Search results

ISO 14001 requirements for GreenHouse Gas

By GHG you mean GreenHouse Gas.

Specific requirements about GHG will depend on compliance obligations from country to country. For example, European countries within the European Union have to comply with a regulation stating requirements like these:

• Control on the use of refrigerant substances or fluids that contain greenhouse gases
• Survey of equipment with refrigeration systems, identification of fluorinated greenhouse gases, and verify whether or not it is a controlled substance
• Survey of refrigerant quantities / Preparation of inventory of equipment that may contain GHG
• Compliance with the Plan for annual verification of equipment with a quantity of regulated refrigerant equal to or exceeding 5 ton CO2 eq.
• Verification carried out by certified technician/entity, the existence of records
• Annual data communication to national environmental Agency until the end of the 1st quarter.

Please consider the following information:

• What is evaluation of compliance and how to do it according to ISO 14001? - https://advisera.com/14001academy/blog/2020/12/01/what-is-evaluation-of-compliance-and-how-to-do-it-according-to-iso-14001/
• Environmental performance evaluation - https://advisera.com/14001academy/blog/2015/07/06/environmental-performance-evaluation/
• How to perform communication related to the EMS - https://advisera.com/14001academy/blog/2015/08/31/how-to-perform-communication-related-to-the-ems/
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

Internal audit schedule

I agree with you that all processes feel important. However, according to requirement 4.1.2, it is necessary to apply a risk-based approach to control the appropriate process. So risk approach can be your guideline to decide the priority of your processes for internal audits. First of all, manufacturing is the most important process. Then is purchasing because you need to be sure that the purchase of raw material and packaging is under control. If you have a sterile medical device, the sterilization process is definitively an important process.

For more information on this topic, please see the following articles:

• Five main steps in the ISO 13485:2016 internal audit https://advisera.com/13485academy/knowledgebase/five-main-steps-in-the-iso-134852016-internal-audit/
• How to create a checklist for an ISO 13485 internal audit for your QMS https://advisera.com/13485academy/knowledgebase/how-to-create-a-checklist-for-an-iso-13485-internal-audit-for-your-qms/
• Five Main Steps in ISO 9001 Internal Audit https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/

• Continual improvement

  Continual improvement is a recurring activity to enhance performance. One can see evidences of continual improvement when we see establishing more demanding environmental objectives, when we see effective corrective actions to minimize or eliminate non-conformities or to improve performance trends. One cannot improve all parts of an environmental management system (EMS) at once, there are not enough resources and there are different priorities. So continual improvement is used to systematically improve different processes within the EMS in order to provide improvements overall according to resources available and priorities.

  You can find more information below:

  • How to achieve continual improvement of your EMS according to ISO 14001:2015 - https://advisera.com/14001academy/blog/2016/02/22/how-to-achieve-continual-improvement-of-your-ems-according-to-iso-140012015/
  • Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
  • Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

   

• Questions about ISO 27001 implementation

  1. Is there a difference between ISO 27001: 2013 and ISO 27001: 2014? We understood that 2014 was the most current version. Our implementation we wanted based on 2014.

  I’m assuming you are referring to UNE-ISO/IEC 27001:2014.

  Considering that, please note that this is the Spanish translation of ISO 27001, released by the UNE Normalización Española, so it contains the same information and content of the international standard. You can use either ISO/IEC 27001:2013 or UNE-ISO/IEC 27001:2014 for your implementation.

  2. We are currently within our process, we are in the Diagnostic stage, to see the critical factors within the processes. For this stage, which Templates would be more recommended to use.

  The beginning of the implementation process involves the identification of organizational context and requirements, and interested parties, so you should consider using the templates in folder 02:

  • 02.1 Appendix 1 List of Legal Regulatory Contractual and Other Requirements
  • 02 Procedure for Identification of Requirements

  For further information, see

  • How to define context of the organization according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
  • How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
  • How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

  3. Once the Diagnostic part was finished, our next stage was to carry out the implementation of the ISMS indicating the controls Necessary and Monitoring. In this regard, is there any recommendation with which template to start the implementation part?

  Please note that after the definition of organizational context and identification of interested parties, you need to define the ISMS scope, ISMS Policy, and define the risk assessment and risk treatment methodology, before identifying necessary controls.

  Considering that, for a streamlined implementation, you should implement the documents in the order they appear in the toolkit.

  By the way, included in the toolkit you bought, you have access to a video tutorial that can help you fill in the most critical documents, using real data examples.

  These articles will provide you a further explanation about ISO 27001 implementation:

  • ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
  • The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

  These materials will also help you regarding ISO 27001 implementation:

  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • How to use a Documentation Toolkit for the implementation of ISO 27001 / ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-27001-free-webinar-on-demand/

• ISO 27001 rules to consider for usage of documents

  ISO 27001 does not prescribe how to handle the information according to their classification level. Such treatment must be based on results of risk assessment and applicable legal requirements (e.g., laws, regulations, and contracts). For example, if the risks related to keeping confidential information on the public cloud are unacceptable, then one rule to be defined is that confidential documents must not be kept on the public cloud. Another example is that a contractual clause may define that confidential documents must be kept on local servers.  

  To see how rules to handle information compliant with ISO 27001 looks like, please see the free demo of our Information Classification Policy template at this link: https://advisera.com/27001academy/documentation/information-classification-policy/

  This article will provide you a further explanation about information classification:

  • Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

  These materials will also help you regarding information classification and handling:

  • ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/

• ISO certification: 7.4 Communication

  The official ISO 27001 revision is from 2013, and it was confirmed in 2019 - you can see the details here: https://www.iso.org/standard/54534.html 

  When you mention ISO 27001:2017, this is probably a standard that was re-published by a European or a local standardization body in a particular country - however, even though it has the year "2017" it is again the same as the original ISO 27001:2013. 

  This article can also help you: European 2017 Revision of ISO/IEC 27001: What has changed? https://advisera.com/27001academy/blog/2017/10/25/european-2017-revision-of-isoiec-27001-what-has-changed/

• Adding new control to SoA after audit

  Adding, changing, or excluding a control from SoA is a natural and necessary thing to maintain the ISMS.

  To do that, considering the requirements of the standard, you need to review your risk assessment and risk treatment, and your list of applicable legal requirements, to verify if there is any change in your context that can justify a change in SoA. Additionally, you need to check if there is any management decision to implement a control (in such cases there will be no changes in risk management nor in legal requirements).

  Once a need for change is identified, you need to define an implementation plan to perform the change.

  These articles will provide you a further explanation about SoA:

  The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
  ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
  How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

• Sending personnel data from UK or Europe for analysis.

  The data you are going to process belongs to the special category of personal data under Article 9 GDPR (some legislation call them sensitive data) because this kind of data contains information which may end up in discrimination and in threats to the freedom and rights of individuals. Therefore, the EU GDPR requires controllers and processors to pay particular attention when processing this kind of data. 

  Before starting processing, you will need a Data Protection Impact Assessment as Article 35 GDPR requires in order to verify the risk for freedom and rights of data subjects arising from your data process and assess the risks with appropriate safeguards. This will also help you to comply with privacy by design and privacy by default principles.

  From the information you wrote, your data processing will be likely based on consent. Therefore, you will need to pay attention to the information provided to data subjects in your privacy notice and the request for consent.The register of processing activities will also be required.You will need to establish a procedure to deal with Data Subjects Access Request (DSAR) because data subjects may always withdraw the consent and you need to be able to verify the request and proceed with the exercise of DSAR and also comply with the right of erasure if requested so.

  Be sure to inform data subjects that their data will be processed also in the US. 

  Then, transferring data to a processor in the US may request safeguards: adoption of a data protection agreement with the approved standard contractual clauses is necessary because the EU Court of Justice invalidated the US Privacy Shield with the so-called Shrems II decision. You may also adopt secure transfer protocols and encryption (if you can anonymize data it would be a plus while pseudonymization is highly recommended).

  Here you can find more information:

  • A summary of 10 key GDPR requirements https://advisera.com/eugdpracademy/knowledgebase/a-summary-of-10-key-gdpr-requirements/
  • List of mandatory documents required by EU GDPR https://advisera.com/articles/list-of-mandatory-documents-required-by-eu-gdpr/
  • Data subject rights according to GDPR https://advisera.com/eugdpracademy/knowledgebase/8-data-subject-rights-according-to-gdpr//
  • Everything you need to know about the GDPR Privacy Notice https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/
  • 5 phases of the EU GDPR Data Protection Impact Assessment https://advisera.com/eugdpracademy/knowledgebase/5-phases-of-the-eu-gdpr-data-protection-impact-assessment/
  • What is privacy by design & default according to GDPR? https://advisera.com/eugdpracademy/blog/2018/04/17/what-is-privacy-by-design-and-default-according-to-gdpr/
  • 3 steps for data transfers according to GDPR https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/

  To have a deeper idea of the list of requirements of GDPR you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

• Sample size in the field of valve calibration

  Thank you so much