You should get some kind of acknowledgement from your staff that they have read your company's internal security documentation. This can be done by having them sign a Statement of Acceptance, by tracking their activities through a document management system, or simply by having them confirm by email that they have read the documentation. This should be done by all people who need to read the security documents.
Due to the accreditation bodies' definitions, certification bodies must conclude the re-certification process before the expiration date. If it is not concluded by this date, the certification will expire and the organization will have to start the certification process all over again (i.e. it will lose its certificate number).
Considering that, certification bodies recommend that the re-certification audit be performed on a date that gives organizations time to handle the event that they don't pass the renewal audit (e.g., because of a major non-conformity). This date is normally at most two months before the expiration date.
No separate document is required.
Please note that control A.12.5.1 only requires a procedure for software installation to be implemented; it does not require you to be specific about which users can install software. If you require restrictions for users (e.g., only IT staff can install software, or end users only have install rights under specific conditions), you will need to complement the procedure with the recommendations of control A.12.6.2.
The ISMS scope can be limited only to the Head Office, provided you can define a clear separation between the Head Office and the other sites (e.g., by defining a logical separation between the Head Office and the sites).
These articles will provide you with further explanation about scope definition and network segregation:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
- Requirements to implement network segregation according to ISO 27001 control A.13.1.3 https://advisera.com/27001academy/blog/2015/11/02/requirements-to-implement-network-segregation-according-to-iso-27001-control-a-13-1-3/
No. Clause 8.3 is about the design and development of products or services, so it does not apply unless the company's business is helping other organizations develop their strategies, policies and regulations.
The following material will provide you with more information about design and development:
Yes, N95 face masks are considered class II devices regulated by the FDA. These masks are used and worn by health care personnel during procedures to protect both the patient and health care personnel from the transfer of microorganisms, body fluids, and particulate material.
An implemented ISO 13485 system and an approved N95 face mask are enough for the masks to be considered FDA-approved class II devices. Generally, class II devices must receive premarket clearance from the FDA under section 510(k) Clearances. However, N95s are exempt from the 510(k) clearance requirement according to the Memorandum of Understanding MOU 225-18-006.
For more details about this decision, please read the article at the following link: https://www.fda.gov/about-fda/domestic-mous/mou-225-18-006
The UK is now in the transition period until December 31, 2020. During this period, it needs to comply with all the EU regulations, including GDPR.
After December 31, 2020, the application of GDPR to UK organizations will depend on the circumstances described below.
In fact, GDPR applies to all EU organizations AND to all organizations (wherever they are located) that process personal data of people living in the EU. Therefore, if your organization does not process any personal data of individuals living in the EU (maybe you are a local shop), you may not be under GDPR and you will need to comply with the UK Data Protection Act.
Conversely, if your activity has a website that is visited by EU individuals, and you sell to, buy from or work with individuals living in the EU, you will need to comply with GDPR requirements.
You can find more information in our article:
- Is the GDPR applicable to our company? https://advisera.com/eugdpracademy/knowledgebase/who-needs-to-be-gdpr-compliant-an-easy-explanation/
You can also learn more about GDPR with our online free EU GDPR Foundation Course: https://advisera.com/training/eu-gdpr-foundations-course//
Your charity should implement a data protection policy to tell staff how to deal with data.
Consider that the (mental) health data that you probably handle is a special category of data under Article 9 of the GDPR (also known as sensitive data). These data need to be processed with the consent of the data subject and require additional precautions for their security, because the risk to the freedoms and rights of individuals is high.
In these tragic circumstances, due to the COVID-19 pandemic, each Data Protection Authority is giving some advice to organizations working from home, so firstly you should check the website of your Data Protection Authority.
Here you can find some useful links to Data Protection Authorities' websites: https://advisera.com/eugdpracademy/knowledgebase/useful-links/
In general, you should try to keep charity data separate from personal data belonging to your staff. In an emergency, your staff may be working from home with their own devices. Therefore, ask them to avoid leaving their devices accessible to their family members, to make a separate Windows account for work tasks, and to avoid saving data on their hard disks. They should also implement security measures such as antivirus, antispam and antimalware software and two-factor authentication methods.
WhatsApp provides end-to-end encryption, and if the mobile phone is used with fingerprint authentication, it can be a way to communicate with clients.
You should always make clients aware that they are communicating with staff who are using their own devices and WhatsApp, and offer different methods in case they don't feel confident about it (e.g., email or telephone).
You can find some useful information here:
You can also learn more about GDPR with our online free EU GDPR Foundation Course: https://advisera.com/training/eu-gdpr-foundations-course//
I am not sure I understood your question entirely. However, there is no direct operator observance audit requirement in the IATF 16949 standard.
What I understand you are referring to is the layered audit, which is a customer-specific requirement of Ford and GM. Operator behaviors are routinely monitored during layered audits.
The layered audit is also a subject of the manufacturing process audit, and the relevant IATF 16949 clause is 9.2.2.3, under the internal audit requirements.
The following article may be of help:
IATF 16949 Audit Types & How they Affect Process Improvement https://advisera.com/16949academy/blog/2017/11/01/iatf-16949-audit-types-how-they-affect-process-improvement/
Good environmental objectives stem from the environmental policy. A good environmental policy includes the three commitments from ISO 14001:2015 (Continual improvement, Prevention of pollution, Compliance with legal and other requirements) and sets priorities for environmental improvement.
After an initial environmental survey is made, what are the most significant environmental aspects? For a mining operation I can think of neighborhood nuisance, water pollution events, tailings disposal, vegetation removal, landscape destruction, biodiversity effects and airborne emissions. Some of those environmental aspects, or at least their potential magnitude, will depend on the kind of operation (open-pit mining, underground mining, or other).
What are the environmental improvement priorities for a mining operation? Determine the environmental impacts of those environmental aspects. Consider normal and abnormal operation. Consider emergency situations. Consider startup or closing down of operations. Consider regulation or legislation performance requirements. Evaluate those environmental impacts and decide which ones are more relevant and need to be improved, considering the three commitments from the environmental policy.
Some examples of what environmental objectives for a mining operation could be:
The following material will provide you with information about environmental policy and objectives: