A backout procedure is your plan in case the change is not implemented successfully. It will help you return to the initial state (before the change was implemented) or take some other remediation actions (e.g. in case you can't go back to the initial state, revisiting the change and the actions performed to find the error, etc.).
Here are some more details:
Service Transition in ITIL https://advisera.com/20000academy/blog/2013/06/11/service-transition-itil/
What is the remediation procedure and back-out in the ITIL/ISO 20000 Change Management process? https://advisera.com/20000academy/blog/2017/06/13/what-is-the-remediation-procedure-and-back-out-in-the-itiliso-20000-change-management-process/
The RAG rating system is a standard system typically used for rating tasks in project management as Red/Amber/Green (much like a traffic light) as to whether they are on track, in trouble or no problems.
Keeping in mind that this is not a requirement of OHSAS 18001 or ISO 45001, you could use this as part of an assessment report by rating whether a task was on time, whether a requirement was not met or partially met, or the status of a risk. How you use it would be up to you, as it is your choice how you want to assess something and not a requirement of the standard.
If you are looking for a simple gap analysis tool you can check out our Free ISO 45001 Gap Analysis Tool, https://advisera.com/45001academy/iso-45001-gap-analysis-tool/
If I understood well, you're asking why ISO 27001 was not mentioned in the LGPD (Brazilian personal data protection law).
Typically, laws and regulations do not require particular standards to be implemented because they do not want to prescribe what the implementation needs to look like.
GDPR (European personal data protection regulation) is very similar to LGPD, and it also does not refer to ISO 27001 - we have analyzed GDPR and found ISO 27001 to be very useful for its implementation, you can find the white paper here: What is EU GDPR and how can ISO 27001 help? https://info.advisera.com/27001academy/free-download/what-is-eu-gdpr-and-how-can-iso-27001-help
As per ISO 45001 there is no defined mechanism in the standard for identifying and assessing the OH&S opportunities and other opportunities. It is up to the company to determine the process and assessment criteria it will use.
You can find out more in the article: What are the new requirements for risks and opportunities according to ISO 45001?, https://advisera.com/45001academy/blog/2018/04/25/what-are-the-new-requirements-for-risks-and-opportunities-according-to-iso-45001/
Yes, all clauses of the standard are to be included in the internal audit program. If your organization uses those processes to manage those topics, they should be audited.
For example, about the Corrective Action Process I would like to verify if you develop corrective actions, if your corrective actions act upon true root causes, if your corrective actions are implemented and effective, and if your corrective actions take too much time to take place.
The following material will provide you information about audits:
- ISO 9001 – What is the ISO 9001 audit program, and how does it work? - https://advisera.com/9001academy/blog/2017/01/24/what-is-the-iso-9001-audit-program-and-how-does-it-work/
- free online training ISO 9001:2015 Internal Auditor Course – https://advisera.com/training/iso-9001-internal-auditor-course/
- book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
I'm sorry about this confusion - yes, you should go with the "Integrated" version, this one is optimized if you go only for ISO 27001 implementation.
"Premium" is optimized if you go for both ISO 27001 and ISO 22301 standards, while "Cloud" is if you go for ISO 27001, ISO 27017 and ISO 27018 standards.
In the ISO terminology, other requirements could be regulatory or contractual requirements.
This article will help you: How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
As per the AS9100 requirements, the quality policy does not need to make reference to the AS9100 standard, so if you choose to include this you can choose not to include the revision level. As for business cards, this is also not detailed in the requirements of the standard.
You can find out more on the policy in the article: How to write the AS9100D Quality Policy, https://advisera.com/9100academy/blog/2018/07/09/how-to-write-the-as9100d-quality-policy/
How can an authority in the EU fine a company in India or another country outside the EU?
Based on Art. 27 of the EU GDPR, the controller or processor must appoint a representative. That representative must be based in a Member State in which the relevant individuals are based. There is a limited exemption from the obligation to appoint a representative where the processing is occasional, is unlikely to be a risk to individuals and does not involve large-scale processing of sensitive personal data. Although there is no best practice on this, most likely the fine will be issued to the representatives.
Do you have some materials to help me understand how to start a GDPR program?
I would suggest starting by going through our article “9 steps for implementing GDPR” (https://advisera.com/articles/9-steps-for-implementing-gdpr/) as well as this webinar “An overview of steps needed to comply with GDPR” (https://advisera.com/eugdpracademy/webinar/an-overview-of-steps-needed-to-comply-with-gdpr-free-webinar-on-demand/).
