Search results

Analyzing implemented standards

ISO 9001:2015 and ISO 14001:2015 are two standards among many other ISO standards. To confirm, please check the certificates, there you can confirm the standards identity.

The following material will provide you more information about those standards:

- What is ISO 9001? - https://advisera.com/9001academy/what-is-iso-9001/
- What is ISO 14001? - What is ISO 9001? - https://advisera.com/14001academy/what-is-iso-14001/
- Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
- 6 Key Benefits of ISO 14001 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/6-key-benefits-of-iso-14001/
- Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

RTO and MAO

 Considering ISO 22300 vocabulary (which can be found here: https://www.iso.org/obp/ui/#iso:std:iso:22300:ed-2:v1:en)

• MAO: maximum acceptable outage, the time it would take for adverse impact to become unacceptable
• RTO: recovery time objective, the period of time following a disruptive event within which operation is resumed, or resources are recovered.

Considering these definitions, the RTO value only makes sense if it is smaller than MAO, so RTO cannot be greater than MAO.

In fact, there is a note for RTO in the standard defining this relation: the recovery time objective is less than the time it would take for the adverse impacts to become unacceptable.

For further information about RTO, see:

• What is the difference between the Recovery Time Objective (RTO) and Recovery Point Objective (RPO)? https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/

2016 version vs 2018 version

There does not seem to be a difference in the requirements these two standards, as both are equivalent to AS 9100 Rev D. There may be some changes in the appendix information because the transition period for AS9100 Rev D is over, but this does not change any requirements for the QMS.
You can learn more about the AS9100 standard, see the whitepaper: Clause-by-clause explanation of AS9100 Rev D, https://info.advisera.com/9100academy/free-download/clause-by-clause-explanation-of-as9100-rev-d
For help implementing the standard, our book may be useful: Applying AS9100 Rev D, https://advisera.com/books/applying-as9100-rev-d/

Risk Assessment software

Small and medium-size companies in most cases do not have a big number of risks to justify the use of software for risk assessment, and the features of a spreadsheet are sufficient to perform the process.

For risk assessment and treatement you can use the following templates in your toolkit:

• Risk Assessment and Risk Treatment Methodology
• Appendix 1 – Risk Assessment Table
• Appendix 2 – Risk Treatment Table
• Appendix 3 – Risk Assessment and Treatment Report

These documents are located on folder 10 - Risk Assessment and Risk Treatment.

Parental information

First of all, consider that the data process of minors is lawful under GDPR when the child is at least 16 years old. Under the age of 16 years old, you will require their parent consent (in such case, you can have access to their parents’ email).According GDPR, you can require parents' email but you cannot use it for marketing activity without their consent.

In fact, you need to consider that for targeted marketing activity the GDPR requires the consent of the targeted person so that children and parents need to flag the box wishing to receive your advertising.

In such form, to be GDPR compliant, you should ask for consent from prospective students and/or parents, also adding a box to flag for marketing purposes. You should inform them about the data process in your privacy notice.

For more information, please see these materials:

•  How does GDPR impact marketing activities?: https://advisera.com/eugdpracademy/blog/2018/02/08/how-does-gdpr-impact-marketing-activities/
• Email marketing in the era of GDPR – How to ensure compliance?: https://advisera.com/eugdpracademy/blog/2019/05/27/gdpr-and-email-marketing-rules-for-compliant-campaigns/
• How does GDPR affect digital marketing? https://advisera.com/eugdpracademy/blog/2019/02/20/how-does-gdpr-affect-digital-marketing/
• ART 8 GDPR: https://advisera.com/eugdpracademy/gdpr/conditions-applicable-to-childs-consent-in-relation-to-information-society-services/
• Everything you need to know about the GDPR Privacy Notice: https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/
• EU GDPR document template: Parental Consent Form https://advisera.com/eugdpracademy/documentation/parental-consent-form/

IS Manager role

First is important to note that ISO 27001 does not require a company to nominate a person to manage information security (for small companies a specific role would be overkill), so this role can be performed by an existing role.

Examples of what this person could do (divided by ISO 27001 sections) are:Compliance:

• Develop the list of interested parties related to information security
• Develop the list of requirements from interested parties

Documentation:

• Propose the draft of main information security documents
• Be responsible for reviewing and updating the main documents

Risk management:

• Teach employees how to perform a risk assessment
• Coordinate the whole process of risk assessment

These articles will provide you further explanation about the IS manager role:

• What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
• Chief Information Security Officer (CISO) – where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/

These materials will also help you regarding IS manager role:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

IATF 16949 Tool tryout

Tool tryout is one of the process stages for manufacturing process approval. This stage is part of the 8.3  IATF requirement, namely 8.3.3.2 Manufacturing process design inputs and 8.3.5.2 Manufacturing process design output.

Typically consists of a sequence of sample production with the objective of making corrections in the tool and placing the part according to the drawing specification. If the customer determines a method to perform the tryout, for example, run@rate or batch production, it must be followed.

Adapting QMS from Parent Company to Subsidiary

There is not really a detailed procedure to migrate a parent company QMS to a subsidiary. In general, the steps you need to take would be:

1. Identify the existing processes that are relevant to your QMS and transfer them over.

2. Perform a gap analysis to see what else is missing from your QMS that is required by AS9100.

3. Put in place the missing elements of the QMS.

4. Ensure everyone is trained in the changes or additions to the QMS so that they know what they need to do.

To help make sure you are not missing anything after the transfer, see this helpful listing of the mandatory documents: AS9100 Rev D List of Mandatory Documents, https://info.advisera.com/9100academy/free-download/as9100-rev-d-list-of-mandatory-documents

You can also see our book on implementing AS9100: Applying AS9100 Rev D, https://advisera.com/books/applying-as9100-rev-d/

Safety

Please check ISO 14001:2015 clause 0.5 where you can read “This Standard does not contain requirements specific to other management systems, such as those relating to quality, health and safety at work, energy or financial management”.

Your question made me remember my ISO 14001:1996 Lead Auditor training. The trainer said something like: “people may be dying inside the organization, as long as there is no impact in the environment is outside the scope of ISO 14001. If you open a very small door, sooner or later you will be having a safety audit in the middle of what is supposed to be only an environmental management system audit. Perhaps this article could be useful - ISO 45001 vs. ISO 14001: Differences and similarities - https://advisera.com/45001academy/blog/2019/02/20/iso-45001-vs-iso-14001-differences-and-similarities/

ISO 14001 / Management Review

You can merge those registers in order to save time and documentation and afterwards, quantitatively analyze those risks to find out which are significant and address them.

Regarding the risks, you need not only to consider the environmental aspects in your EMS but also to your environmental legal requirements, feedback from your interested parties such as customers or employees and benchmarking your processes against other similar organizations. 

I recommend you to create a Process Aspect Chart where you can register and evaluate environmental aspects and risks associated to each process following your selected criteria (e.g. probability, reach of impact) - For the opportunities you can use another register. Here you can find an example - Process Aspect Chart: https://advisera.com/14001academy/documentation/process-aspects-chart/

These materials can help you to learn more about risks and environmental aspects:

- Article - ISO 14001 risks and opportunities vs environmental aspects: https://advisera.com/14001academy/blog/2016/06/06/iso-14001-risks-and-opportunities-vs-environmental-aspects/

- Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/

- Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/