Search results


  • Environmental awareness

    I will give my opinion on two levels. The first is more practical, the second more conceptual.

    Let us go to the practical level: before thinking about risks and opportunities, I like to start with expected results. ISO 14001:2015 definition 3.2.10 and its Note 1 support viewing a risk or opportunity as a deviation from the expected due to uncertainty. So, for energy use, for example, your organization may expect to become more efficient and reduce unitary consumption. What can go wrong and make you miss the target?

    For example, perhaps people are not motivated to adopt energy-saving practices; this is a risk.

    For generation and disposal of waste, your organization expects to minimize waste generation and waste contamination. What can go well and make you better than target?

    For example, one of the workers follows a practice that allows him/her to be much more efficient in the use of raw materials. Perhaps that practice can be generalized to all workers who program CNC cutting of raw materials; this is an opportunity.

    For example, you realize that the closer the waste bins are to the place where waste is generated, the less contamination of wastes occurs. Perhaps a new organization and distribution of waste bins can minimize waste.

    Now, let us go to the conceptual level: when determining risks and opportunities in an environmental management system, there is more than one way of doing it:

    1. There are organizations that determine their environmental aspects and use a risk and opportunities assessment to determine their significant environmental aspects. (Please see the end of the second paragraph of Annex A.6.1.1 of ISO 14001:2015.)

    2. There are organizations that determine their environmental aspects, evaluate them, determine the significant ones, and use a risk and opportunities assessment to determine which ones need an action plan and which ones need only to be monitored. For example, in your case, about habitat destruction, what can go wrong with your system of preventive measures that could make the habitat suffer?

    3. There are organizations that only apply the risk-based approach to the context part. In a certain way they are following the same approach as 1 without explicitly mentioning it.

    The following material will provide you with more information about aspects and impacts:

    - Article - ISO 14001 risks and opportunities vs. environmental aspects - https://advisera.com/14001academy/blog/2016/06/06/iso-14001-risks-and-opportunities-vs-environmental-aspects/
    - Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
    - Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

  • Context of the organization

    In ISO 45001:2018 clause 4.1, context of the organization is understanding the internal and external issues that affect your ability to implement and maintain your OHSMS. Do you have an internal culture of safety or not? This would be an internal issue. A supplier notifying you that they are stopping production of a cleaning chemical you use (where the replacement is more hazardous) would be an external issue. This helps you to understand your organizational context; how it fits into the world around you.

    You can learn more in this article: Defining the context of the organization according to ISO 45001, https://advisera.com/45001academy/blog/2016/02/03/defining-the-context-of-the-organization-according-to-iso-45001/

  • Audit requirement

    Please consider ISO 9001:2015 clause 9.3.2 c) 6).

    One of the relevant inputs to a management review is the result of audits. 

    You want to have a comprehensive, global insight into how the system is performing and why. Audits give you a picture beyond the results from performance indicators.

    So, a good management review will include information from audits.

    The following material will provide you with information about the management review:

    - Article - How to make Management Review more useful in the QMS - https://advisera.com/9001academy/blog/2013/12/10/make-management-review-practical/
    - Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - Book - Preparing for ISO Certification Audit: A Plain English Guide - https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/

  • First qualified person

    The first qualified person is a person who, because of his/her knowledge, training and experience, is qualified to perform that task safely and properly. This person can be trained, for example, by the manufacturer of the equipment used in the validation process, or this person can even be someone who developed a certain validation process.

    In ISO 13485:2016 section 7.5.6, Validation of processes for production or service provision, there is no requirement for a procedure that specifies the first person to be qualified.

    For more information on how to manage the validation process, please read the following article: 

    Using ISO 13485 to manage process validation in the medical device manufacturing industry https://advisera.com/13485academy/blog/2017/09/07/using-iso-13485-to-manage-process-validation-in-the-medical-device-manufacturing-industry/

  • ISO27001 - Who should sign off on a risk?

    Never mind, I got the answer as per https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/ 

    Thanks

  • Template contents

    Control A.18.1.2 is covered by the IT security policy template.

    Regarding the other mentioned controls, we do not have those included in our toolkit. Please note that Advisera's ISO 27001 Documentation Toolkit does not have a document for each and every control from ISO 27001 for the following reasons:

        1) ISO 27001 does not require each and every control to be documented.
        2) If the toolkit had a document for each control, there would be too many documents, and this would be overkill for smaller and mid-size companies.

    Since our target is SMEs, we have decided to include an optimum number of documents for companies of this size - the toolkit includes:

        All the mandatory documents - e.g. Information Security Policy, Statement of Applicability, Risk Assessment Methodology, Access Control Policy, etc.
        Documents that are not mandatory, but are commonly used - e.g. BYOD Policy, Classification Policy, Password Policy, Backup Policy, etc.

    You can see a full list of documents included in the toolkit in this page: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

  • Cyber-security Career

    First, it is important to note that cybersecurity covers several areas, so you should first decide which one to focus on. For example:
    - Security Architect
    - Security Consultant
    - Penetration Tester/Ethical Hacker
    - Chief Information Security Officer (CISO)

    Once you have chosen one field, you should consider the most relevant certifications and best practices related to it. For example, for a CISO, some examples are the CISM and CISA certifications.

    For security consultants who wish to work in cybersecurity based on the ISO 27001 standard, the leading standard for information security management, there are two options:
    - ISO 27001 Lead Implementer – this certification recognizes people who have competency in the ISO 27001 implementation process.
    - ISO 27001 Lead Auditor – this certification recognizes people who have competency in auditing an ISMS against ISO 27001 requirements and who want to become certification auditors (and with this provide more confidence to an organization seeking certification).

    These articles will provide you further explanation about ISO 27001 personnel certifications:
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
    - Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/

    This material will also help you regarding ISO 27001 personnel certifications:
    - ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/

  • Remote audit

    A remote internal audit is possible, provided that the required evidence of conformance does not need the physical presence of the auditor on-site. For example, to audit the conformance of an information system that can be remotely accessed, or the conformance of a procedure, there is no need for the auditor's presence (the auditor only needs to have access to the system or to receive a scanned copy of physical documents and records). On the other hand, to audit the conformance of physical security controls, it might be necessary for the auditor to be on-site if the company cannot provide evidence of such controls remotely (e.g. through photographs, plans, maps, etc.).

  • Complaint handling and vigilance reporting

    You can include the determination of vigilance reporting in the Customer complaint procedure, for the case where a complaint about device malfunction, deterioration in device performance, inadequate instructions, or inadequate labeling results in death or serious injury, or may lead to death or serious deterioration in state of health if it were to recur.

    For more information about ISO 13485:2016 requirements for handling complaints, please read the following article: How to comply with ISO 13485:2016 requirements for handling complaints - https://advisera.com/13485academy/blog/2017/03/21/how-to-comply-with-iso-134852016-requirements-for-handling-complaints/

    If you need more information on how a vigilance system has to be prepared in the EU according to the MDD, please read the following guidelines: https://ec.europa.eu/growth/sectors/medical-devices/current-directives/guidance_en, and look for MEDDEV 2.12-1 rev 8 - GUIDELINES ON A MEDICAL DEVICES VIGILANCE SYSTEM.

    If you need more information on how a vigilance system has to be prepared according to the FDA, please read the following guidelines: https://www.fda.gov/medical-devices/medical-device-safety/medical-device-reporting-mdr-how-report-medical-device-problems

  • Risk assessment

    ISO 27001 does not prescribe who must be the asset owner, so you can define that the Information Security Officer is the asset owner for all assets.

    These articles will provide you further explanation about asset management:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
    - Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
