Please check ISO 14001:2015 clause 0.5 where you can read “This Standard does not contain requirements specific to other management systems, such as those relating to quality, health and safety at work, energy or financial management”.
Your question made me remember my ISO 14001:1996 Lead Auditor training. The trainer said something like: “People may be dying inside the organization; as long as there is no impact on the environment, it is outside the scope of ISO 14001. If you open a very small door, sooner or later you will be having a safety audit in the middle of what is supposed to be only an environmental management system audit.” Perhaps this article could be useful - ISO 45001 vs. ISO 14001: Differences and similarities - https://advisera.com/45001academy/blog/2019/02/20/iso-45001-vs-iso-14001-differences-and-similarities/
You can merge those registers in order to save time and documentation and afterwards, quantitatively analyze those risks to find out which are significant and address them.
Regarding the risks, you need to consider not only the environmental aspects in your EMS but also your environmental legal requirements, feedback from your interested parties such as customers or employees, and benchmarking of your processes against other similar organizations.
I recommend you to create a Process Aspect Chart where you can register and evaluate environmental aspects and risks associated with each process following your selected criteria (e.g. probability, reach of impact). For the opportunities you can use another register. Here you can find an example - Process Aspect Chart: https://advisera.com/14001academy/documentation/process-aspects-chart/
These materials can help you to learn more about risks and environmental aspects:
- Article - ISO 14001 risks and opportunities vs environmental aspects: https://advisera.com/14001academy/blog/2016/06/06/iso-14001-risks-and-opportunities-vs-environmental-aspects/
- Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
- Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
1. Is this something that is needed for ISO?
For ISO management systems, like ISO 27001, the management of external documents is mandatory.
2. How do I know which external documents are necessary for ISMS compliance?
External documents are any documents not owned or controlled by an organization that are required for its operation, either mandatory or voluntarily adopted. Examples of external documents to be controlled are laws (e.g., SOX and EU GDPR), standards and regulations (e.g., ISO 27001 itself), and documents and records from customers, suppliers, and partners (e.g., contracts, service agreements, product/service specifications, operation manuals, etc.).
This material will also help you regarding control of documents:
3. Also is there an incoming mail register document as part of the templates?
An incoming mail register is not a mandatory document; you can simply have a table where you register who received some important external document, or where such a document is stored.
This material will also help you regarding document management:
Please note that you can find helpful information about these and other potential doubts in the comments included in the template.
Yes, you do not need to document each and every control - in such cases, you will use awareness sessions and trainings to explain to your employees how particular security activities need to be done.
In the SoA you cannot simply refer to the Training Plan - you need to explain in a sentence or two how the control is implemented - e.g. "The data recorded on media must be encrypted."
Please note that some controls, when identified as applicable, require documentation (e.g., control A.9.1.1 - Access Control Policy).
Not all controls affect the consequence and likelihood at the same time. The controls you mentioned work only to prevent unauthorized physical access. Once access is gained, they cannot provide any means to avoid damage to assets. Examples of controls you can consider to reduce the impact on information assets are backup and redundancy.
This article will provide you a further explanation about controls selection:
These materials will also help you regarding controls selection:
ISO 27001 requires an internal audit to be performed considering all mandatory requirements from sections 4 to 10 and all controls identified as applicable in the Statement of Applicability. Considering that, you have to audit section 5.1, regardless of whether the external auditors will audit this clause.
This article will provide you a further explanation about surveillance audit:
These materials will also help you regarding internal audit:
Transfer of data outside the EU on behalf of the controller is made through a data transfer agreement and not through a general Power of Attorney. This is because the data controller must set instructions for the data transfer that the data processor must comply with. In fact, the data controller will be liable for any infringement of GDPR rules and even for choosing the wrong data processor. Consider that the EU Commission adopted Standard Contractual Clauses to implement contracts concerning data transfers.
If you are referring to the Power of Attorney in connection with a legal claim (i.e. transferring data outside the EU for a legal claim), consider that establishing, exercising or defending legal claims is an exemption to GDPR rules. The Power of Attorney, in this case, can allow the data controller or data processor to transfer data outside the EU (of course, only data which are necessary for the legal claim).
Here you can find more information about this topic:
- EU GDPR controller vs. processor – What are the differences? https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
- 3 steps for data transfers according to GDPR: https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/
- Standard Contractual Clauses - Free download: https://info.advisera.com/eugdpracademy/free-download/standard-contractual-clauses-annexes
- Free webinar – How to make personal data transfers to other countries compliant with GDPR: https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/
ISO 9001:2015 is the base of IATF 16949:2016. An IATF auditor, first of all, has to reach the ISO 9001 qualification. It is recommended as a first step towards achieving the IATF 16949 lead auditor qualification.
IATF 16949:2016 is a quality management system applied only to the automotive industry. Only the suppliers in the automotive supply chain are eligible to be IATF certified. With the knowledge of ISO 9001, it will be much easier to cover the IATF 16949 additional requirements.
Advisera has the following courses available:
ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/
ISO 9001 Lead auditor course: https://advisera.com/training/iso-9001-lead-auditor-course/
Anyone can implement and manage an ISO 9001 quality management system. The only requirements are based on the needs of the task: having some knowledge about the standard, being able to promote teamwork, and being able to have some influence over managers. ISO 9001:2015 no longer mentions the management representative role, because it wants to give much more importance to top management's commitment to the quality management system. So, be sure that top management works together with that supervisor, particularly when he/she needs to have authority over managers.
The following material will provide you more information about the management representative:
- What is the job of the quality management representative? - https://advisera.com/9001academy/knowledgebase/what-is-the-job-of-the-quality-management-representative/
- What will be the destiny of the management representative in the new ISO 9001:2015? - https://advisera.com/9001academy/knowledgebase/what-will-be-the-destiny-of-the-management-representative-in-the-new-iso-90012015/
- Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- ISO 9001:2015 Documentation Toolkit - https://advisera.com/9001academy/iso-9001-documentation-toolkit/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
Procedures are not mandatory documents in ISO 9001:2015 anymore. But even though you don't need to write any procedure, they can be very useful for the organization, since procedures can help you to conduct processes in a systematic way and therefore you will be able to compare results correctly.
Regarding the procedure for design and development, you can adapt it to your own situation; as you mention, it can have dependencies with other processes or be based on one main process.
Here you can find the mandatory documents and records that you need to create in order to comply with ISO 9001:2015 requirements - List of mandatory documents required by ISO 9001:2015: https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
The following material will provide you more information about procedures and mandatory documents:
- Some tips to make Document Control more useful for your QMS: https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
- How to structure quality management system documentation: https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
- Free online training ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
- Book - Managing ISO Documentation: A Plain English Guide: https://advisera.com/books/managing-iso-documentation-plain-english-guide/