
  • How to establish new ISMS Objectives

    1. How should I proceed in this case? New ISMS objectives will depend upon which factors? How can I make new objectives?

    The answer to these three questions is that you can use the same process and factors you used for the creation of the first ISMS objectives to create the new ones. Regarding factors to be considered, you can add factors that are now relevant, or exclude factors that are not relevant. Examples to be considered are:

    Internal factors: you need to make sure that your information security objectives are aligned with the business strategy, perform the risk assessment, determine resources, information security roles, and responsibilities, capabilities, etc.
    External issues: you simply need to identify interested parties and their requirements (interested parties can be employees, clients, suppliers, and partners, etc)

    For further information, see:
    - ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
    - Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/

    2. What will happen to my objectives which have been completed?

    You can exclude them from your current objectives if after a management review your organization defined there is no need to pursue them anymore.

    3. Do I need to keep a record for them for management review in the future?

    ISO 27001 requires the results of management review to be documented (e.g. the decision of which objectives were defined, and the achieved results), but is also a good practice to keep the history of previous objectives to be used as input for future organizational planning.

    For further information, see:
    - Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

    4. Do I need to make any implementation plan for the new objectives and how they will be achieved?

    You have to proceed the same way you did for the first cycle of your ISMS, so you also need to define how objectives will be achieved.

  • Implementing EMS

    Implementing an EMS for a CNC company is no different from a typical manufacturing enterprise.
    I recommend starting with a Gap Analysis and then developing an implementation plan. Determining your significant environmental aspects is another important step. Implement your EMS, perform an internal audit and a management review before addressing the decision to go for certification.

    The following material will provide you more information about implementing an EMS:
    - ISO 14001:2015 Gap Analysis Tool - https://advisera.com/14001academy/iso-14001-gap-analysis-tool/
    - Is a gap analysis desirable for ISO 14001 implementation? - https://advisera.com/14001academy/blog/2016/11/14/is-a-gap-analysis-desirable-for-iso-14001-implementation/
    - List of ISO 14001 implementation steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-iso-14001-implementation-steps/
    - 5 elements of a successful ISO 14001 project - https://advisera.com/14001academy/blog/2015/03/23/5-elements-of-a-successful-iso-14001-project/
    - ISO 14001:2015 Implementation diagram - https://info.advisera.com/14001academy/free-download/iso-14001-2015-implementation-diagram
    - How long does it take to implement ISO 14001:2015? - https://advisera.com/14001academy/blog/2016/04/04/how-long-does-it-take-to-implement-iso-140012015/
    - Free webinar on demand - Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
    - Enroll for free in this course ISO 14001:2015 Lead Implementer Course - https://advisera.com/training/iso-14001-lead-implementer-course/
    - Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

  • Technical File

    I need your help to develop a technical file for medical devices. Will you please let me know about the contents and kind of information that could be a part of the technical file. If possible please send me a specimen.

  • Integrating the ISO 14001:2015 & ISO 45001:2018

    Because ISO 45001:2018 and ISO 14001:2015 both follow the Annex SL format, they are much easier to integrate than previous standards have been as they have many common processes. Even though it also includes ISO 9001 the information is still very useful, so I would suggest reading our whitepaper: How to integrate ISO 9001, ISO 14001 and ISO 45001, https://info.advisera.com/9001academy/free-download/how-to-integrate-iso-9001-iso-14001-and-iso-45001

  • Calculating audit days

    The main criteria are the number of employees and the audit complexity.

    Without more detailed information we cannot provide a precise answer, but this document can give you a good insight into whether the defined days are fair considering your context:

    IAF MD 5:2015 "Determination of Audit Time of Quality and Environmental Management Systems" https://www.iaf.nu/upFiles/IAFMD5QMSEMSAuditDurationIssue311062015.pdf

    Although its title refers to QMS and EMS it also can be applied to estimate audit days for an ISMS certification audit.

    Additionally, you should consider asking for quotes from a couple of certification bodies, so that you can compare the numbers they offer.

    This article will provide you further explanation about certification audit:
    - Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

  • Risk & Opportunity Management

    Short and straight answer: No!

    Let us support our answer. First go to clause 6.1.1 and note that the standard focuses attention only on the risks and opportunities that deserve to be addressed. So, your classification of risk severity as low means that they don’t need to be addressed. ISO 9001:2015 does not mandate a register with all the risks and opportunities determined. Nevertheless, it is a good practice to record all risks and opportunities and act only on those that you consider significant.

