Can one implement ISO 14001 without being an ISO 14001 Lead Auditor?
Answer:
Yes, there is no mandatory requirement to be a Lead Auditor in order to implement an ISO 14001 environmental management system (EMS). Anyone wanting to implement an ISO 14001 EMS can do so as long as they gain knowledge of the standard and/or get help from a consultant.
Which is a better qualification to possess as an environmental manager: an introduction to ISO 14001 certification, or a Lead Auditor course for ISO 14001?
Answer:
As an environmental manager, if you need an introduction to ISO 14001, then the ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/ is the right course for you. The focus is on ISO 14001, and you will be able to understand the standard and feel more confident about starting an implementation project. Alternatively, you can take a course like the ISO 14001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/ because that way you will be able to perform internal audits during the implementation. The ISO 14001:2015 Internal Auditor Course has 9 modules, and the first 5 are included in the ISO 14001:2015 Foundations Course. Another possibility is our ISO 14001:2015 Lead Implementer Course - https://advisera.com/training/iso-14001-lead-implementer-course/ with 11 modules. The first 5 are included in the ISO 14001:2015 Foundations Course; the other 6 are about techniques for implementing a management system.
Please check this article - How to choose the most appropriate training - https://advisera.com/training/compare/
ISO 45001 is not just about writing documents; what is really important is having all the necessary processes and records in place for the OHSMS, and actively using these processes. If you are thinking about certification, the certification body will have some requirements before they will audit your OHSMS after implementation, so you also need to know these to be sure your system is fully implemented. The certification body will expect:
- You use the system for a number of months (often 6) to ensure there are enough records collected to adequately audit.
- You have performed a complete set of internal audits for all your processes, and taken corrective actions where needed.
- You have performed at least one full management review of all required management review inputs and taken corrective actions where needed.
This is really what you need to do to say you are fully implemented; after that, continue using your system with internal audits and management reviews to maintain it.
For a graphical view of the full implementation process, see this: Diagram of ISO 45001 Implementation Process, https://info.advisera.com/45001academy/free-download/diagram-of-iso-45001-implementation-process
Moving your OHSMS from a system based on OHSAS 18001 to ISO 45001 is not that difficult, as most of the processes from OHSAS 18001 are used in the new ISO 45001 standard. The main additions for ISO 45001 are the inclusion of the definition of the context of the organization, specifically identifying the issues that affect the OHSMS and the interested parties and their needs.
Some helpful tools that will assist with this are as follows:
For an easier transition, the whitepaper: Twelve-step transition process from OHSAS 18001 to ISO 45001, https://info.advisera.com/45001academy/free-download/twelve-step-transition-process-from-ohsas-18001-to-iso-45001
To understand the main changes, the webinar: ISO 45001 vs OHSAS 18001 the main changes, https://advisera.com/45001academy/webinar/iso-45001-2017-vs-ohsas-18001-2007-the-main-changes-on-demand/
To make sure you don’t miss any required documentation, the whitepaper: Checklist of Mandatory Documentation Required by ISO 45001, https://info.advisera.com/45001academy/free-download/checklist-of-mandatory-documentation-required-by-iso-45001
Clauses 4 to 10 in ISO 9001:2015 are the auditable clauses. Annexes are not auditable; they are just informative.
You can find more information below:
Customers are all different but can be segmented into groups that are more or less homogeneous. Some segments may value, or even require, that their suppliers be ISO 9001 certified. Pick those segments, identify individual potential clients, and think about what benefits they want to get and what kind of function or role is most likely to be concerned with that. Search LinkedIn or trade databases for those functions or roles and industry sector. Your organization could start systematic work on presenting communications at seminars and conferences attended by those functions or roles, or publishing technical articles in magazines or specialized blogs.
You can find more information below:
1. Has there been a noticeable improvement with the implementation of ISO 13485:2016 with the risk-based thinking approach?
Since we are not a consulting company, unfortunately, we really do not have feedback from the field about this matter. But when we discuss with clients that have bought our toolkit, it is noted that the risk-based approach helped them in making individual decisions. For example, when defining critical suppliers and deciding with which to establish a quality agreement and with which not; then when determining when to audit a critical supplier - whether once a year, less often, or more often; then, which software needs to be validated, etc.
More information about the risk-based approach you can find in the following article:
2. What must companies do in advance to prepare for the stringent requirements of the EU MDR on the handling of complaints?
First of all, you need to learn about the MDR requirements. At this link, you can find the full text of the EU MDR (Medical Device Regulation): https://advisera.com/13485academy/mdr/
Then it will be best to check which additional documentation you need to have to be in compliance with the MDR and to compare it with your current status.
The complete EU MDR Checklist of Mandatory Documents can be found at the following link: https://info.advisera.com/13485academy/free-download/eu-mdr-checklist-of-mandatory-documents
Once you have identified which documents these are, they need to be prepared.
