Search results

ISO 14001 Risk Register Preparation

You can prepare a table where you list:

• risks,
• sources,
• measure of severity,
• measure of probability,
• measure of significance,
• actions to be implemented,
• responsibilities,
• main resources needed,
• time frame.
   

You can find more information below:

• ISO 14001 risks and opportunities vs. environmental aspects - https://advisera.com/14001academy/blog/2016/03/21/how-does-product-life-cycle-influence-environmental-aspects-according-to-iso-140012015/
• Risks and opportunities in ISO 14001:2015 – What they are and why they are important - https://advisera.com/14001academy/blog/2016/03/07/risks-and-opportunities-in-iso-140012015-what-they-are-and-why-they-are-important/
• Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
• ISO 14001 document template: Procedure for Identification and Evaluation of Environmental Aspects and Risks - https://advisera.com/14001academy/documentation/procedure-for-identification-and-evaluation-of-environmental-aspects/
• Enroll for free in this course – ISO 14001:2015 Lead Auditor Course - https://advisera.com/training/iso-14001-lead-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
   

GDPR Implementation Inquiry

"We have an inquiry regarding the GDPR implementation, we are a software company that develops a software solutions to  a customer X at Europe ; the  software solutions are carrying personal information for X’s employees so we are a processor.
Internal systems developed and maintained by my company  for other customers that have EU citizen employees should be GDPR compliant and in this case it should be secure by design and data should be secured at rest considering there is no agreement between the client and ourselves for applying GDPR requirements on the system ..please confirm?

You are a data processor under GDPR because you are processing personal data on behalf of your Client. You need a data processor appointment agreement to comply with obligations listed in Article 28 GDPR. It helps you to demonstrate accountability to GDPR principles in case of controls by Data Protection Authorities. 

We developed the template of the Agreement to use with your Clients applying GDPR:
EU GDPR document template: Supplier Data Processing Agreement https://advisera.com/eugdpracademy/documentation/supplier-data-processing-agreement/

You can also find more information here:

• Full text of GDPR: https://advisera.com/eugdpracademy/gdpr/
• EU GDPR controller vs. processor – What are the differences? https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/

Regarding personal rights, are these rights applied on employees as they are EU citizens in the way that is compliant with business rules and data retention policies, for example if the employee left the company and wants his data to be deleted, in this case the company should reply within 1 month that according to the business needs and regulations, his data will be retained for 5 years for example and after these 5 years ha may ask for a data deletion confirmation, is that right? We need to know what are the employee rights here and what to be applied at our systems? 

Being a data processor under GDPR you need to guarantee data subjects’ rights in your system. However, it should be the data controller to ensure that you comply with GDPR requirements through the Data Processing Agreement.

This happens because data subjects shall exercise their rights in front of the data controller and you – as a data processor – will be jointly responsible. Keep in mind that retention periods may vary under national legislation implementing GDPR requirements (I.e. in Italy bookkeeping legislation requires a company to store documents for 10 years) so you need to check it with your Client.

The employee rights are those listed from Article 15 to 22 GDPR:

• Right of access
• Right of rectification
• Right of erasure (Right to be forgotten)
• Right to restriction of processing
• Right to data portability
• Right to lodge a complaint to a Data Protection Authority
• Right to object
• Right to ask for human control in case of automated individual decision-making

Here you can find more information:

• Full text of GDPR: https://advisera.com/eugdpracademy/gdpr/
• Data subject rights according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/8-data-subject-rights-according-to-gdpr//

You can consider enrolling in our free EU GDPR Foundations Course
EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

ISO 9001 and product added value

First, attention: ISO 9001:2015 is not about product or processes, it is about the management system.

I belong to a group of people that think that value is not added to a product but something that emerges in the mind of a customer. Value is in the eyes of the beholder.

So, I made this figure to help me share how I see your challenge:

Your organization was certified and now wants to increase prices to previous customers because now it is certified. That is quadrant 1 on the figure, it is what I call arm wrestling. You cannot do it competition will not allow it.

Your organization was certified and now can access previous markets where ISO 9001 acts as an entry barrier. That is quadrant 2 on the figure, your organization has to find new customers that could value more your product and services.

Another alternative stands over developing a new offer, a new product, a better service, to the same or different customers, quadrants 3 and 4.

You can find more information below:

• Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
• Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

ISO 9001 compliance in a mining company

When I’m in that situation I follow this technique:

So, I list the major benefits that can pull top management to make that decision. I also list problems, organizational pain, that can push top management to make that decision. About the resources needed that will depend from organization to organization, but for one with 33 000 employees I believe is quite affordable.

