Search results

Roles and Responsibilities

ISO 27001 only requires a definition of information security roles and responsibilities that can impact the ISMS scope (i.e., you must define the roles of the IT related to information security if this area is inside the ISMS scope).
 
Regarding where to document these roles, ISO 27001 does not require to write a separate document for roles and responsibilities. You can define the general roles and responsibilities in the Information Security Policy, and all other detailed responsibilities can be defined in specific documents.
 
This article will provide you a further explanation about roles and responsibilities:  

• How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/

Initial environmental analysis

Attention, there is no requirement in ISO 14001:2015 making it mandatory to write a manual about the environmental management system. Please check this article Checklist of Mandatory Documentation Required by ISO 14001:2015 - https://info.advisera.com/14001academy/free-download/checklist-of-mandatory-documentation-required-by-iso-140012015

I start with the gap analysis. Until some years, after the gap analysis, I used to perform the initial environmental analysis to get a clear picture of all the aspects and impacts and to know where their source is. Then, I realized that before that it is better to do a rough environmental compliance evaluation to determine situations of noncompliance that take time to correct and need investment. Changes in the wastewater treatment facility, changes in chimneys. After that, I perform the initial environmental analysis to locate all aspects, impacts, and sources.

You can find more information below:

• Is a gap analysis desirable for ISO 14001 implementation? - https://advisera.com/14001academy/blog/2016/11/14/is-a-gap-analysis-desirable-for-iso-14001-implementation/
• 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
• Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
• Free webinar - Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

GLP and ISO 17025 (Clause Improvement)

You asked

"My question is regarding GLP. Are there written requirements of GLP anywhere .which would be fulfilled to by lab.

Indeed, look at the Economic Cooperation and Development (OECD) principles of Good Laboratory Practice (GLP) at https://www.oecd.org/chemicalsafety/testing/good-laboratory-practiceglp.htm and  US Food and Drug Administration (FDA) Electronic Code of Federal Regulations Title 21 → Chapter I → Subchapter A → Part 58 from https://www.ecfr.gov/

Typically, a country will have specific GLP requirements and an official GLP monitoring authority that conducts study audits and provides certificates of compliance to organisations for compliance to the OECD principles of GLP.

You also asked 

If the lab will get same results as was in previous year then it means the lab has maintained its success or maintained the implemented rules. Does this would be counted in improvement? 

No this is not improvement. The term “improvement” relates to an increased ability to fulfil requirements, not just having maintained or met the same “level” of implementation.

And you asked 

Further to fulfill the clause of improvement what would you suggest to do ?"

Improvement involves meeting requirements in a more effective and or efficient way. It could also come from improved monitoring and traceability of objective evidence. Opportunities for improvement can be identified through: 

• feedback from customers and personnel (positive and negative)
• review of operational procedures, risk and opportunity assessments, audits, and management review
• data and trend analysis, including quality control (internal and proficiency testing), corrective actions, audits, and root cause / corrective action trends
• analyzing outcomes and use the evaluation to improve customer service, specific laboratory activities, and the overall management system

You should use your procedure for addressing risks and opportunities to select which improvements to make. 

For more information regarding actions to address risks and opportunities, see the ISO 17025 toolkit document template: Addressing Risks and Opportunities Procedure at https://advisera.com/17025academy/documentation/addressing-risks-and-opportunities-procedure/ 

Also have a look at a previous response to questions

• Addressing Improvement clause at https://community.advisera.com/topic/addressing-improvement-clause/ and
• Actions to address risks and opportunities (Option A) (new) at https://community.advisera.com/topic/8-5-actions-to-address-risks-and-opportunities-option-a-new/

Adapting existing management system

Both ISO/IEC 17025:20117 and ISO/IEC 17020:2012 are conformity assessment standards. They have common requirements and are structured in the same way in terms of Management requirements, General, Structural, Resource and Process requirements. If the responsibility for the management systems is with the same person, or group of people; it should be straight forward to have common processes and procedures. You would need to integrate the laboratory activities into the current processes, for example complaints, corrective actions. I suggest you look at the responsibilities and perform a gap assessment on what is required to “add” or build on to your existing management system. Perform a risk and benefit analysis of merging the two systems.

For more information on ISO 17025 have a look at the toolkit at  https://advisera.com/17025academy/iso-17025-documentation-toolkit/

ISO 27001 for medium-sized companies

Please note that ISO 27001 was designed to be applicable to organizations of any size and industry. In short, clauses from 4 to 10 (the ones that are mandatory), requires:

• Definition of the ISMS scope considering relevant internal and external issues and expected results
• Definition of roles and responsibilities regarding information security
• Identification and treatment of relevant risks
• Provision of resources
• Proper operation of controls, and recording of evidence
• Performance review
• Treatment of non-conformities and continual improvement

If you note, these activities should be performed by organizations of any size looking for excellence.
 
Regarding documents, ISO 27001 requires few documents in clauses 4 to 10, and most of the controls from Annex A do not require documentation such as policies or procedures (although for implemented controls you have to produce records, such as logs, reports, etc.)

What normally varies is that, according to the organization's willingness to take risks, the number of applicable controls will be greater or smaller than to other similar organizations, and this will affect the provision of resources.  

Most of our clients are companies smaller than 200 employees, and they do not have much trouble implementing this standard.

These articles will provide you a further explanation about ISO 27001:

• What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
• List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
• The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
• Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/

These materials will also help you regarding ISO 27001:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Required reference documents for EU GDPR & ISO 27001 Integrated Documentation Toolkit

If your question was about templates for policies and procedures for Annex A controls, our EU GDPR & ISO 27001 Integrated Documentation Toolkit contains more than 30 templates for such documents - you can find them in folder "14 Security controls".

If your question was about the text of the ISO 27001 standard and its Annex A, unfortunately we are currently not authorized to sell ISO standards - you can purchase it here: https://www.iso.org/standard/54534.html

This book will provide you a quick explanation of the controls:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

• When is a good time to implement ISO 9001

  Please check these articles about the benefits of implementing a QMS - Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/ and What are the benefits of ISO 9001 for your employees? - https://advisera.com/9001academy/blog/2016/06/14/what-are-the-benefits-of-iso-9001-for-your-employees/ - Can your organization benefit from implementing ISO 9001? For example, would it bring more credibility?

  An organization with 4 employees can design a very light, a very practical QMS.

• Do we need ISO 17025 certification to certify the freezer?

  You asked 

  Do we need that certification to certify the freezer?"

  I assume you are referring to your company having ISO 17025 accreditation (it is not certification)? It depends on the customers needs. 

  The requirement that could be applicable to your situation is that the client needs the performance of the device verification to be done by an ISO 17025 accredited laboratory. In that case, the accredited laboratory would have to be accredited for the specific scope (type of test) they require. There are various ISO and National standards and regulations related to fridges and freezers, depending on their purpose. For example, the National Health regulator could have requirements for storage and monitoring conditions for vaccines. There is difference between certifying the performance of a device on manufacture (technical specification) to assure stability and verifying and monitoring the operational performance. For example refer to WHO requirements https://apps.who.int/immunization_standards/vaccine_quality/pqs_catalogue/categorypage.aspx?id_cat=17 The customer must clarify exactly what they need.

  Different vaccines require different storage conditions, provided by the vaccine manufacturers provide recommended storage temperatures for their products.

  Regarding the tests performed and the certificate of calibration, see the CDC requirements as an example, at https://www.cdc.gov/vaccines/hcp/admin/storage/toolkit/storage-handling-toolkit.pdf

  For ISO 17025 calibration report requirements, refer to the ISO 17025 document template: Calibration Report and Certificate Requirements Procedure at https://advisera.com/17025academy/documentation/calibration-report-and-certificate-requirements-procedure/ 

• Annex A controls to be applied while mitigating GDPR related risks

  In general, there are no "GDPR-related risks", there are only risks related to confidentiality, integrity and availabilty of personal data.

  To answer your questions:

  1) Can you advise which of the Annex A controls are to be applied while we try to mitigate GDPR related risks?

  Answer: Article 32 (Security of processing) of GDPR requires the following safeguards to be implemented:

  • Risk management - ISO 27001 clause 6.1
  • Encryption - ISO 27001 section A.10
  • Ability to restore the availability - ISO 27001 section A.17
  • Access control - ISO 27001 section A.9
  • Regular testing, assessing and evaluating the effectiveness - ISO 27001 clause 9.2 (Internal audit)

  Further, GDPR Articles 28, 32, 33, 34, 39 and 82 require the following:

  • Relationship with suppliers / processors - ISO 27001 section A.15
  • Handling incidents / data breaches - ISO 27001 section A.16
  • Training and awareness - ISO 27001 clauses 7.3 and 7.4; control A.7.2.2
  • Ensuring confidentiality, integrity and availability - this is basically the whole ISO 27001 standard

  You can find more information in this free webinar: How to integrate GDPR with ISO 27001 https://advisera.com/eugdpracademy/webinar/how-to-integrate-gdpr-with-iso-27001-free-webinar-on-demand/

   

  2) Also, do we have any other Annex for GDPR related risks controls?

  Answer: ISO 27001 does not have some other Annex that would cover privacy nor GDPR, however ISO 27701 standard covers privacy management in more details - here's some info: Relationship between ISO 27701, ISO 27001, and ISO 27002 https://advisera.com/27001academy/blog/2019/12/10/relationship-between-iso-27701-iso-27001-and-iso-27002/

• ISO 14001 risks and opportunities management plan

  About risks and opportunities in ISO 14001:2015 I recommend reading Annex A.6.1.1. What does your organization want from the environmental Management System (EMS)?

  

  How is this done? With a set of action plans:

  

  Risks and opportunities are:

  

  What A6.1.1 tell us is:

  • Look into your list of environmental aspects, which can create risks and opportunities. Your significant aspects can generate significant impacts and those can be seen as risks and opportunities
  • Look into your list of compliance obligations, are there risks of failing to comply, or opportunities to be better than compliance obligations?
  • Look into your context and interested parties, which can create risks and opportunities? For example, trends in environmental legislation, trends in neighborhood or client’s sentiment about your organization’s environmental performance.

  Determining environmental aspects is determining how an organization interacts with the environment. For example:

  

  Determining risks and opportunities of an organization, according to ISO 14001:2015, is based on its environmental aspects, compliance obligations, and context and interested parties.

  For example, concerning environmental aspects we can have:

  

  Since organizations have to consider the lifecycle of its products and services, do not forget to consider risks and opportunities around your products and services during use or final disposal.

  For example, concerning compliance obligations, and context and interested parties we can have for example, the above organization can realize that neighbors (an interested party) are pressuring local authorities to not allow its expansion (an external issue) due to non-compliance with wastewater discharging legislation (compliance obligations) translated into river pollution.

  Please check risk definition (3.2.10) on ISO 14001:2015 (effect of uncertainty). With environmental aspects and impacts we are considering normal, expected situations, like startup and closing down operations, but also abnormal and emergency situations. Whenever there is uncertainty there is risk or opportunities, there is a potential deviation from the expected.

  Please check this information below with more detailed answers:

  • Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
  • Catalogue of environmental aspects - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/catalogue-of-environmental-aspects/
  • ISO 14001 risks and opportunities vs. environmental aspects - https://advisera.com/14001academy/blog/2016/03/21/how-does-product-life-cycle-influence-environmental-aspects-according-to-iso-140012015/
  • Risks and opportunities in ISO 14001:2015 – What they are and why they are important - https://advisera.com/14001academy/blog/2016/03/07/risks-and-opportunities-in-iso-140012015-what-they-are-and-why-they-are-important/
  • Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
  • ISO 14001 document template: Procedure for Identification and Evaluation of Environmental Aspects and Risks - https://advisera.com/14001academy/documentation/procedure-for-identification-and-evaluation-of-environmental-aspects/
  • Enroll for free in this course – ISO 14001:2015 Lead Auditor Course - https://advisera.com/training/iso-14001-lead-auditor-course/
  • Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/