Search results


  • Head Office

    The ISMS scope can be limited only to the Head Office, provided you can define a clear separation between the Head Office and the other sites (e.g., by defining a logical separation between the Head Office and the sites). 

    These articles will provide you further explanation about the scope definition and network segregation:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
    - Requirements to implement network segregation according to ISO 27001 control A.13.1.3 https://advisera.com/27001academy/blog/2015/11/02/requirements-to-implement-network-segregation-according-to-iso-27001-control-a-13-1-3/

  • Clause 8.3 of ISO 9001:2015

    No. Clause 8.3 is about the design and development of products or services, unless the company’s business is helping other organizations develop their strategies, policies and regulations.

    The following material will provide you more information about design and development:

  • ISO 13485 N95 Face Mask

    Yes, N95 face masks are considered class II devices regulated by the FDA. These masks are used and worn by health care personnel during procedures to protect both the patient and health care personnel from the transfer of microorganisms, body fluids, and particulate material.

    Having implemented ISO 13485 and an approved N95 face mask is enough to be considered an FDA-approved class II device. Generally, class II devices must receive premarket clearance from the FDA under section 510(k) Clearances. However, N95s are exempt from this 510(k) clearance requirement according to the Memorandum of Understanding MOU 225-18-006.

    For more details about this decision, please read an article on the following link: https://www.fda.gov/about-fda/domestic-mous/mou-225-18-006

  • GDPR applicability in the UK

    The UK is now in the transition period until December 31, 2020. Until then, it needs to comply with all the EU regulations, including GDPR.

    After December 31, 2020, whether GDPR applies to UK organizations will depend on the circumstances.

    In fact, GDPR applies to all EU organizations AND to all organizations (wherever they are located) which process personal data of people living in the EU. Therefore, if your organization does not process any personal data of individuals living in the EU (maybe you are a local shop) you may not be under GDPR and you will need to comply with the UK data protection act. 

    On the contrary, if your activity has a website and it is visited by EU individuals and you sell or buy or work with individuals living in the EU, you will need to comply with GDPR requirements.

    You can find more information in our article:

    - Is the GDPR applicable to our company? https://advisera.com/eugdpracademy/knowledgebase/who-needs-to-be-gdpr-compliant-an-easy-explanation/

    You can also learn more about GDPR with our online free EU GDPR Foundation Course: https://advisera.com/training/eu-gdpr-foundations-course//

  • Data protection and using WhatsApp

    Your charity should implement a data protection policy to tell staff how to deal with data.

    Consider that (mental) health data that you probably handle is a particular category of data that falls under article 9 GDPR (also known as sensitive data). These data need to be processed with the consent of the data subject and require additional precautions for their security because the risk to the freedoms and rights of individuals is high.

    In these tragic circumstances, due to the COVID-19 pandemic, each Data Protection Authority is giving some advice to organizations working from home, so firstly you should check the website of your Data Protection Authority.

    Here you can find some useful links to Data Protection Authorities’ websites: https://advisera.com/eugdpracademy/knowledgebase/useful-links/

    In general, you should try to keep charity data separate from personal data belonging to your staff. In case of emergency, maybe your staff is working from home with their own devices. Therefore, ask them to avoid leaving their devices accessible to their family members, to make a separate account on Windows for work tasks and to avoid saving data on their hard disks. They should also implement security measures, like antivirus, antispam and antimalware, and two-factor authentication methods.

    WhatsApp offers end-to-end encryption, and if the mobile phone is used with fingerprint authentication it can be a way to communicate with clients.

    You should always make clients aware that they are communicating with staff using their own devices and through WhatsApp, and offer different methods in case they don’t feel confident about it (e.g., email or telephone).

    You can find some useful information here:

  • How cybersecurity solutions can help with GDPR compliance: https://advisera.com/eugdpracademy/blog/2017/11/27/how-cybersecurity-solutions-can-help-with-gdpr-compliance/
  • Free webinar – How to handle consents under GDPR: https://advisera.com/eugdpracademy/webinar/how-to-handle-consents-under-gdpr-free-webinar-on-demand/
  • Free webinar – Privacy Notices under the EU GDPR: https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/
  • You can also learn more about GDPR with our online free EU GDPR Foundation Course: https://advisera.com/training/eu-gdpr-foundations-course//

  • Operator observance audit

    I am not sure I understood your question entirely. However, there is no direct operator observance audit issue in the IATF 16949 standard.

    But what I understand is the issue of layer audits, which is a customer-specific requirement of FORD and GM. Operator behaviors are routinely monitored during layer audits.

    Layer audits are also the subject of a manufacturing process audit, and the relevant IATF 16949 clause is 9.2.2.3 under the internal audit requirement.

