Search results

  • Integrating the ISO 14001:2015 & ISO 45001:2018

    Because ISO 45001:2018 and ISO 14001:2015 both follow the Annex SL format, they are much easier to integrate than previous standards have been, as they have many common processes. Even though it also includes ISO 9001, the information is still very useful, so I would suggest reading our whitepaper: How to integrate ISO 9001, ISO 14001 and ISO 45001, https://info.advisera.com/9001academy/free-download/how-to-integrate-iso-9001-iso-14001-and-iso-45001

  • Calculating audit days

    The main criteria are the number of employees and the audit complexity.

    Without more detailed information we cannot provide a precise answer, but this document can give you a good insight into whether the defined days are fair considering your context:

    IAF MD 5:2015 "Determination of Audit Time of Quality and Environmental Management Systems" https://www.iaf.nu/upFiles/IAFMD5QMSEMSAuditDurationIssue311062015.pdf

    Although its title refers to QMS and EMS it also can be applied to estimate audit days for an ISMS certification audit.

    Additionally, you should consider asking for quotes from a couple of certification bodies, so that you can compare the numbers they offer.

    This article will provide you further explanation about certification audit:
    - Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

  • Risk & Opportunity Management

    Short and straight answer: No!

    Let us support our answer. First go to clause 6.1.1 and note that the standard focuses attention only on the risks and opportunities that deserve to be addressed. So, your classification of risk severity as low means that they don't need to be addressed. ISO 9001:2015 does not mandate a register with all the risks and opportunities determined. Nevertheless, that is a good practice: recording all risks and opportunities and acting only on those that you consider significant.

    The following material will provide you information about the risk-based approach:

    - ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
    - ISO 9001:2015 Risk Management Toolkit - https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/  
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • A few EU GDPR questions before implementation

    1. Does every company need to have an Inventory of processing activities?

    An Inventory of processing activities is mandatory if (a) the company has more than 250 employees; or (b) the processing the company carries out is likely to result in a risk to the rights and freedoms of data subjects; or (c) the processing is not occasional; or (d) the processing includes special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation); or (e) the processing includes personal data relating to criminal convictions and offenses.

    2. How about a DPO?

    Appointing a DPO is mandatory if (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; or (b) the core activities of the legal entity consist of processing operations which, by their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the legal entity consist of processing on a large scale of special categories of data pursuant to Article 9 of the EU GDPR and personal data relating to criminal convictions and offenses referred to in Article 10 of the EU GDPR. If you want to find out more about the duties of the DPO, check out this free webinar: Role of the DPO according to EU GDPR (https://advisera.com/eugdpracademy/webinar/role-of-the-dpo-according-to-eu-gdpr-free-webinar-on-demand/).

    3. How does the GDPR apply to companies outside Europe?

    The EU GDPR will apply to the processing of personal data of EU data subjects, regardless of whether the processing activities take place in the EU or not. The EU GDPR is also applicable to entities established outside the EU if they offer goods or services to individuals in the Union, or if they monitor the behaviour of individuals in the Union (i.e., profiling activities, tracking individuals’ activities on the internet, etc.).

    The key to understanding when EU GDPR is applicable is understanding the meaning of “in the Union.” The EU GDPR will only apply to personal data regarding individuals within the Union, while the nationality or habitual residence of those individuals is irrelevant. For example, a company based in the EU which is processing the data of Japanese individuals located in Japan will still need to comply with the EU GDPR. Consequently, the Japanese individuals will be benefiting from all rights according to the EU GDPR, even if these rights do not exist in their own nation’s laws.

    When the data of EU citizens is processed outside of the EU by companies which are also outside the EU, then this is not considered to be “in the Union”. For example, the EU GDPR will not be applicable for a school which is based in the United States just because there is a possibility that one or several of its students would be EU citizens. In this case the processing does not take place “in the Union,” nor is the individual “in the Union”.

    4. What is the biggest fine so far?

    The biggest GDPR fine to date amounts to 123 million Euro and was issued to Marriott.

    5. Which would be the best way to present to the management the need to implement GDPR?

    You can find a free presentation on the importance of complying with the EU GDPR at https://info.advisera.com/eugdpracademy/free-download/why-is-privacy-important-for-our-company-awareness-presentation.

    6. How much time would it take a small company?

    The time depends on the size of the company as well as on the complexity of their processing activities. You can find a duration calculator at https://advisera.com/eugdpracademy/eu-gdpr-compliance-duration-calculator/


  • Design and development and requirements of 7.1

    I'm sorry, but I do not understand your first question - could you please elaborate?

