Search results

ISO 9001 and ISO 14001 integration

It is not easy to answer theoretically without knowing the real situation. I would start to determine positive and negative issues from each system to frame what we want to keep, and what we want to avoid in the future integrated system.

Then, I would start integrating those clauses very similar in both standards like 9.3, 9.2, 7.5, 7.4, 7.3, 7.2, 5.2, …

In operations I would use the process approach from ISO 9001 and would try to include as much as possible the environmental operational procedures, instructions and records embedded in the daily life of the operation. Consider the central flow in this picture:

Organizations exist to serve clients. So, I recommend starting with modeling how the organizations serve clients based on the process approach and ISO 9001. Then, I consider other interested parties. Based on ISO 14001 and interested parties requirements I recommend organizations to determine environmental aspects and impacts, compliance obligations and risks.

From here, it is possible to determine what needs to be done to improve the interaction with the environment while serving clients. And what needs to be done can be translated to things like:

• Add work instructions specifically about environmental practices
• Update work instructions from quality with tips and requirements to be followed because of improvement needs relevant to the environment
• Make changes in layouts and visual management in order to help people comply with environmental requirements while doing their work
• Develop action plans to meet quality and environmental objectives

You can find more information below:

• How to integrate ISO 14001 and ISO 9001 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/how-to-integrate-iso-14001-and-iso-9001/
• ISO 14001:2015 integration with ISO 9001:2015 – What has changed? - https://advisera.com/14001academy/blog/2016/02/15/iso-140012015-integration-with-iso-90012015-what-has-changed/
• Free webinar - How to integrate ISO 9001:2015 and ISO 14001:2015 - https://advisera.com/14001academy/webinar/how-to-integrate-iso-90012015-and-iso-140012015-free-webinar-on-demand/
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
   

Key to manageable EMS documentation

I like to keep the documentation as much as possible in a digital format. That helps to keep documents and records updated, and easily available for those that need them. I consider it crucial to invest in explaining to users the why for the documentation, and how and when to use it.

You can find more information below:

• Seven elements to control documents in the EMS - https://advisera.com/14001academy/blog/2014/12/10/seven-elements-control-documents-ems/
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

Relationship between clauses 4 and 6.1

many thanks for your support

Best Regards

Ramin

27001 ISMS Scope Question

Question 1 Scope - Processes and Services

We are an IT company that has 2 cloud-based applications which we own, build and license to our customers. We are responsible for the data in these two systems and they are the reason we are undertaking the 27001 certification. So these two applications are obviously included in the Processes and Services part of our scope.

We also use multiple other cloud based services that contain our customer data including ***, ***, ***, ***, etc.

Am I right in saying that these third party systems can be excluded from our scope because it is the responsibility of the third parties (like ***) to secure the data we store in these systems?

Therefore, is it valid to say that the full extent of our Processes and Services scope should be our 2 applications?

Answer: First is important to note that an ISMS scope compliant with ISO 27001 cannot be defined in terms of systems and technologies. It must be defined in terms of information, processes, or locations to be protected.

Since you want to focus on the applications, you should consider for the scope the development, operation and maintenance processes related to these applications.

Considering that, you can include in the scope only the elements you control.

About third parties, you can exclude third party systems from your scope (e.g., when using cloud servers, you exclude the physical server of the cloud provider). 

These materials will help you regarding scope definition:
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/ 
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Question 2 - IT Networks and Infrastructure

Our applications live in an ***. I've read your article on defining the scope with cloud servers. I think we're number 4 in that list. That is: The organization uses a third-party platform (public PaaS). 

2.1 - So in scope would be our two applications and the data within them but all Networks and Infrastructure are out of scope?

Answer: Your assumption is correct (Networks and Infrastructure are out of scope), but please note that the scope definition must be made in terms of the data or processes to be protected, so statement about your scope should be something like:

“The scope are the development, operation and maintenance processes of applications XXX in our PaaS environment”.

“The scope is the data stored and processed by applications XXXX in our PaaS environment”.

2.2. - Have I overlooked something here? Is it valid to limit the scope to the applications we own/build/license to our customers?

Answer: First is important to note that you cannot define the ISMS scope in terms of applications. In this case, you need to define the scope in terms of the process to maintain and operate the applications.

Considering that, you can limit the ISMS scope to only part of your organization, but you need to verify first if the effort to implement this separation is worthy (for small organizations up to 50 employees, defining the ISMS scope as the whole organization is more practical).

This article will provide you a further explanation about scope definition:
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

2. 3 - Thanks for your help. Please also confirm which email address we should address our questions to.

Answer: In the future, if you want to contact us you can use this e-mail: support@advisera.com

ISO 9001 monitoring and measurement equipment

Clause 7.1.5 of ISO 9001:2015 is about:

• Determining the required monitoring and measurement equipment
• Providing the required monitoring and measurement equipment
• Keeping records that evidence that the monitoring and measurement equipment is adequate
• Calibrate or verify the monitoring and measurement equipment
• Validate the calibration or verification results
• Identify the calibration or verification state of the monitoring and measurement equipment 

Unfortunately, I have no experience with mask manufacturing.