    The following article may be of help:

    IATF 16949 Audit Types & How they Affect Process Improvement https://advisera.com/16949academy/blog/2017/11/01/iatf-16949-audit-types-how-they-affect-process-improvement/

  • ISO 14001 objectives for mining business

    Good environmental objectives stem from the environmental policy. A good environmental policy includes the three commitments from ISO 14001:2015 (Continual improvement, Prevention of pollution, Compliance with legal and other requirements) and sets priorities for environmental improvement.

    After an initial environmental survey is made, what are the most significant environmental aspects? For a mining operation I can think about neighborhood nuisance, water pollution events, tailings disposal, vegetation removal, landscape destruction, biodiversity effects, and airborne emissions. Some of those environmental aspects, or at least their potential magnitude, will depend on the kind of operation (open-pit mining, underground mining, or other).

    What are the environmental improvement priorities for a mining operation? Determine the environmental impacts of those environmental aspects. Consider normal and abnormal operation. Consider emergency situations. Consider startup or closing down of operations. Consider regulation or legislation performance requirements. Evaluate those environmental impacts and decide which ones are more relevant and need to be improved, considering the three commitments from the environmental policy.

    Some examples of what environmental objectives for a mining operation could be:

    • Reduce water consumption and effluent discharge by x% in the next 18 months
    • Reduce neighboring communities’ complaints by y% in the next 12 months
    • Comply with fugitive emissions legislation within the next 9 months

    The following material will provide you with information about environmental policy and objectives:

  • Templates for controls from Annex A

    In general, these topics are already covered by the daily activities of an organization’s HR area (they are part of its core activities), so we do not provide related templates, so as not to add unnecessary administrative effort to the ISMS (you can adopt the documents you already have and only adjust them to the requirements of the related ISO 27001 controls).

    In case you do not have such documents, you can contact us through email or online meeting, so we can help you develop such documents.

  • Risk assessment

    1. Regarding risks that come from outside of the scope, should we consider these risks in the Risk Assessment and apply controls to mitigate them, or do we need to include their source in the scope? For example, there are some laptops that can access (download or view) some sensitive data from what is in the scope, so do we need to include these laptops in the scope or just apply some controls to mitigate the risks that come from them?

    Answer: If risks, internal or external, have the potential to impact the elements of the ISMS scope, then you have to include them in the risk assessment, and apply controls to mitigate those identified as unacceptable.

    About including the risk source information, ISO 27001 does not prescribe this information as mandatory, so this will depend on the risk assessment methodology you are using, because some of them require this information and others do not.

    For further information see: ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    2. What is the difference between the existing controls and planned controls? Do we need to have both in the risk register?

    Answer: Existing controls are controls already implemented by the time you perform the risk assessment, while planned controls are controls you intend to implement after the approval of risk treatment.

    Existing controls must be included in the risk register if they have any impact on the assessed risk value, and planned controls must be included in the risk register only for risks considered unacceptable that are to be treated (i.e., for risks identified as acceptable there is no need for planned controls).

    3. Should we write already mitigated risks in the risk assessment phase? For example, a security feature in a system is enabled so there is no risk right now, but if someone disables this feature, then it may lead to a potential risk, so do we need to write down these risks in the risk assessment phase?

    Answer: This is an example of a risk with an existing control applied, and if this risk is relevant to your ISMS scope, then it must be included in the risk assessment, so you have formal knowledge that it exists and is already being treated.

    4. How can we design criteria for the impact if our scope is in the cloud?

    Answer: ISO 27001 does not prescribe the use of specific criteria for impact on elements of the scope in the cloud, so you can use the same criteria for impact used in your standard risk assessment.

    What happens when part of the scope is in the cloud is a modification of the responsibilities for the assets, and of the impact and likelihood levels for those elements, not of their type.

    For further information, see:
    - Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/

    These materials can also provide further information:
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - ISO 27001:2013 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  • Procedure for documents and records

    The activity of establishing and maintaining ISO 17025:2017 documents and records is a critical activity in most laboratories, as it usually involves many personnel meeting many ISO 17025 requirements. A procedure is therefore required, being defined as a “specified way to carry out an activity or a process”. (ISO 9000:2015)

    Although it is noted that procedures can be either documented or not, consider that documents and records are core to meeting every ISO 17025 requirement. If a documented procedure did not exist to establish, identify, approve, review, change and control distribution of documents and records, a laboratory would risk the quality and control of many processes within the ISO 17025 management system. As ISO 17025 requires a laboratory to consider and address risks of all activities, a documented procedure to manage documents and records is considered mandatory.