    Considering requirement 7.1 Planning of product realization, you need to plan and to develop the processes that you need to realize products. It means that you need to make procedures, forms and any other kind of document that will prove that your product is produced in a certain way. Also, you need to develop a risk management process for product realization. It means that you need to analyze your manufacturing process from the point of view of product safety for the patient. So, what can happen during production, which can cause the product to come out unsafe. For risk guidance, please look for ISO 14971:2012. 

    You also need to plan how you're going to realize your product, what raw materials you need, what equipment, what kind of premises and other infrastructure. You need to formulate what are quality objectives for your product, clarify specific product realization requirements, generate product realization planning outputs.

    For more details about how to implement production and service provision, please read the article Production and service provision process in ISO 13485 at the following link: https://advisera.com/13485academy/blog/2017/12/13/production-and-service-provision-process-in-iso-13485/

    Also, you can read the article How to use ISO 14971 to manage risks for medical devices at the following link: https://advisera.com/13485academy/blog/2017/09/21/how-to-use-iso-14971-to-manage-risks-for-medical-devices/

  • Audit forms

    To have an idea of how audit documentation looks, I suggest you take a look at the free demo of our ISO 27001/ISO 22301 Internal Audit Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/

    It contains the following documents:
    - Internal Audit Checklist: it provides a list of questions in order to help perform an internal audit against ISO 27001 and/or ISO 22301. For each clause or control from the standard, the checklist provides one or more questions that should be asked during the audit in order to verify the implementation.
    - Procedure for Internal Audit: it describes all audit-related activities – writing the audit program, selecting an auditor, conducting individual audits and reporting.
    - Annual Internal Audit Program: it defines how often the internal audits will be conducted, and by which rules.
    - Internal Audit Report: it documents the findings of internal audit.

    These articles will provide you further explanation about internal audits:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

  • Defining KRI's for Risks

    Dear Rhand,

    Thanks for the reply and advice.

  • ISO 9001 record management

    It is not mandatory to stamp records unless internal procedures determine so.

    Normally records have a name and a date, and that is enough for a clear identification. For example, a complaint received through e-mail already has a date and can be annexed to a complaint form internally filled.

    The following material will provide you information about record control:

    - ISO 9001 – Some tips to make Control of Records more useful for your QMS - https://advisera.com/9001academy/blog/2014/01/28/tips-make-control-records-useful-qms/
    - New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • DPIA, consent and other EU GDPR questions

    1. What documents in the EU GDPR Premium Documentation Toolkit are mandatory?

    You can find a list of the mandatory documents on the EU GDPR Premium Documentation Toolkit product page under the "Toolkit Documents" subsection: https://advisera.com/eugdpracademy/eu-gdpr-premium-documentation-toolkit/

    2. Usually how many DPIAs does a medium size company need to perform?

    The number of DPIAs depends on the number of your processing activities as well as on their complexity and the effect that they may have on the rights and freedoms of the data subjects. You can find more about DPIAs in this free webinar Seven steps of Data Protection Impact Assessment (DPIA) according to EU GDPR (https://advisera.com/eugdpracademy/webinar/seven-steps-of-data-protection-impact-assessment-dpia-according-to-eu-gdpr-free-webinar-on-demand/).

    3. Can an employer ask consent from employees for sending their data outside the EU?

    Consent is not recommended as a lawful basis when dealing with employee personal data. I recommend using legitimate interest instead.

    4. Is ISO 27001 enough in terms of security measures?

    ISO 27001 is a best practice when it comes to security and usually it should be enough, as long as the security measures cover all the processes where personal data are involved.

    5. When does a company outside the EU need to appoint a representative?

    Where the offering or monitoring tests apply, the controller or processor must appoint a representative. That representative must be based in a Member State in which the relevant individuals are based. There is a limited exemption to the obligation to appoint a representative where the processing is occasional, is unlikely to be a risk to individuals and does not involve large scale processing of sensitive personal data.

    6. Is it a specific formality?

    Yes, there is; you can find a representative appointment letter in our EU GDPR Premium Documentation Toolkit (https://advisera.com/eugdpracademy/eu-gdpr-premium-documentation-toolkit/).

  • Risk assessment and asset management

    According to ISO 27001, risk assessment should be done first - once you identify and evaluate all the risks, then you can start implementing security controls - in ISO 27001 Annex A section A.8 "Asset management", there are in total 10 controls that deal with asset management.

    These materials will also help you regarding risk assessment and asset management:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
