
  • Identification of justifications for SoA


    When the justification for control applicability is related to risk assessment results, you can identify the Id of the related risks (e.g., results of last risk assessment ID 32, ID 17, and ID 23). As for contractual or legal obligation, you can identify the name of the obligation (e.g., name of the law or ID of the contract), and the clauses related to the control.

    Included in the toolkit you bought, you also have access to a video tutorial that can help you fill in the Statement of Applicability.

    This article will provide you with a further explanation about the Statement of Applicability:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

  • ISO 9001 and non-conformities

    No, the non-conformity can only be closed after checking a representative sample, after the closing date of your project and concluding that the non-conformity was removed.

    The following material will provide you with more information about closing nonconformities:

    - How to deal with nonconformities in an ISO 9001 certification audit - https://advisera.com/9001academy/blog/2015/06/09/how-to-deal-with-nonconformities-in-an-iso-9001-certification-audit/
    - Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book – (where I use the process approach this way) - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Service-Only Providers and ISO 13485

    Thanks for taking the time to respond in detail.  I appreciate it.

  • ISO 9001 clause 4.4 requirements

    ISO 9001:2015 promotes the use of the process approach. Please consider watching this free webinar on demand about the process approach - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/

    Slide 12 is about determining a set of interrelated processes that model how an organization works. (4.4.1 b))

    Slide 13 is about the characterization of each process (4.4.1 a), c), d), e), f), g) and h))

    Slide 14 is about risks and processes (4.4.1 f))

    Slide 15 is about (4.4.1 e))

    I consider the process approach one of the best tools to manage and improve an organization.

    The following material will provide you with more information about the process approach:

    - ISO 9001 – ISO 9001: The importance of the process approach - https://advisera.com/9001academy/blog/2015/12/01/iso-9001-the-importance-of-the-process-approach/
    - free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book – (where I use the process approach this way) - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Implementation cutoff dates

    Both standards are currently in effect, and a company can become certified to them right now; however, below is the information on transitioning from other standards and when these previous standards become obsolete, as this is what is normally viewed as the cut-off for implementation.

    ISO 45001:2018 was released in March 2018, and as such will replace OHSAS 18001 in March 2021. At this point all companies who were registered to OHSAS 18001 will need to be transitioned over to ISO 45001, any certification will not be renewed, and the OHSAS standard will be made obsolete. This is confirmed on the website of BSI, the organization that controlled the OHSAS 18001 standard, here: https://www.bsigroup.com/en-CA/BS-OHSAS-18001-Occupational-Health-and-Safety/

    ISO 22000:2018 was published in June 2018, and if you had the ISO 22000:2005 standard in place, you will have 3 years, until June 2021, to make your transition. More about this standard can be found on the ISO website here: https://www.iso.org/standard/65464.html

  • Personal data definition

    Personal data is defined by the GDPR as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

    Assuming that by EMI you refer to “equated monthly installment”, the EMI is not personal data, as it is not unique to a specific person and the same EMI would be applicable to multiple borrowers.

    If you want to find out more about personal data check out this EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//)

  • Inquiries on Transition to ISO 45001

    1. We are currently in the process of assessing our documentation in preparation for our transition to ISO 45001 from OHSAS 18001. What other documentation do we need to produce?

    If you are transitioning over from OHSAS 18001, much of the OHSMS is fully transferable, with only a few additions to the requirements such as consultation and participation of workers. As for documentation, there is not much additional documentation required by the new ISO standard.

    For more on the documentation necessary for ISO 45001, see the whitepaper: Checklist of Mandatory Documentation Required by ISO 45001, https://info.advisera.com/45001academy/free-download/checklist-of-mandatory-documentation-required-by-iso-45001

    2. Are Risk and Opportunity associated with OH&S the same as Hazard and Risk?

    Risk and opportunity are not the same as OH&S hazards and risks. Risks and opportunities consider the top-level risks for the OHSMS, and are captured in clauses 6.1.2.2 and 6.1.2.3, whereas the OH&S hazards are in 6.1.2.1.

    For more on the new risks and opportunities requirements, see the article: What are the new requirements for risks and opportunities according to ISO 45001?, https://advisera.com/45001academy/blog/2018/04/25/what-are-the-new-requirements-for-risks-and-opportunities-according-to-iso-45001/

  • Carrying out activities and specific training

    Do the requirements in ISO 9001:2015 focus on how activities are carried out?

    Answer:

    No, ISO 9001:2015 has no requirements about “how activities are carried out”. ISO 9001:2015 only has requirements about the what, not the how. For example, clause 8.2.2 a) 1) states that when determining the requirements for the products to be offered to customers, the organization shall ensure that the requirements for the products are defined, including any applicable statutory and regulatory requirements. There is no clue about how to do it. The how is up to each organization to decide.

    Does the training clause also include training about the specific process to enhance the competence of employees?

    Answer:

    That is not mandatory, according to ISO 9001:2015. However, if that process is complex, or has a track record of failures, perhaps your organization should consider including that kind of training. If you consider clause 7.2 content you will see that the point is acting to solve competency gaps.

    The following material will provide you with more information about training and competence:

    - Article - How to ensure competence and awareness in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-ensure-competence-and-awareness-in-iso-90012015/
    - Enroll for free - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Free webinar on demand – please check the relationship between processes and competencies - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • How to Implement Information Classification in a Dept.

    Considering ISO 27001, to implement the operational steps of a document (e.g., policies and procedures), you need to do the following.

    Since you already have an information classification procedure, you first should review the document to see if it:
    - properly covers legal and contractual requirements your organization must fulfill (e.g., laws, regulations, contracts which demand information classification)
    - properly covers the results of your risk assessment
    - is optimized and aligned with your other document(s)

    Once you ensure the document is properly structured, written, and approved, you should consider developing some examples and training material to explain to your employees why such a policy or procedure is necessary and how to classify information. As an example of how to explain this process, please see: Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

    For further information, please see:
    - Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures//

    This material will also help you regarding elaborating documents:
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/

  • How to establish new ISMS Objectives

    1. How should I proceed in this case? New ISMS objectives will depend upon which factors? How can I make new objectives?

    The answer to these three questions is that you can use the same process and factors you used for the creation of the first ISMS objectives to create the new ones. Regarding factors to be considered, you can add factors that are now relevant, or exclude factors that are not relevant. Examples to be considered are:

    Internal factors: you need to make sure that your information security objectives are aligned with the business strategy, perform the risk assessment, and determine resources, information security roles and responsibilities, capabilities, etc.
    External issues: you simply need to identify interested parties and their requirements (interested parties can be employees, clients, suppliers, partners, etc.)

    For further information, see:
    - ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
    - Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/

    2. What will happen to my objectives which have been completed?

    You can exclude them from your current objectives if, after a management review, your organization has defined that there is no need to pursue them anymore.

    3. Do I need to keep a record for them for management review in the future?

    ISO 27001 requires the results of management review to be documented (e.g., the decision on which objectives were defined, and the achieved results), but it is also good practice to keep the history of previous objectives to be used as input for future organizational planning.

    For further information, see:
    - Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

    4. Do I need to make any implementation plan for the new objectives and how they will be achieved?

    You have to proceed the same way you did for the first cycle of your ISMS, so you also need to define how the objectives will be achieved.