You can see what the templates for the Clinical Evaluation, Post-market surveillance system, and Technical file look like in our ISO 13485 & MDR Integrated Documentation Toolkit: https://advisera.com/13485academy/iso-13485-eu-mdr-documentation-toolkit/
According to ISO 13485:2016, requirement 1 Scope, this standard is applicable to entities involved in all stages of the life cycle of a medical device. Among others, suppliers or external parties that provide products or parts of the product are also listed. What is most important from the notified body's point of view is that traceability for the entire production process must be covered. Therefore, it is expected that both manufacturers and outsourced suppliers will have implemented ISO 13485:2016.
Since your company is already ISO 9001 certified, you can buy only the documents that are required by ISO 13485 from our ISO 13485:2015 documentation toolkit: https://advisera.com/13485academy/iso-13485-documentation-toolkit/
At the end of this web page, you can check and purchase individual documents as well.
Also, the following articles can be helpful:
1. We use a third party to provide infrastructure for our product (Installation sits on an AWS Server). On the Scope document, what would we put under “Location” for these servers that are provided by a third party?
Please note that under “Location” you need to include only your premises locations, not those of your providers. Regarding the infrastructure you mentioned, you only need to specify them and explain they are provided by a third party under "Networks and IT infrastructure", so this information can be used during the other phases of the implementation (e.g., risk assessment and risk treatment).
For further information, see:
2. What would we count as our assets regarding these servers that are provided by a third party? These servers are accessed by our staff to do our work using any laptop that is available to us, provided that the IP is cleared by our CTO to access the servers.
The proper approach will depend on the level of control you have over these servers:
For further information, see:
3. Do we need to reference anything from the Third Party provider? Where will it be referenced in the ISMS?
The relation with Third-Party providers should be referenced primarily in the List of legal, regulatory, and contractual requirements, identifying the contracts or agreements signed with them (so the organization is aware of what needs to be considered). They can also be referenced in the risk assessment and risk treatment process (where you can identify relevant risks related to them and define proper treatment).
4. Can you give examples of how regulations, like GDPR, translate into a policy or procedure – like a specific rule in the Information Security Policy document? I just want to see an example of the wording pattern in a policy where a regulation is referenced.
Please note that legal requirements (e.g., laws, regulations, or contracts) should not be directly translated into policies or procedures (this approach would quickly turn the documents into a mess).
The adopted approach in our toolkit is to list the relevant legal requirements in the List of Legal, Regulatory, Contractual and Other Requirements template, located on folder 02 Identification of Requirements, and from this list, identify which controls from Annex A must be applied (this identification is made in the Statement of Applicability, located on folder 06 Applicability of Controls).
With this approach, aligning the legal requirements with controls first, we ensure that legal requirements that use the same controls are covered by the same general text we have already developed, compliant with the standard, and you will only need to include specifics (e.g., references to technologies and activities) as needed (the parts of the text that require customization are identified in the templates).
For example, GDPR Article 32 requires companies to use (where appropriate) pseudonymization and encryption of personal data. In this case, controls from section A.10 Cryptography are applicable, and in the related document, Policy on the Use of Encryption, located in folder 08 Annex A Security Controls >> A.10 Cryptography, you only need to specify elements like "Name of the system", "Cryptographic tool", "Encryption algorithm", and "Key size".
5. Let’s say the scope of ISMS for now applies to the Services that we provide that are hosted in a third party provided server. What would be examples to exclude?
Since you are referring only to your provided services, an example of a scope exclusion would be the organization's administrative departments. Since exclusions of the ISMS scope will depend on the organization's objectives, without more detailed information, it is not possible to provide a more detailed answer.
You can access the ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/ - however, we do not recommend using it for companies smaller than 500 employees because it would make your implementation unnecessarily complex. The point is, during the implementation of the toolkit (especially during the risk assessment and treatment) you will analyze which controls you have in place, so this is why the Gap analysis is not needed.
This article will provide you with a further explanation of gap analysis:
Germany applies the GDPR which is an EU Regulation with direct application in the EU Member States legislation. Therefore, data transfers are ruled by Articles 44 - 50 GDPR.
Transfers of data are free among EU countries, while transfers outside the EU are subject to some requirements like:
Here you can find some information:
- 3 steps for data transfers according to GDPR: https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/
- Standard Contractual Clauses for the Transfer to Processors and Standard Contractual Clauses for the Transfer to Controllers: https://info.advisera.com/eugdpracademy/free-download/standard-contractual-clauses-annexes
- EU GDPR Article 44 – General principle for transfers: https://advisera.com/eugdpracademy/gdpr/general-principle-for-transfers/
- EU GDPR Article 45 – Transfers on the basis of an adequacy decision: https://advisera.com/gdpr/transfers-on-the-basis-of-an-adequacy-decision/
- EU GDPR Article 46 – Transfers subject to appropriate safeguards: https://advisera.com/gdpr/transfers-subject-to-appropriate-safeguards/
- EU GDPR Article 47 – Binding corporate rules: https://advisera.com/gdpr/binding-corporate-rules/
- Free webinar – How to make personal data transfers to other countries compliant with GDPR: https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/
You may also consider enrolling in this online EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//