
  • ISO 45001 vs OHSAS 18001

    Probably the biggest change from OHSAS 18001 to ISO 45001 is the introduction of the context of the organization. This requirement means that you need to understand the internal and external issues that affect your OHSMS, as well as who your interested parties are and what their needs are. This information is used later in the standard to identify risks that are not directly related to hazards, as well as plans for emergency response.

    We have a pre-recorded webinar that discusses the change which may help: ISO 45001:2018 vs. OHSAS 18001:2007 – The main changes, https://advisera.com/45001academy/webinar/iso-45001-2017-vs-ohsas-18001-2007-the-main-changes-on-demand/

  • Certify company in safe data destruction and recycling

    We need to certify our company in the secure erasure of data, either by software methods or by the destruction of disks and that we can demonstrate or certify that the data is irrecoverable for the machines unsubscribed by the client.

    It is possible to certify a secure data erasure process against ISO 27001, certifying that the process follows the standard's requirements and that the data are irrecoverable from the media where they were stored.

    But please note that ISO 27001 does not provide technical guidance on how to perform data disposal. For technical guidance, you need to consider additional references, like NIST special publications.

    These articles will provide you a further explanation about ISO 27001, how it can be used for media disposal, and NIST practices:

    These materials will also help you regarding ISO 27001:

  • ISO 9001 consultant challenges

    Some of the challenges of being a consultant are:

    • Finding new customers;
    • Winning a bad project;
    • Customers expecting that consultants do customers’ work;
    • Meeting project delivery dates;
    • Meeting budget target;
    • Always being in a research and learning mode

    You can find more information below:

  • ISO 9001 and property belonging to customers/external providers

    Clause 8.5.3 about property belonging to customers or external providers (suppliers) may not be applicable to every organization.

    Simpler case – a customer bought a product and that product is returned for planned maintenance, or for correcting some defect, or for upgrading some part (last week I updated my computer battery, for example).

    Business to consumer – your company sold a washing machine to a consumer and one of your company’s teams is going to install it at the consumer’s kitchen. You expect that the team does not damage the consumer’s kitchen.

    Business to business case – consider a brand that outsources the manufacturing of its garments to a manufacturer. The manufacturer buys and applies all materials, but the brand supplies the high-profile brand labels. Those labels must be protected from theft or any kind of loss. For all purposes, those labels are like money.

    Intellectual property – a customer sends you, the manufacturer, the blueprints of its latest high-tech gadget. Customers expect that the blueprints are protected from theft or from leaking to the media.

    Molds – a customer has a mold and asks your organization to manufacture injection-molded parts with it. The customer expects that you don’t start injecting parts with that mold for your own use.

    External providers – it is becoming more common that organizations don’t own equipment; they rent it from an external provider. For example, in a construction company, the scaffolding structure used may belong to an external provider.

    You can find more information below:

  • Inventory of Assets template

    For the value on the "Impact" column in the Inventory of Assets template, you must copy the value identified in the "Consequence" column in the Risk Assessment Table template.

  • ISO 27001 implementation

    Yes, the templates take into account the integration with ISO 27001 with other ISO management systems.

    Since 2012 all ISO management systems have common requirements aligned (e.g., control of documents and records, internal audit, management review, etc.), so you can use part of the documents you already have for ISO 9001 and make only small adjustments for them to be also compliant with ISO 27001.

    These articles will provide you a further explanation about integrating management systems:

    These materials will also help you regarding ISO 27001 implementation:

  • Information Security Policy vs IT Security Policy

    Please note that these are different documents:

    • the Information Security Policy is located on folder 02 (General policies), as you mentioned
    • the IT Security Policy is located on folder 08 Annex A Security Controls, subfolder A.8 Asset Management

    The purpose of the Information Security Policy is to define high-level information about how information security is managed, while the purpose of the IT Security Policy is to provide details on how to use the information system and other information assets.

    In the List of Documents file included in your toolkit, you can identify where each document is located and which clauses and controls are covered by each of them.

    This article will provide you a further explanation about the information security policy:

  • IS Cross Border Personal Data Transfer Procedure actual according to GDPR?

    If I correctly understand your question, you are asking if in your documentation you can mention the Directive 95/46/EC.

    As you correctly said, Directive 95/46/EC has been replaced by GDPR and it is not in force anymore. Therefore, it is not correct to mention Directive 95/46/EC in your documentation, you should refer to GDPR.

    GDPR does not mention “Data Importer” and “Data Exporter”, only the data controller and data processor.

    If you want to keep the definition of “Data Importer” and “Data Exporter” in your documentation, you should define it inside the GDPR framework (i.e. “Data Importer is a data processor under Article 28 GDPR which is located in a third country where the data are transferred with adequate safeguards according to Articles 44-50 GDPR”) and then you can keep using those definitions.

  • Procedures listed in equipment's manual

    1. 6.4.3 The laboratory shall have a procedure for handling, transport, storage, use and planned maintenance of equipment. Could these procedures be the ones listed in the equipment's manual? Or must a procedure be created according to the manual and the laboratory's policy?

    The mandatory requirement for ISO 17025:2017 is that your laboratory has a procedure and the necessary records. I assume you are referring to your own equipment manual, which covers all your equipment. Yes, you could use your own equipment manual as your documented procedure and refer to the relevant sections of suppliers' manuals, as long as the references and information are up to date and controlled.

    Regarding your reference to “the laboratory's policy”, there is no need for a policy on management of your equipment. Your ISO 17025 management system must include an overall quality policy and specific objectives. How you meet the requirements for equipment management must be risk and opportunity based, to support your quality policy and to achieve your objectives.

    2. If the laboratory has a code of ethics and conduct, to which every employee has signed his agreement to respect, does that prove the company's impartiality and confidentiality?

    If the established code of ethics and conduct addresses the requirements to safeguard impartiality and confidentiality, this is evidence of management’s commitment to these topics. The purpose of a signed acknowledgment by an employee is to show, firstly, that it has been communicated to them (again a requirement of management), that they have received it and that they acknowledge the content of the code. Even if they declare by signing that they will abide by the code, this is not evidence of actual compliance with the policies. There is no objective evidence through acknowledging the code that impartiality and confidentiality are in fact upheld.

    Ensuring impartiality and confidentiality is an ongoing activity. It is achieved through a process approach by knowing your process inputs and outputs and the factors that could affect your objective of safeguarding impartiality and confidentiality for every laboratory activity. Risk assessments should be performed upfront to identify and address any initial risks to impartiality and confidentiality. Then use surveillance activities such as audits, employee meetings/feedback and customer feedback on an ongoing basis to monitor compliance. Take appropriate action to mitigate any new or changed risks.

    For more information, have a look at the ISO 17025 Expert Advice Community answers:

    • Assuring impartiality and confidentiality - https://community.advisera.com/topic/assuring-impartiality-and-confidentiality/
    • Compliance with the ISO/IEC 17025:2017 requirement for Impartiality - https://community.advisera.com/topic/compliance-with-the-isoiec-170252017-requirement-for-impartiality/
    • Procedure for impartiality - https://community.advisera.com/topic/procedure-for-impartiality/

    Have a look to see how the following toolkit documents can assist you: Quality Policy, Quality Manual and the procedure Addressing Risks and Opportunities. Previews are available at https://advisera.com/17025academy/iso-17025-documentation-toolkit/
