I'm assuming that by NESA you are referring to the National Electronic Security Authority of the United Arab Emirates (UAE). Considering that, NESA is a government body that develops documents based on ISO 27001 and several other established standards (such as NIST publications). These documents are collectively called the NESA Information Pack. On the other hand, ISO 27001 is an internationally recognized standard for information security management, published by ISO.
In short, ISO 27001 is an international standard, while the NESA documents are based in part on ISO 27001 but cover the specifics of the United Arab Emirates.
This article will provide you further explanation about ISO 27001:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
I do not know of any country where ISO 14001 certification is mandatory by law in any economic sector. What I see is that some important customers in relevant economic sectors make ISO 14001 certification either a mandatory requirement, or a plus for qualification of a supplier.
For example, in the automotive sector.
Concerning VW, in its 2018 Sustainability Report, it states:
“A certified environmental management system in accordance with ISO 14001 and/or EMAS is one of the ecological requirements our tier 1 suppliers have to meet.”
Concerning GM, it required all supplier facilities to be ISO 14001 certified by December 31, 2002.
Concerning Ford, it required all supplier facilities to be ISO 14001 certified by July 1, 2003.
Sources for the GM and Ford requirements are difficult to find, but they were widely reported in the news around the world at the beginning of the century.
So, it is natural that Tier 1 suppliers make ISO 14001 certification a mandatory requirement for Tier 2 suppliers, and so on.
Instead of relying on legal requirements, your organization can use its purchasing power to encourage or require ISO 14001 certification. For example, certified suppliers could expect more orders.
The following material will provide you with more information:
- Article - Driving Your Supply Chain to ISO 14001 Compliance - https://advisera.com/14001academy/blog/2015/04/13/driving-your-supply-chain-to-iso-14001-compliance/
- Article - How to manage outsourced suppliers in line with ISO 14001:2015 - https://advisera.com/14001academy/blog/2017/07/11/how-to-manage-outsourced-suppliers-in-line-with-iso-140012105/
- Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
- Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
- Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
You asked:
Question - In relation to recalibration of our own equipment, what information would you look for on the calibration certificate to determine that the equipment needs to be rechecked, and why?
I assume you are referring to external calibration? The certificate should not specify the recalibration date. The decision is that of the laboratory based on need, meaning assurance of test results generated using your equipment. The unbroken chain of calibrations is what provides the Metrological traceability for your results, to meet ISO 17025 clause 6.5.
The calibration interval will vary depending on the type of equipment, in terms of its robustness. The accreditation bodies typically have requirements and/or guidelines on this, guided by ILAC (see link below). Some sectors of work and instruments will require a mathematical calculation to determine that the interval is suitable. Typically, however, the laboratory itself must look at the need to make the interval shorter due to risk, or justify increasing the interval due to lack of risk. Take an analytical balance, for example, that is well looked after. You may typically have it calibrated externally, say, once a year. Then you perform intermediate checks (verification) before use that verify that the balance is still calibrated and fit for use. Based on risk, you set the range your verified mass should fall within. You should, of course, use calibrated mass pieces of a suitable class depending on the type of balance. Then you watch for trends. If you see the performance deteriorating, to minimise risk you would have the next external calibration sooner.
You also asked
What key requirements should I consider when managing all equipment in our lab to ensure reliable results? Equipment register?
Look at Clause 6.4 (Equipment) in ISO 17025, together with clause 6.5 (Metrological Traceability), where all the requirements are stated. Anything that can jeopardise the competency of the laboratory to generate valid results must be considered, risk assessed, and controls put in place. For example, if an instrument is potentially unstable (drifts), then you would run reference samples (of known result) more often. When those results fail, the unknown results are not reliable and corrective action must be taken, which may include recalibration.
For more information, refer to ILAC P10:07/2020 ILAC Policy on Metrological Traceability of Measurement Results and ILAC G24:2007 Guidelines for the determination of calibration intervals of measuring instruments, available from https://ilac.org/publications-and-resources/
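The "watch for trends" step in the answer above, as an added example that is not part of the original answer: a constructed log of daily intermediate checks of a reference mass on an analytical balance, with a pass/fail test against the lab's own tolerance and a least-squares drift slope used to decide whether the next external calibration should be brought forward. The nominal mass, the tolerance, the drift threshold and all readings are assumptions chosen for illustration, not values from any standard.

```python
"""Trend check on intermediate (pre-use) balance verifications.

Constructed example, not from the original answer. Readings, tolerance and
drift threshold are hypothetical values a lab might set from its own risk
assessment (ISO 17025 clauses 6.4/6.5 leave the interval to the lab).
"""
from datetime import date

NOMINAL_G = 200.0000            # nominal value of the reference mass (assumption)
TOLERANCE_G = 0.0005            # lab's acceptance limit, +/- g (assumption)
DRIFT_WARN_G_PER_DAY = 0.00002  # slope above which drift is flagged (assumption)

# Constructed verification log: (date of check, observed reading in g).
# The readings creep upward by about 0.1 mg every two days.
CHECKS = [
    (date(2024, 1, 2), 200.0001), (date(2024, 1, 3), 200.0001),
    (date(2024, 1, 4), 200.0002), (date(2024, 1, 5), 200.0002),
    (date(2024, 1, 8), 200.0003), (date(2024, 1, 9), 200.0003),
    (date(2024, 1, 10), 200.0004), (date(2024, 1, 11), 200.0004),
]

# Constructed log of a balance that is holding steady (for comparison).
STABLE_CHECKS = [(date(2024, 1, d), 200.0001) for d in range(2, 10)]


def deviations(checks, nominal=NOMINAL_G):
    """Return (days since first check, reading - nominal in g) pairs."""
    t0 = checks[0][0]
    return [((d - t0).days, round(r - nominal, 6)) for d, r in checks]


def out_of_tolerance(checks, nominal=NOMINAL_G, tol=TOLERANCE_G):
    """Checks whose deviation exceeds the lab's acceptance limit."""
    return [(d, r) for d, r in checks if abs(r - nominal) > tol]


def drift_slope(checks, nominal=NOMINAL_G):
    """Least-squares slope of deviation versus time, in g per day."""
    pts = deviations(checks, nominal)
    n = len(pts)
    mean_x = sum(x for x, _ in pts) / n
    mean_y = sum(y for _, y in pts) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in pts)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in pts)
    return sxy / sxx if sxx else 0.0


def days_until_limit(checks, nominal=NOMINAL_G, tol=TOLERANCE_G):
    """Days from the last check until the fitted trend reaches the tolerance,
    or None when there is no measurable drift."""
    slope = drift_slope(checks, nominal)
    if abs(slope) < 1e-12:          # treat floating-point noise as no drift
        return None
    last_dev = checks[-1][1] - nominal
    limit = tol if slope > 0 else -tol
    return max(0.0, (limit - last_dev) / slope)


def assess(checks, nominal=NOMINAL_G, tol=TOLERANCE_G, warn=DRIFT_WARN_G_PER_DAY):
    """Summarise the log: failed checks, drift slope, projected days to the
    limit, and whether external recalibration should be brought forward."""
    fails = out_of_tolerance(checks, nominal, tol)
    slope = drift_slope(checks, nominal)
    return {
        "failures": len(fails),
        "slope_g_per_day": slope,
        "days_until_limit": days_until_limit(checks, nominal, tol),
        "bring_forward_calibration": bool(fails) or abs(slope) > warn,
    }


if __name__ == "__main__":
    for name, log in (("drifting balance", CHECKS), ("stable balance", STABLE_CHECKS)):
        print(name, assess(log))
```

Note that every single check in the drifting log still passes the tolerance; it is the slope, not a failed check, that tells the lab to shorten the interval. A real implementation would read the log from the equipment register and carry the uncertainty of the reference mass, which this example omits.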
Is consent needed to transfer personal data to other countries outside EU?
Not necessarily. Consent is needed only as an exemption if the other safeguards in Chapter 5 of the GDPR. If you want to find out more about international data transfers, check out this webinar: "How to make personal data transfers to other countries compliant with GDPR" (https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/).
Do I need to have a data processing agreement with data controllers?
Although not mandated by the EU GDPR, it is a best practice to have a Controller to Controller Agreement in place. You can find such a template at: https://advisera.com/eugdpracademy/documentation/controller-to-controller-data-processing-agreement/
When can legitimate interest be used as a legal basis?
It can be used but you need to perform a Legitimate Interest Assessment to prove that your interest is not infringing upon the rights and freedoms of the data subjects.
Do I need to insert data protection specific clauses in work contracts?
The GDPR does not specifically require such clauses to be included in the labor agreements; however, you need to ensure that you have appropriate confidentiality clauses in place.
Can I delete the data of a former employee if he makes a request?
The right to be forgotten is not an absolute right, especially when we are talking about labor law. As a company you have some legal obligations, so you need to ensure that you are not breaking such obligations before deleting the unnecessary data.
How much time do I have to delete the data?
The GDPR allows for one month before you need to respond to a request. However, if the request is complex, you can extend the period to a maximum of 3 months. You can find out more about data subject rights in our webinar: Data Subject Rights under the EU GDPR (https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/).
The EU GDPR Foundations is meant to build general knowledge about the EU GDPR and is around 8 hours while the EU GDPR Data Protection Officer Course is more detailed and is more aimed towards persons fulfilling the role of Data Protection Officer. Additionally, the EU GDPR Data Protection Officer Course takes around 15 hours to complete.
Good morning, as you know, I bought the package of documents for 27001 and 22301.
Since October, the 2019 version of 22301 has been available. Can you please confirm whether you plan to update the documents that have changed or whether, on the contrary, they will remain in the purchased version?
We are working on the updates of the ISO 22301 templates, and as soon as we finish the updated versions they will be sent, free of charge, to all customers who purchased the toolkit within the last 12 months.
Great answer by referring to exactly where the topic document can be found with content. 👍
First, it is important to note that being compliant is different from being certified.
If an organization fulfills the ISO 27001 requirements, then it is ISO 27001 compliant.
If an organization is ISO 27001 certified, it means that an accredited certification body has independently verified that the organization fulfills the ISO 27001 requirements.
Considering that, since the UK office is not included in the certification, you should audit this office, using your own auditors or a third-party auditor on your behalf, to verify whether the UK office is ISO 27001 compliant.
Please, can you elaborate a little bit more?
Thank you.
Any meaningful environmental action should start with a complete environmental survey to determine and assess environmental aspects and impacts. Impact assessment will allow an organization to define priorities for environmental action. Each organization, based on its location, its interested parties, the regulation of its country or economic zone, and its own experience and history, will have its own environmental hazards and risks.
The following material will provide you more information about aspects and impacts:
- 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
- Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
- Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
- Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
- Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/