You can find more information below:

• Monitoring and Measurement Equipment Control - https://advisera.com/9001academy/blog/2014/05/06/monitoring-measurement-equipment-control/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

GDPR Applicability in Canada

Yes, the GDPR applies if your company offers goods or services in the EEA or processes personal data of EU individuals, even if it is located outside the EEA. Being in Canada, your organization can enjoy the adequacy decision of the EU Commission that simplifies the transfer between EEA and Canada.

Here you can find more information about the extraterritorial effect of GDPR

• What is the EU GDPR and why is it applicable to the whole world? https://advisera.com/eugdpracademy/knowledgebase/what-is-the-eu-gdpr-and-why-is-it-applicable-to-the-whole-world/
• Is the GDPR applicable to our company? https://advisera.com/eugdpracademy/knowledgebase/who-needs-to-be-gdpr-compliant-an-easy-explanation/

If you want to learn how personal data are processed under the EU GDPR you may consider enrolling in our free training EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course//

ISO 9001 KPIs

First, let us answer considering each process in isolation.

It is possible to consider 3 types of indicators:

• Effectiveness indicators;
• Efficiency indicators;
• Quantity indicators. 

For me, the most important is the effectiveness indicators, they measure if the purpose of the process is being met.

For example, for a company that has a strategic direction around innovation and has a process called “Develop new products” one can ask:

• What is the purpose of such a process?
• Quickly develop new products that are market hits.

Effectiveness indicators will measure “Quickly” and “hits”. For example:

• Average time to market
• Revenue from new products
• Average price of new products

Efficiency indicators are the classic QCD indicators:

• Quality
• Cost
• Delivery

For example, for a company that installs wireless networks for telecom companies, with a process called “Install network”, efficiency indicators can be:

• Number of daily nonconformities raised by the customer
• Actual network installation costs versus budgeted costs
• On-time delivery rate 

Quantity indicators give information about the need to manage resources accordingly. For example, a number of incoming calls at a call center is a way of evaluating the need to contract more people to handle more calls without raising waiting time.

Should effectiveness indicators be always the indicators to follow? An organization is made of a set of processes but not all processes contribute in the same way to execute a strategy. Some processes are critical for strategy execution and for those processes’ effectiveness is of paramount importance. Some processes must exist but are not critical for strategy execution. If an organization is excellent at those processes it will spend more resources and customers will not value the difference. However, if an organization fails to comply with the minimum, customers will be upset and will be dissatisfied. So, for these processes’ efficiency is the best.

In this free webinar on demand I develop the challenge of working with relevant indicators - Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/

The following material will provide you more information:

• How to define Key performance indicators for a QMS based ISO 9001: https://advisera.com/9001academy/24/define-key-performance-indicators-qms-based-iso-9001/-iso-9001/
• How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
• Please check this free webinar on demand - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/  - how to relate processes and objectives
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Gaps in complying with GDPR

From January 2021 the UK is no more part of the EU so you should comply with the UK GDPR instead of the EU GDPR if you are planning to offer services in the UK. Luckily, the UK GDPR is mirror legislation of the EU GDPR so regulation is pretty identical.One gap is encryption which is considered a common technical security measure, then you should inform the data subject and keep a register of processing activities, just to mention essential activities.

Here you can find more information on how to start implementing GDPR in your business:

• 9 steps for implementing GDPR https://advisera.com/articles/9-steps-for-implementing-gdpr/

If you want to learn how personal data are processed under the EU GDPR you may consider enrolling in our free training EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course//

Is the Technical File still a requirement?

In MDR there is a requirement for Technical documentation. It is covered in Annex 2 - Technical documentation and Annex 3 - Technical documentation on post-market surveillance.

For more details, please see:

• EU MDR Annex 2 – Technical documentation - https://advisera.com/13485academy/mdr/technical-documentation/
• EU MDR Annex 3 – Technical  documentation on post-market surveillance - https://advisera.com/13485academy/mdr/technical-documentation-on-post-market-surveillance/

• Technical file procedure https://advisera.com/13485academy/documentation/technical-file-procedure/
• Technical documentation checklist https://advisera.com/13485academy/documentation/technical-documentation-checklist/

Additionally, we have prepared the following procedures and associated templates, required by MDR:

• Procedure for clinical evaluation - https://advisera.com/13485academy/documentation/procedure-for-clinical-evaluation/
• Procedure for Post-Market Surveillance System - https://advisera.com/13485academy/documentation/procedure-for-post-market-surveilance/

• ISO 9001 requirements for laboratories

  Yes, ISO 9001 requirements are similar. Of course, each laboratory has different interested parties and clients (clauses 4.2 and 5.1.2) and have to comply with different standards and regulation (clause 7.5 about external documents). So, although the requirements are the same, the specific way of complying with them may vary from laboratory to laboratory.

  You can find more information below:

  • Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
  • What are the benefits of ISO 9001 for your employees? - https://advisera.com/9001academy/blog/2016/06/14/what-are-the-benefits-of-iso-9001-for-your-employees/
  • Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
  • Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/