Search results

ISO 14001 Environmental auditing vs monitoring compliance

Environmental auditing concerns clause 9.2 of ISO 14001:2015 and his about auditing the whole environmental management system based on a sample. Evaluation of compliance concerns clause 9.1.2 of ISO 14001:2015 and his about checking the current status of an organization against all the regulations and legislation determined according to clause 6.1.3 of ISO 14001:2015, and if there is any noncompliance check if actions were taken to deal with it, and if top management was made aware of the current situation. Evaluation of compliance is not based on sample, is a complete evaluation.

You can find more information below:

• Compliance requirements according to ISO 14001:2015 – What has changed? - https://advisera.com/14001academy/blog/2015/09/14/compliance-requirements-according-to-iso-140012015-what-has-changed/
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

ISO 14001: 2015 en la industria química

Primeramente es muy importante contar con el apoyo lo de la alta dirección, que va a facilitar los recursos tanto de personal como económicos para poder llevar a cabo el proyecto de implementación.

Posteriormente debería de realizar un análisis de brecha (o GAP, por sus siglas en inglés) que le ayudará a identificar aquellos requisitos con los que la organización aún no cumple. Esto le va a facilitar la implementación ya que reducirá significativamente el tiempo de implementación, especialmente en una industria química donde ya existen numerosos procedimientos que cumplen con regulaaciones especiíficas de medio ambiente. Aquí puede llevar a cabo el análisis de forma gratuita - Herramienta de análisis de brecha en ISO 14001: https://advisera.com/14001academy/es/herramienta-gap-analysis-iso-140012015/

Más tarde le recomiendo que lleve a cabo un plan de proyecto, donde defina las responsabilidades, hitos durante la implementación, plazos, etc. Aquí puede descargar de forma gratuita un plan de proyecto - Project Plan for ISO 14001:2015 implementation: https://info.advisera.com/14001academy/free-download/project-plan-for-iso-140012015-implementation-ms-powerpoint

Luego ya podrían empezar con lo que es la implementación en sí de la norma, definiendo el alcance del Sistema de Gestión Ambiental, para lo cual le recomiendo que primeramente de las cuestiones internas y externas del contexto de la organización, ya que le puede ser de gran ayuda a la hora de saber cuáles van a ser los límites de su SGA. A continuación, puede determinar tanto la política de su SGA así como los objetivos del SGA. Aquí puede obtener más información de cómo definir el alcance de su SGA - How to determine the scope of the EMS according to ISO 14001:2015: https://advisera.com/14001academy/blog/2016/02/01/how-to-determine-the-scope-of-the-ems-according-to-iso-140012015/

Más adentante, deberá de establecer todos los procesos relacionados con el sistema e implentarlos para finalmente realizar la auditoría interna y finalmente llevar a cabo la revisión por la dirección.

Estos materiales  pueden ayudarle a saber cuáles son los pasos en la implementación de ISO 14001:2015:

- Artículo: Lista de pasos para la implementación de la ISO 14001: https://advisera.com/14001academy/es/knowledgebase/lista-de-pasos-para-la-implementacion-de-la-iso-14001/

- Curso gratuito - Fundamentos de ISO 14001:2015:  https://advisera.com/training/es/course/curso-fundamentos-iso-14001/

- Libro - The ISO 14001:2015 companion: https://advisera.com/books/the-iso-14001-2015-companion/

Question about LinkedIn and emails

My situation is that we are publishing a list of the top 25 UK figures in a specific technology. We would like to notify those figures that they've been chosen before we publish, but we have not been given their email addresses.

My questions are: If we are able to obtain those email addresses from the public domain (but haven't been given explicit consent from the people to use those email addresses), is it admissible to email them in order to ask them if they want to be featured? Does this fall under 'legitimate interest'?

Yes, it falls under legitimate interest. If you find the email in the public domain, the owner of the email expects to be contacted for something of interest. Not to receive commercials or spam, therefore informing those persons that they will feature on a list of top 25 UK figures can be considered a legitimate interest.

If we message these people on social media instead of emailing (i.e. LinkedIn and/or Twitter), but we are not currently 'connected' to them, is this admissible under GDPR?

Yes, the message is under the legitimate interest of the data controller.

Here you can find more information:

• Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/

If you want to know more about GDPR compliance you can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

Early stage compliance

What do you mean by start-up? Let us consider two hypotheses:

• A - Let me use start-up to represent a new company with an established business model, like a restaurant, like a new shoe manufacturing plant, or a new transport company.
• B - Let me use start-up company as a designation for a project of company in search of a business model. Startups, in reality, are not yet companies, they are still projects of companies in search of a successful business model and customer fit. So, a startup is like an experiment being done. The startup can be called a company only after finding the right business model, a customer fit, and when it starts scaling. Only then, the procedures and internal standards are ready to be documented.

So, for situation B it is too early to certify. For situation A, I think it is easier to get ISO certification than with an established company (with same resources and motivation). An established company has to unlearn some practices and that it is not always easy.

For situation B certification makes sense only after starting to scale.

