OHSAS is the acronym for Occupational Health and Safety Assessment Series. This is from a series of standards that were issued by the British Standards Institute (BSI) in 1999, which included two standards: OHSAS 18001:1999 and OHSAS 18002:1999. On the other hand, OHSMS is the acronym for Occupational Health & Safety Management System. The OHSMS is all of the rules, policies, processes and procedures that an organization puts in place to continually improve OH&S performance, fulfil legal and other OH&S requirements and achieve OH&S objectives for the company. While OHSAS 18001:2007 previously provided the requirements for an OHSMS, now that ISO 45001:2018 has been released as the internationally recognized requirements for an OHSMS, it will replace OHSAS 18001:2007.
You can find out more in the article: OHSAS vs. OHSMS: What is the difference? https://advisera.com/45001academy/blog/2019/10/16/ohsas-vs-ohsms-what-is-the-difference/
Thanks for your answer!
What formats should I use to comply with the clauses and controls of ISO 27001? (For example, registration of the scope of the ISMS, or a SWOT analysis to know where the company is headed, determine its objectives and align them with the ISMS.)
ISO 27001 does not prescribe the format to be used to elaborate documents, so organizations are free to develop them as best fits their needs, provided the clauses and controls statements are fulfilled.
To see what documents compliant with ISO 27001 look like, I suggest you take a look at the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
Please note that "risk transfer" is the general approach to treat risk, and according to ISO 27001 you need to specify which controls you will apply to implement this option (e.g. controls from section A.15 for suppliers and control A.13.2.2 Agreements on information transfer for third parties in general).
Up to this moment, ISO 27701 is not mandatory, and as with any new standard, it remains to be seen if it will become popular, i.e. useful.
As per the IATF 16949:2016 standard, all system internal auditors must be competent in the following.
If your current internal auditor is trained and competent, and your automotive customers do not have a special requirement in this regard, your internal auditor may provide this training to other employees.
Please consider this free webinar on demand: How to perform an internal audit remotely - https://advisera.com/9001academy/webinar/remote-internal-audit-free-webinar-on-demand/
Regarding ISO 19011:2018, please consider this: ISO 19011:2018 mentions the possibility of using remote audits and virtual audits. There is an important remark: performing remote audits can depend on the kind of risk to achieving the audit objectives, the level of confidence between the auditor and the auditee's personnel, and any regulatory requirements. Please check ISO 19011:2018 Annex A.1 Applying audit methods. See also Annex A.15 Visiting the auditee's location and Annex A.16 Auditing virtual activities and locations.
Deciding when and how to use remote auditing techniques depends on the audit objectives, scope and criteria, the available technology, the competency of the auditee and auditor to use the technology, and the type of audit evidence that needs to be gathered. The key question is whether the remote auditing techniques allow you to meet your audit objectives, while benefitting the audit process, or whether the use of remote auditing techniques could be a disadvantage to your audit.
A nonprofit association having all its services and support outsourced? Do you mean even top management? Do you mean even the promotion of fundraising and contact activities with benefactors? Who represents the nonprofit association? Who decides about outsourcing and contracts?
If you have at least one person acting as top management, you can certify that nonprofit association.
If your radius gauges are used to verify the conformity of products and services to requirements, they must be calibrated. If your radius gauges need to be calibrated, your organization can analyze previous calibration results and evaluate the possibility of increasing the time interval between calibrations. Yearly calibration is not the only possible frequency.
1. A user of a laptop or computer: do the assets need to be listed separately with the individual user?
ISO 27001 does not prescribe how to define asset ownership, so organizations can define it as best suits them.
In general, you do not need to list laptops and computers separately with individual users, because in most cases they all share the same risk. It is sufficient to list a single asset (e.g., laptop or computer), and for this asset designate a generic owner (e.g., user). Only in cases where you have a specific risk should you include specific assets and owners (e.g., "finance laptop" for the asset, and "CFO" for the user).
2. If yes, then would every user need to be presented, as a group or individually, to offer feedback on the risks that they feel are individual to them for that asset? Correct? I would be interested in any feedback. Thanks
For generic assets such as a "laptop", you should list at least the most seasoned personnel in the organization and the key users (there is no need to list all people that have a laptop), so you can gather good feedback without much effort. For individual assets such as a "finance laptop", you should list the person responsible for it.