What do you do in your work?
You perform some activities and in doing so you use bulbs, fluorescent tubes and other materials.
An organization’s environmental aspects are all those elements that interact with the environment through its activities, products or services. For example, you, with your work as electrician, generate waste (used bulbs, fluorescent tubes, used paper and plastic packages).
Environmental impacts are the changes to the environment resulting from its environmental aspects.
First you should determine environmental aspects and impacts (waste, energy consumption, materials use, noise, water pollution, soil pollution, …).
Then you should evaluate which aspects are more significant and define what action plans are needed to avoid, control or reduce their impact.
The following material will provide you more information about aspects and impacts:
- Article - 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
- Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
- Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
- Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
- Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
1. An educated guess for the duration and cost of the certification for our budget planning.
The time to implement ISO 27001 will depend on many variables, like the size of the organization, the complexity of the scope, the resources available, etc., but considering your scenario, the implementation duration can vary from 3 to 6 months.
To have an estimate based on your organization's context, I suggest you take a look at our free ISO 27001/ISO 22301 Implementation Duration Calculator at this link: https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/
About implementation costs, there are a significant number of variables to be considered when estimating an implementation cost, so without more detailed information (and you already provided quite a few), it's not possible to give a precise value. What I can tell you are some cost issues you should consider:
- Training and literature
- External assistance
- Technologies to be updated/implemented
- Employees' effort and time
- The certification process
Regarding ISMS maintenance costs, the above-mentioned costs also have to be considered, but at different levels, and you have to add the surveillance audit costs for certification maintenance.
These articles can provide you more information:
- How much does ISO 27001 implementation cost? https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
- 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/19/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/
- How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project/
2. Recommended roadmap in terms of your services/products offered.
I assume you are interested in ISO 27001 standard, therefore we would recommend our ISO 27001 Documentation Toolkit [https://advisera.com/27001academy/iso-27001-documentation-toolkit/] - it will provide you with step-by-step explanation of all activities you need to perform to become compliant, and it will give you all the documents you need for the certification audit.
There is no universal rule to follow when coding ISO documents.
I can only tell you about my practice.
ISO 9001:2015 invites us to follow the process approach. So, I model how the quality management system works, as a set of interrelated processes, and I code each process with a number and a verb+noun. Like:
1. Win order
2. Buy material
3. Provide service
4. Develop new service
5. Install service
Now I use that numbering as the basis for coding the documentation. Like, for example:
PD1.0 – Process Description 1 version 0.
Any work instruction related to Process Description 1 is coded as WI.1.1; WI 1.2; …
Forms, I code them with a serial number.
The following material will provide you information about the document control:
- ISO 9001 – How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
- ISO 9001 blog – New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
- Free webinar on demand - Free webinar – How to use a Documentation Toolkit for the implementation of ISO 9001 - https://advisera.com/9001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-9001-free-webinar-on-demand/
- Free online training ISO 9001:2015 Internal Auditor Course – https://advisera.com/training/iso-9001-internal-auditor-course/
- Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
You can have one Internal Audit Report; you just need to have different audits for all three types of audits. The manufacturing process audit is not the same as a product audit: in a product audit you are auditing the product itself against the specification you have.
The Regulation requires Privacy Notices to be concise, transparent, intelligible and easily accessible. Although the Regulation should standardize the content of your privacy notices, it is likely that they will still need to be translated into local languages if they are directed at a particular jurisdiction. In particular, it is hard to see how your notice can be “accessible” if it is in a language the individual does not understand. Similarly, in some Member States such as France, the use of a local language for consumers and employees is mandatory under consumer protection and employment law.
If you want to find out more about privacy notices check out this free webinar Privacy Notices under the EU GDPR (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/)
Some of the documents in the Toolkit are meant to be public so there are no IPR issues here if the legal entity is bound by statutory requirements of transparency to make them public. The same goes for the other documents if there is a statutory legal requirement to make them available in certain cases.
To build an Incident Response Plan you should consider the following information:
- Name, job title and contact information of personnel required to handle specific incidents (e.g., system/network administrator for IT-related incidents, facilities manager for premises related incidents, etc.).
- Which external parties should be contacted (e.g., customers, partners, media, public services/authorities, etc.), in which situation, through which communication channel (e.g., by phone, e-mail, press conference, etc.) and by whom.
- Types of incidents that should be handled by the plan (e.g., fire, premises evacuation, service failure, etc.)
- Details on how to treat each of the identified incidents (e.g., for fire, summon the fire brigade, start premises evacuation, call the fire department, etc.)
To see what an incident response plan looks like, please see this free demo:
- Incident Response Plan https://advisera.com/27001academy/documentation/incident-response-plan/
These articles will provide you further explanation about incident management and response plan:
- How to handle incidents according to ISO 27001 A.16 https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/
- How to write business continuity plans? https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/
These materials will also help you regarding incident management and response plan:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Writing a business continuity plan according to ISO 22301 [free webinar] https://advisera.com/27001academy/webinar/writing-a-business-continuity-plan-according-to-iso-22301-free-webinar-on-demand/
Is it required to identify risk and opportunities for each process in QMS?
Answer:
Short and straight answer: no.
More detailed answer: It is not mandatory, but I bet that all organizations determine risks and opportunities in every process, even without being aware that they are doing so. For example, why do organizations:
Behind each of those activities is a risk that organizations want to prevent.
Is it required to identify issues, interested parties and associated risks for each process or department?
Answer:
Short and straight answer: no.
Normally, when determining issues and interested parties, organizations think more broadly: they consider the whole organization. For example, if a rise in trade barriers affects your organization, or if a new regulation makes part of your product range obsolete, that's not a process or department issue. What happens is that when your organization considers the issues determined in clause 4.1 and what is relevant for interested parties, determined in clause 4.2, you determine another kind of risk. For example, loss of market share due to trade barriers and more demanding regulatory requirements.
The following material will provide you information about the risk-based approach, context and interested parties:
- ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
- How to determine interested parties and their requirements according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015/
- How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
- ISO 9001:2015 Risk Management Toolkit - https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
- Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
The ISO 45001:2018 standard does not dictate that you need to be certified in ISO 45001 to conduct internal audits; however, the standard does state that you need to identify the competencies for internal auditors, as with all other jobs in your organization. These competencies should certainly include knowledge of the ISO 45001 standard and how it applies to the organization, but certification to the standard is not a requirement.
To find out more about the competencies of auditors for ISO 45001, see the article: What competences should an ISO 45001 internal auditor have?, https://advisera.com/45001academy/blog/2019/10/31/iso-45001-internal-auditor-what-competences-are-needed/
I'm assuming you are referring to the whole table in the mentioned section because it is not very useful without the column containing the record name.
Considering that, please note that section 4. "Managing records kept on the basis of this document" appears in templates when some sort of evidence is required to be recorded as proof that a required activity was performed.
Our templates suggest the minimum records you should keep as evidence, but depending on your scenario you may include more records.
If at the moment of document implementation you do not have the required record, then you must start to create the record when performing the activity, or you will be at risk of non-compliance by not having proper records.
This article will provide you further explanation about record management:
- Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
This material will also help you regarding record management:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/