISO 17025.

I suggest you contact your national accreditation body for more information. For example, in the UK, see https://www.ukas.com/accreditation/standards/poct/. Note that typically, there are additional regulatory requirements for SARS-CoV-2 Point-of-Care and Rapid Testing.

ISO 22301/20000/27001 integration

ISO 27001, ISO 22301, and ISO 20000 have the same general structure, and this makes integrating them a lot easier. In the integration process you should consider two phases:

1 – Integration of the common parts of ISO management systems, e.g., control of documents, internal audit, management review, etc. These have basically all the same requirements, requiring only minor adjustments to refer to all systems covered.

2 – Implementation of elements that cannot be integrated (basically clauses 6 and 8 of each standard). Regarding ISO 27001, this means including in the organizational process the activities related to information security risk assessment and treatment processes, for ISO 22301 this means including in the organizational process the activities related to business continuity, and for ISO 20000 this means including in the organizational process the activities related to IT services management.

These articles will provide you a further explanation about integrating ISO management systems:
- How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/
- ISO 27001 vs. ITIL: Similarities and differences https://advisera.com/27001academy/blog/2016/03/07/iso-27001-vs-itil-similarities-and-differences/
- What to implement first: ISO 22301 or ISO 27001? https://advisera.com/27001academy/blog/2017/04/03/what-to-implement-first-iso-22301-or-iso-27001/

These materials will also help you regarding integrating ISO management systems:
- How to integrate ISO 27001 and IS O 20000 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-integrate-iso-27001-and-iso-20000-free-webinar-on-demand/
- ISO 27001 & ISO 22301: Why is it better to implement them together? [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/

ISO 27001 and NIST 800

First, let's understand both NIST and ISO 27001:
- NIST SP-800 series of documents provide detailed information about processes to select and implement controls for computer security
- ISO 27001 provides general requirements for the implementation, operation, control, and improvement of a management system to protect the information, regardless of the environment where it is (e.g., physical reports or digital databases). ISO 27001 provides protection through the selection of security controls described in Annex A, as well other controls that can be added by the organization.  

Considering that, you can use the ISO 27001 to implement the overall approach to protect the information, and after the identification of controls, you can use the NIST documents to implement the details for each control. For example, you can use information from SP 800-53 control for contingency plan testing to implement the Disaster Recovery Plan template.

These articles will provide you a further explanation about ISO 27001 and NIST:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- How to use NIST SP 800-53 for the implementation of ISO 27001 controls https://advisera.com/27001academy/blog/2016/05/10/how-to-use-nist-sp-800-53-for-the-implementation-of-iso-27001-controls/

Budgeting the EU MDR implementation

Let me see if I understand your question properly. You are asking what is the budget for the implementation of the ISO 13485 and Medical device regulation 2017/745 in your department. Considering the ISO 134b5, we can only state the approximate costs of the documentation toolkit. We do not know the prices of the notified bodies, especially now when the prices with MDR are much higher.

So, on the following link you can see what Documentation toolkit packages we are offering and what each package contains (how much time with the consultant in 1 & 1 meeting, how many e-mails, and how many documents we can review):

• ISO 13485:2016 documentation toolkit https://advisera.com/13485academy/iso-13485-documentation-toolkit/
• ISO 13485:2016 & MDR Integrated Documentation toolkit - https://advisera.com/13485academy/iso-13485-eu-mdr-documentation-toolkit/

At the end of each page, under the title NEED MORE SUPPORT? you will see the packages.

Risk Management and ISMS

1. What is the best way to do risk management?

Regardless of the methodology used (ISO 27001 does not prescribe a methodology to be used, only requirements to be fulfilled, so organizations are free to use the approach that better suits their needs), the best way to do risk management is by involving the people which works directly with the processes and information to be protected, because they are the best source of information to help identify and analyze the risks, and also during daily operations they can provide a faster response in case of new risks arise or incidents occur.

This article will provide you a further explanation about risk management:

• ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

These materials will also help you regarding risk management:

• The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
• Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

2. How do I raise awareness for information security?

Common approaches for information security awareness are training sessions, the use of newsletters, the use of video tutorials, and meetings between management and staff, which should be performed on a regular basis.

Regarding content, please note that you will have different publics with different interests:

• top management needs to make decisions over issues that many times are not so clear for them, and they do not need deep knowledge about technicalities of security issues (they will be more concerned about how it impacts the business). In these cases, your awareness should be focused on the decisions they need to make.
• technical personnel with operational responsibilities for security needs deep knowledge over technologies, methodologies, and processes, so your awareness should be focused on the procedures and rules they need to follow
• overall personnel needs a basic understanding of security, to properly identify, report, and react to risky situations. In these cases, your awareness should be focused on examples and how to proceed according to the policies and procedures

These articles will provide you a further explanation about awareness:

• What are the benefits of security awareness training for organizations? https://advisera.com/27001academy/blog/2019/03/27/what-are-the-benefits-of-security-awareness-training-for-organizations/
• How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
• 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/

These materials will also help you regarding awareness:

• Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.

3. How to setup an ISMS which is used with excitement? How do I get colleagues all across the organisation to not only understand the necessity, but also the advantages of an ISMS for their daily work?

The most effective ways to set up an ISMS to get the engagement of people are:

• aligning the ISMS objectives to the objectives people have to achieve in their daily business, so they can perceive the new standard can benefit them, help them achieve their business results
• taking employees opinion into account on ISMS related decisions
• being transparent with employees about what the ISMS are going to do and why
• using the ISMS to help them to resolve conflicts of interest with other areas, searching for mutually beneficial solutions

For further information, see:

• Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
• 4 crucial techniques for convincing your top management about ISO 27001 implementation https://advisera.com/27001academy/blog/2016/09/12/4-crucial-techniques-for-convincing-your-top-management-about-iso27001-implementation/

Contingent Worker Definition

I’m assuming that by “contingent workers” you mean outsourced or non-permanent personnel who are hired on a per-project basis (e.g., freelancers, independent contractors, consultants, etc.).

Considering that, and ISO 27000, which defines the vocabulary for information security management systems compliant to ISO 27001, you can use the concept of “outsourced organization”.

For ISO 27000:

• outsource refers to a situation where an external organization performs part of the organization's duties
• organization refers to a person or group of persons with defined responsibilities, authorities, and relations

Please also note that you can also use other terms like contractors, external parties, because they are present in ISO management standards, although there is no formal definition for these terms in ISO glossaries.

Job description according IATF requirement

As you know, job descriptions should be related to the job for which it is responsible. The main issues to be added according to the qualification of the personnel doing the job and the category of the employee are given below.

• The power to stop production should be defined for the employee at each shift.
• When unsuitable products appear or production becomes unstable; actions to be taken; production, quality, etc. should be defined for employees.
• Customer specific-requirements and customer special characteristics tracking should be defined for the relevant employees

As a note; In addition, IATF 16949: 2016, customer-specific requirements and customer special characteristics training should be given to employees.