    The following material will provide you information about the risk-based approach:

    - ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
    - ISO 9001:2015 Risk Management Toolkit - https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/  
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • A few EU GDPR questions before implementation

    1. Does every company need to have an Inventory of processing activities?

     An Inventory of processing activities is mandatory if (a) the company has more than 250 employees; or (b) the processing the company carries out is likely to result in a risk to the rights and freedoms of data subjects; or (c) the processing is not occasional; or (d) the processing includes special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation); or (e) the processing includes personal data relating to criminal convictions and offenses.

    2. How about a DPO?

    Appointing a DPO is mandatory if (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; or (b) the core activities of the legal entity consist of processing operations which, by their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the legal entity consist of processing on a large scale of special categories of data pursuant to Article 9 of the EU GDPR and personal data relating to criminal convictions and offenses referred to in Article 10 of the EU GDPR. If you want to find out more about the duties of the DPO check out this free webinar Role of the DPO according to EU GDPR (https://advisera.com/eugdpracademy/webinar/role-of-the-dpo-according-to-eu-gdpr-free-webinar-on-demand/).

    3. How does the GDPR apply to companies outside Europe?

    The EU GDPR will apply to the processing of personal data of EU data subjects, regardless of whether the processing activities take place in the EU or not. The EU GDPR is also applicable to entities established outside the EU if they offer goods or services to individuals in the Union, or if they monitor the behaviour of individuals in the Union (i.e., profiling activities, tracking individuals’ activities on the internet, etc.).

    The key to understanding when EU GDPR is applicable is understanding the meaning of “in the Union.” The EU GDPR will only apply to personal data regarding individuals within the Union, while the nationality or habitual residence of those individuals is irrelevant. For example, a company based in the EU which is processing the data of Japanese individuals located in Japan will still need to comply with the EU GDPR. Consequently, the Japanese individuals will be benefiting from all rights according to the EU GDPR, even if these rights do not exist in their own nation’s laws.

    When the data of EU citizens is processed outside of the EU by companies which are also outside the EU, then this is not considered to be “in the Union”. For example, the EU GDPR will not be applicable for a school which is based in the United States just because there is a possibility that one or several of its students would be EU citizens. In this case the processing does not take place “in the Union,” nor is the individual “in the Union”.

    4. What is the biggest fine so far?

    The biggest GDPR fine to date amounts to 123 million Euro and was issued to Marriott.

    5. Which would be the best way to present to the management the need to implement GDPR?

    You can find a free presentation on the importance of complying with the EU GDPR at https://info.advisera.com/eugdpracademy/free-download/why-is-privacy-important-for-our-company-awareness-presentation.

    6. How much time would it take a small company?

    The time depends on the size of the company as well as on the complexity of their processing activities. You can find a duration calculator at https://advisera.com/eugdpracademy/eu-gdpr-compliance-duration-calculator/

  • Design and development and requirements of 7.1

    I'm sorry, but I do not understand your first question - could you please elaborate?

    Considering requirement 7.1 Planning of product realization, you need to plan and to develop the processes that you need to realize products. It means that you need to make procedures, forms and any other kind of document that will prove that your product is produced in a certain way. Also, you need to develop a risk management process for product realization. It means that you need to analyze your manufacturing process from the point of view of product safety for the patient. So, what can happen during production, which can cause the product to come out unsafe. For risk guidance, please look for ISO 14971:2012. 

    You also need to plan how you're going to realize your product, what raw materials you need, what equipment, what kind of premises and other infrastructure. You need to formulate what are quality objectives for your product, clarify specific product realization requirements, generate product realization planning outputs.

    For more details about how to implement production and service provision, please read the article Production and service provision process in ISO 13485 on the following link: https://advisera.com/13485academy/blog/2017/12/13/production-and-service-provision-process-in-iso-13485/

    Also you can read the article How to use ISO 14971 to manage risks for medical devices on the following link: https://advisera.com/13485academy/blog/2017/09/21/how-to-use-iso-14971-to-manage-risks-for-medical-devices/

  • Audit forms

    To have an idea of how audit documentation looks, I suggest you take a look at the free demo of our ISO 27001/ISO 22301 Internal Audit Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/

    It contains the following documents:
    - Internal Audit Checklist: it provides a list of questions in order to help perform an internal audit against ISO 27001 and/or ISO 22301. For each clause or control from the standard, the checklist provides one or more questions that should be asked during the audit in order to verify the implementation.
    - Procedure for Internal Audit: it describes all audit-related activities – writing the audit program, selecting an auditor, conducting individual audits and reporting.
    - Annual Internal Audit Program: it defines how often the internal audits will be conducted, and by which rules.
    - Internal Audit Report: it documents the findings of internal audit.

    These articles will provide you further explanation about internal audits:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

  • Defining KRI's for Risks

    Dear Rhand

    Thanks for the reply and advice