You can find more information below:

• Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
• What are the benefits of ISO 9001 for your employees? - https://advisera.com/9001academy/blog/2016/06/14/what-are-the-benefits-of-iso-9001-for-your-employees/
• How to budget an ISO 9001 implementation project - https://info.advisera.com/9001academy/free-download/how-to-budget-an-iso-9001-implementation-project?utm_source=script-for-iso-9001-lead-implementer-course&utm_medium=downloaded-content&utm_content=lang-en&utm_campaign=free-downloads-9001
• Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Clause 8.1 Management system requirements

Clause 8.1 does not require a procedure. It specifies the need to establish a management system and document it to the extent necessary so that the laboratory can achieve the requirements of ISO 17025. This means it is more applicable to apply clause 8.1 to a policy statement. e.g. State as a policy “The laboratory is committed to establishing,  documenting and maintaining a management system to meet the general, structural, resource, process and management requirements of ISO 17025”. This is typically documented in the Quality Manual, not as a procedure. If the laboratory does not have a system already established in accordance with ISO 9001, then state that the Option A applies, where the clause 8 management requirements are addressed as part of ISO 17025. If the laboratory does have a system already established in accordance with ISO 9001, then state that the Option B applies, where the clause 8 management requirements are addressed as part of ISO 9001, including laboratory activities. This means that, for example how complaints and corrective action are handled, fall under the ISO 9001 activities and evidence can be shown of laboratory activities being included.You can link this clause 8.1 to your overall project planning to implement ISO 17025:2017.

Have a look at the ISO 17025 toolkit document templates for some more insight:  

• Quality Policy at https://advisera.com/17025academy/documentation/quality-policy/;  and
• Quality Manual at https://advisera.com/17025academy/documentation/quality-manual/
• Project Plan for ISO/IEC 17025 implementation at https://info.advisera.com/17025academy/free-download/project-plan-for-iso-17025-implementation

The following articles may be of interest :

• List of mandatory documents required by ISO 17025:2017 at https://advisera.com/17025academy/blog/2019/08/30/list-of-mandatory-documents-required-by-iso-170252017/ 
• Clause-by-clause explanation of ISO 17025:2017 at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/

Excluding "Design" from the ISO audit

Let us consider three situations:

a) Company does not perform design activities
b) Company performs design activities, but they are performed outside the scope of the quality management system
c) Company performs design activities, and they are performed within the scope of the quality management system and the company decides to exclude design from the certification process

Situations a) and b) are allowed, but the organization has to explain why design was excluded. These are common, pacific situations.
Situation c) is not allowed. If design is performed within the management system scope it must be included. Not including design is a major non-conformity.
The following material will provide you more information about exclusions:

• What clauses can be excluded in ISO 9001:2015? - https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/
• Free webinar on demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope -
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

ISO 9001 - getting started in a quality department

I think that a quality department should develop three areas of expertise:

• Quality control
• Quality improvement 
• Quality development 
   

For quality control you can start with the risk-based thinking and developing a quality control plan from scratch: what to control, where, with what frequency, how, by whom, where to record, whit what specifications.

For quality improvement you start with the facts collected with quality control and customer satisfaction using tools to find trends, find priorities to improve your system.

Root cause analysis is fundamental for quality improvement and can be one of the bases for developing knowledge about how to design quality into products and services from the beginning.

The following material will provide you more information:

• Making the best out of ISO 9001 Quality Plan - https://advisera.com/9001academy/blog/2015/12/08/making-the-best-out-of-iso-9001-quality-plan/ Article - How to establish QMS Statistical Process
• How to use root cause analysis to support corrective actions in your QMS - https://advisera.com/9001academy/blog/2016/03/01/how-to-use-root-cause-analysis-to-support-corrective-actions-in-your-qms/
• Free webinar on demand - Measurement, analysis, and improvement according to ISO 9001:2015 –
  https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
   

BCMS objectives

Please note that business continuity objectives depend on the organizational context and the organization's own business objectives and strategies, so it is unfeasible to provide specific inputs.

Generally speaking, you can have at least two types of objectives:

1. Strategic objectives – for your whole Business Continuity Management System, and
2. Tactical objectives – Recovery Time Objectives (RTOs), Recovery Point Objectives (RPOs), Minimum Business Continuity Objectives (MBCOs), and exercising and testing objectives.

These articles will provide you a further explanation about BC objectives and organizational context (although the last article is about ISO 27001, the same concept applies to ISO 22301):

• Setting the business continuity objectives in ISO 22301https://advisera.com/27001academy/blog/2014/02/17/setting-the-business-continuity-objectives-in-iso-22301/
• How to define context of the organization according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/

This material will also help you:

• Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/

License management Auditing

Please note that ISO 27001 does not approach specifics about processes and technologies. It only defines requirements for information security management and information security objectives to be achieved.

Considering that "License management" involves the control and documentation of the software products your business uses, and where and how they are used, you should consider at least auditing these controls:

• A.8.1.1 Inventory of assets
• A.8.1.3 Acceptable use of assets
• A.12.5.1 Installation of software on operational systems
• A.12.6.2 Restrictions on software installation
• A.18.1.1 Identification of applicable legislation and contractual requirements
• A.18.1.2 Intellectual property rights

This article will provide you a further explanation about developing an audit checklist:

• How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

These materials will also help you regarding performing an audit:

• ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
• Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

Integration of 22301 and 27001 - common policies

Considering ISO 27001 and ISO 22301, which have a lot of requirements in common, it is perfectly possible to integrate some documents. In fact, this can bring many benefits, like decreased costs in implementation, maintenance, and internal audits.

This article will provide you a further explanation about integrated implementation:

• How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/

This material will provide further information:

• Free webinar – ISO 27001 & ISO 22301: Why is it better to implement them together? https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/

This material will provide information about overlaps:

• ISO 27001 vs. ISO 22301 matrix (PDF) https://info.advisera.com/27001academy/free-download/iso-27001-vs-iso-22301-matrix