Do you have some materials that I could present to the management of the company to make them aware of the GDPR?
Please check this Power Point presentation that you can download freely from our website “Why is privacy important for our company? - Awareness presentation” (https://info.advisera.com/eugdpracademy/free-download/why-is-privacy-important-for-our-company-awareness-presentation).
If we have access to data of EU users do we need to do anything special? We usually get data from EU companies and we do data cleaning removing duplicates.
Based on the description provided you are acting as a processor and you act on the instructions of your clients. Usually, your clients would need to have you sign a Data Processing Agreement where you would commit yourself to process personal data based on the instructions of the data controller.
We also receive some personal data from our clients' employees when they enter tickets. Is there something specific to consider?
When collecting personal data you need to present to the data subjects a Privacy Notice explaining to them why you need their data and what you are using it for. If you want to find out more about Privacy Notices, check out this free webinar “Privacy Notices under the EU GDPR” (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/).
How much time do we need to keep the personal data?
Unless there is a specific legal obligation that sets a specific retention period, you can define a retention period yourself, bearing in mind that the data should not be kept for longer than is necessary.
Are some specific security measures to be deployed?
The EU GDPR only specifies, in Art. 32, some examples of security measures that can be employed. However, these are mere examples, and it is up to the controller/processor to define adequate security measures. A good example and best practice is the set of security measures in the ISO 27001 standard.
Can you recommend a site to get GDPR updates?
I would suggest going first to the European Data Protection Board website (https://edpb.europa.eu/edpb_en) as well as the websites of the Supervisory Authorities in the EU such as the ICO (https://ico.org.uk/). You will also find useful information on our website as well at https://advisera.com/eugdpracademy/what-is-eugdpr/
Also, we received a request from a client to present our Records of Processing Activities. What are these?
If you act as a controller, you must keep a record of the following information:
· your name and contact details and, where applicable, any joint controllers, representatives and data protection officers;
· the purposes of the processing;
· a description of the categories of data subjects and of the categories of personal data;
· the categories of recipients, including recipients in third countries or international organizations;
· details of transfers of personal data to third countries (where applicable);
· retention periods for different categories of personal data (where possible); and
· a general description of the security measures employed (where possible).
If you act as a data processor, you must keep the following records:
· your name and contact details and, where applicable, representatives and data protection officers;
· the name and contact details of each controller you act for including, where applicable, representatives and data protection officers;
· the categories of processing carried out on behalf of each controller;
· details of transfers of personal data to third countries (where applicable);
· a general description of the security measures employed (where possible).
Do we need to have them?
This document is mandatory if:
· (a) the company has more than 250 employees; or
· (b) the processing the company carries out is likely to result in a risk to the rights and freedoms of data subjects; or
· (c) the processing is not occasional; or
· (d) the processing includes special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation); or
· (e) the processing includes personal data relating to criminal convictions and offences.
I understand from your reference to an audit nonconformance that your laboratory may not have adequately addressed competence, impartiality and consistent operations in the Quality Policy and Objectives, and you are asking how to correct this?
ISO 17025:2017 clause 8.2.2 requires that the policies and objectives of a laboratory are established to support the scope and purpose of the ISO 17025 standard and the quality management system of a laboratory. The role of the Quality Policy is to bind the management system together in a singular vision of what quality means to the laboratory. It essentially sets the stage for establishing objectives and the design of all laboratory processes to ensure competence, consistent operation and safeguard impartiality.
When looking at the gaps in the Quality Policy and Objectives, start by reviewing the laboratory’s context, i.e. the circumstances – sector, accreditation, legal entity; scope of work; and identify all interested/involved parties. For example, a parent company or board of directors may have a strategic direction and an ethics policy which the laboratory needs to be in line with. The accreditation body that audited your lab is also an “interested party”; as are regulators in your sector. These parties may have specific requirements to be met. Once you have relooked at these core issues, revise the quality policy and quality objectives to address the gaps. For example, include a statement that “Management is committed to performing activities to ensure impartiality through continual identification of risks to its impartiality and taking appropriate action to mitigate them”.
Commitment to competence and consistent operation is a thread that must run through all laboratory processes. State and provide evidence of commitment and investment in quality control, personnel training and evaluation; equipment maintenance and calibration. State how the laboratory plans to support these policies and achieve objectives. Ensure effective planning, doing and checking (monitoring). Lastly, record and act on observed improvement or deviations to drive consistent operation.
The ISO 17025 Toolkit provides useful guidance and templates to assist with effective implementation. Have a look at:
The following articles could also be helpful: