Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Guest
1 - can external auditor still considered this compliant and an ISO/IEC 27001 certification be awarded to the company?
Even if WFH or teleworking is not included in the audit plan, if the auditor identifies this practice affects the stated ISMS scope, he can include it in the audit (because it may compromise the security of the information the ISMS is intended to protect), checking if relevant requirements were identified, risk assessment and treatment were performed, and, in case there are required controls if they are implemented and working properly.
In case such items are not properly fulfilled, this could mean a non-conformity that can prevent the certification to be awarded.
2 - is there such thing as partial certification?
What is possible is that you limit the scope of your ISMS, and therefore limit the scope of certification - see this article for more information:
Speaking in general terms you can measure outputs like air emissions quality, water discharging quality, environmental noise levels. You can measure amounts and types of wastes generated, amount of reused, recycled or landfilled wastes. You can measure amount of hazardous wastes generated. You can measure efficiency in the use of resources like water, energy or main raw materials. Some of these may be prescribed by legislation with frequency attached, others may be voluntary.
Please consider the following information:
You should focus on top management responsibilities and make questions to get a feeling about what level of commitment they have with the management system.
You can find more detailed information below:
There is no universal solution. Some organizations use the same rating and method to evaluate risks and opportunities. The difference stands in one being a positive risk and the other a negative risk.
Another possibility is to use a 2x2 matrix measuring the effort to exploit the opportunity and the consequences in terms of improvements within productivity, turnover or quality.
You can find more information below:
ISO 9001 is a generic universal standard to implement a quality management system to improve customer satisfaction and performance.
ISO 9001:2015 introduced the risk-based approach and is much less dependent of documentation requirements. Please check this infographic to give you a sense of the changes with ISO 9001:2015 - Infographic: ISO 9001:2015 vs. 2008 revision – What has changed? - https://advisera.com/9001academy/knowledgebase/infographic-iso-90012015-vs-2008-revision-what-has-changed/
The following material will provide you more information:
According to ISO 14001:2015 an organization must determine who are its interested parties and what are their relevant needs and expectations concerning the environment. Please check clause 0.5 of ISO 14001:2015. If an organization considers its employees and the public as interested parties the following question is: what needs and expectations concerning the environment are relevant for them? There is nothing in ISO 14001:2015 that makes welfare mandatory. To be correct here we should define welfare. If by welfare we mean the environmental conditions of the neighborhood, I can think that it is a way of avoiding environmental complaints and problems with local authorities.
The following material will provide you more information:
Yes, you are right, we do not have a change control form. We considered that changes in the documentation would be initiated by the person listed as the document owner. All updates and reviews must be performed in line with the frequency defined in the List of Internal Documents.
All changes to the document must be made by using "Track changes," making visible only the revisions to the previous version, and must be briefly described in the "Change History" table; if the Track changes option is unavailable, or if the changes are too numerous, then the Track changes option is not used.
Furthermore, each document should preferably have a "Change History" table used to record every change made to the document.
For more information about common mistakes with ISO 13485:2016 documentation control and how to avoid them, please see the following article:
You need to remember that Article 6 GDPR about the lawfulness of processing states that it is lawful to process data to fulfill a contractual obligation or a legal requirement. Therefore, if a contract or your national law requires you to keep records for 3 or 7 years, it will be considered perfectly compliant. You will write in your data processing registry (if you have one) or in your internal policy the data retention period for that category of personal data.
Here you can find more information:
If you want to know more about GDPR compliance you can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
I always recommend following three ways to determine risks:
In this free webinar on demand - How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/ - I show some examples of determining risks and then acting on them.
After determining risks, you have to evaluate them to determine which ones are more relevant and deserve some kind of action (see clause 6.1.2 of ISO 9001:2015). ISO 9001:2015 is very flexible about how organizations decide to evaluate and to act.
Please check also this other free webinar on demand - Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
You can find more information below about risks.