You can find more information about ISO 9001 implementation below:

• Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
• How to budget an ISO 9001 implementation project - https://info.advisera.com/9001academy/free-download/how-to-budget-an-iso-9001-implementation-project?utm_source=script-for-iso-9001-lead-implementer-course&utm_medium=downloaded-content&utm_content=lang-en&utm_campaign=free-downloads-9001
• Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• ISO 9001:2015 Documentation Toolkit - https://advisera.com/9001academy/iso-9001-documentation-toolkit/ may be useful
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

ISO 9001 and itemized inventory as a requirement

If you include that requirement as an explicit specification of your orders and if your supplier accepts that requirement you can expect and demand compliance with that requirement. Let’s see what ISO 9001 requires from a supplier receiving an order from a customer, you:

Clause 8.2.2 is about receiving an order, or a request for a quotation from a potential client. Your ISO 9001 certified supplier wants to be sure about what is that the customer, you, want, it can be a standard product from their warehouse, but that is not enough. They need to know quantities, delivery date, any restrictions imposed by law, and even restrictions imposed by their own organization. For example, they may not deliver an order to a certain country, or to a PO box address.

Clause 8.2.3 is about preparing to make a promise to the client, to you. The supplier already knows what the requirements and needs are, but before making a commitment, they must be sure they have the resources to comply.
Can their organization comply with explicit requirements from the client, from you, for example, can they deliver the amount required on the requested date? Can their product really comply with a performance feature required by you?
They know more about the product or service and conditions of use than any client. They may know about some implicit requirements not mentioned by you but required for the effective performance of the product. Is their organization in condition to comply with those implicit requirements?
Can they comply with legislation and regulation applicable?
Can they provide the product within the organization’s own internal rules? For example, will they accept a 200-days interval for payment according to the client requirements, when their organization’s internal rules are only 20 days?

You can find more information below.

• Clause-by-clause explanation of ISO 9001:2015 - https://info.advisera.com/9001academy/free-download/clause-by-clause-explanation-of-iso-90012015
• Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

SOC 1 & 2 equivalent for International Vendor

We're not experts in SOC 2, but there are many common points between SOC II and ISO 27001:2013 that may allow you to adopt ISO 27001 for due diligence for a new international vendor: risk management, internal audit, business continuity, access control, etc.

If you want to know details about the similarities about both standards, and what resources can be shared, you can see the document “Trust Services Map to ISO 27001” in the official site of the American Institute of CPAs. You can find it at this link: https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/othermapping/trust-services-map-to-iso-27001.xlsx

ISO 45001 mandatory clauses for an audit

In clause 9.2.1 for internal audit the ISO 45001 standard simply states that the organization must audit that the OHSMS meets their own requirements, and the requirements of the standard. Using the recommended approach from ISO 19011, the idea is to perform an audit of the processes, rather than a clause-by-clause audit of the standard. During the audit you see if the planned process arrangements meet the ISO 45001 standard requirements, then you talk to people and see if they are meeting the process planned arrangements as identified by the company (because most of them won’t know the ISO 45001 standard, rather they know what they have been trained to do. With internal audit the audit is not done clause-by-clause, so there are no mandatory clauses to audit.

When it comes to a certification audit, they will audit all of your processes, and then ensure that everything meets all of the requirements of ISO 45001. If you are auditing a supplier (second-party audit) then it is up to you what you want to look at; you don’t need to follow the standard at all (for instance you may just want to look at their nonconformance process). If you have specific requirements on a supplier, this is often the audit criteria used in a second-party audit.

You can learn more about auditing using ISO 19011 in the article: How to perform an internal audit using

ISO 19011, https://info.advisera.com/free-download/how-to-perform-an-internal-audit-using-iso-19011

Documenting ISO 45001

The ISO 45001:2018 standard does not define how you must create your documentation, or how it must look. In terms of procedures you can use whatever format works best for your organization, including flow charts, text documents, or even diagrammatic instructions if that is what works for your employees. As for records, again whatever format make sense to you for a particular record then that is what you can use. This is of course limited by any legal requirements that may exist for records and reports, such as a government form that needs to be submitted.

The general flow for creating documentation should go like this: What information do we need to document? Is there a required format to use (such as legal or other requirement)? If not, what is the best, and simplest, way we can record this information so that it is usable for us?

You can learn more about the new documentation requirements in the article: New approach to ISO 145001 documentation, https://advisera.com/45001academy/blog/2018/03/13/new-approach-to-iso-45001-documentation/