Since the 1987 version, ISO 9001 has been changing the designation of what is used to ensure the validity of results. I remember that the first one was something like “Inspection, Measuring and Test Equipment”; in the 2000 version it became “Control of Monitoring and Measuring Devices”. Both ISO 9001:2015 and ISO 9001:2008 only include the definition of measuring equipment. Measuring equipment is a general designation that includes things like measuring instruments, software, and reference materials (it can be a picture or an oil with a certain viscosity). According to the dictionary, a device can be a measuring instrument or a combination of instruments, among other things. I believe that the ISO 9001:2015 adoption of the term “resources” was a way of using a general designation that can be applied in several fields. For example, people use masks to check results of psychological tests more easily. Is it a piece of equipment? A device? An instrument? I cannot give you a definite answer because in these cases I just want to work with ISO 9001 definitions.
The following material will provide you more information about monitoring resources:
- Article – Monitoring and Measurement: The basis for evidence-based decisions - https://advisera.com/9001academy/blog/2020/09/21/how-to-perform-monitoring-and-measurement-according-to-iso-9001/
- Enroll for free courses - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Books – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
A waste management company may want to get ISO 9001 to improve efficiency, reduce costs and increase relevant interested parties satisfaction. A waste management company may want to get ISO 14001 to improve its image and credibility among relevant interested parties. A waste management company may apply simultaneously to both certifications through an integrated management system. So, this is a management decision, not a technical decision.
The following material will provide you more information about how Advisera can help you either with ISO 9001 or with ISO 14001 certification:
- Articles - Please look for information in our blogs – https://advisera.com/9001academy/blog/ and https://advisera.com/14001academy/blog/
- Free webinars on demand - https://advisera.com/9001academy/webinars/ and https://advisera.com/14001academy/webinars/
- Free downloadable resources and tools - https://advisera.com/9001academy/free-downloads/ and https://advisera.com/14001academy/free-downloads/
- Toolkits that can help you right away and reduce the implementation time - ISO 14001:2015 Documentation Toolkit - https://advisera.com/14001academy/iso-14001-documentation-toolkit/ and ISO 9001:2015 Documentation Toolkit - https://advisera.com/9001academy/iso-9001-documentation-toolkit/ or for an integrated system - ISO 9001:2015 & ISO 14001:2015 Integrated Documentation Toolkit - https://advisera.com/14001academy/iso-9001-iso-14001-integrated-toolkit/
- Enroll for free courses - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/ and ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
- Books – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ and The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
I cannot fool you and write that. Certification is not just the output of a paper-filling operation. So, before buying any document, I invite you to enroll for free in our ISO 9001:2015 Foundations Course; that way you will plunge into the standard and get an idea about what it is and what is needed. And you will not lose your time, because you will learn the basics to interact with certification auditors in the future. Implementing a quality management system according to ISO 9001:2015 is about following some rules, satisfying customers, and meeting important objectives.
1. Do we need to get the consent before?
My assumption is that you have a legal obligation to send the health information to the Ministry of Health, and if this is the case you don't need to ask the data subjects for consent. However, in the privacy notice addressed to them you would need to mention that their personal data, as well as health data, will be sent to state authorities based on an existing legal obligation.
If you want to find out more about privacy notices check out this free webinar Privacy Notices under the EU GDPR (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/).
2. Are we allowed to keep copies of their ID cards?
I would advise you to keep copies of IDs only if you have a specific legal obligation to do so. There are very limited situations where keeping copies of IDs would be justified.
3. Are there any security requirements on how to protect health data?
The EU GDPR does not impose specific security requirements; these need to be decided depending on the types and categories of personal data you are processing. Since you are processing health-related data, I would suggest having in place stricter measures such as encryption both in transit and at rest. ISO 27001 can be used as an example of best practices when it comes to security measures.
4. We are sending some health data, but only non-aggregated/statistical data, to some of our producers that are outside the EU. Are there any specific things we need to do?
If the data is truly and irreversibly anonymized you can send it without restriction.
This is totally up to you. However, it is hard to believe that nobody is available, as it is quite important, especially if there is a data breach, so I highly suggest you find either a third party that is permanently involved and knows how your system works, or get somebody internal to fill in for the IT person and the DPO.
If you want to find out more about what is expected from a DPO check out this free webinar Role of the DPO according to EU GDPR (https://advisera.com/eugdpracademy/webinar/role-of-the-dpo-according-to-eu-gdpr-free-webinar-on-demand/).
You can say that your proposal for implementation starts with a Gap Analysis to establish a baseline, a starting point. Then, you can prepare an implementation plan to determine:
From there you can define an environmental policy and objectives, and evaluate priorities and design a set of action plans to act upon:
While implementing the action plans, training will be identified and given, procedures will be written, and monitoring plans will be designed and implemented. Then, an internal audit will be done, and a management review will take place to evaluate what was done and prepare the next management cycle iteration.
The following material will provide you more information about aspects and impacts:
- Article - Is a gap analysis desirable for ISO 14001 implementation? - https://advisera.com/14001academy/blog/2016/11/14/is-a-gap-analysis-desirable-for-iso-14001-implementation/
- ISO 14001:2015 Gap Analysis Tool - https://advisera.com/14001academy/iso-14001-gap-analysis-tool/
- Article - 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
- Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
- Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
- Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
- Enroll for free in this course – ISO 14001:2015 Lead Implementer Course - https://advisera.com/training/iso-14001-lead-implementer-course/
- Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
The ISO 45001:2018 standard does not dictate any specific process or format to follow for identifying and addressing OH&S opportunities. Many companies will simply do this through a brainstorming session with top management to identify what opportunities exist and what needs to be done about them; the opportunities can then be tracked through a simple spreadsheet or any other tracking mechanism used by the company for planned activities. Other companies may use a more formal SWOT analysis (Strengths, Weaknesses, Opportunities & Threats) to identify the opportunities that are available.
No matter what process you use, it is important to make sure it is a benefit for your organization and not just a complex and confusing process that you think you need to satisfy a requirement which does not provide any advantage to you.
For a better understanding of the requirements for risks and opportunities in ISO 45001:2018, see this article: What are the new requirements for risks and opportunities according to ISO 45001? - https://advisera.com/45001academy/blog/2018/04/25/what-are-the-new-requirements-for-risks-and-opportunities-according-to-iso-45001/
First of all, you have to check the contract/service agreement your organization has with AWS regarding security clauses. Normally such reviews are performed by means of audits (internal or by AWS certification bodies), or results of penetration tests.
These articles will provide you a further explanation about handling supplier security:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
There are 52 standards related to ISO 27001. You can recognize them by the prefix ISO/IEC 270xx. They are not related to specific clauses, but to some processes (e.g., risk management, implementation, measurement, etc.), and to controls from Annex A, where they provide detailed implementation guidance (e.g., physical security, cloud security, privacy, etc.).
The best known and most used are:
- ISO 27002 - It provides general guidance on the implementation of Annex A controls
- ISO 27005 - It provides general guidance on the implementation of information security risk management
- ISO 27017 - It provides specific guidance on the implementation of Annex A controls for cloud environments
- ISO 27018 - It provides specific guidance on the implementation of Annex A controls for privacy on cloud environments
- ISO 27031 - It provides specific guidance on the implementation of Annex A regarding IT disaster recovery
- ISO 27032 - It provides specific guidance on the implementation of Annex A regarding cybersecurity
At the ISO site you can find a complete list of related standards: https://www.iso.org/obp/ui/#search
(filters: standard and ISO/IEC JTC 1/SC 27)
For more information see:
- ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
- ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
- ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
- Understanding IT disaster recovery according to ISO 27031 https://advisera.com/27001academy/blog/2015/09/21/understanding-it-disaster-recovery-according-to-iso-27031/
- ISO 27001 vs. ISO 27032 cybersecurity standard https://advisera.com/27001academy/blog/2015/08/25/iso-27001-vs-iso-27032-cybersecurity-standard/
2 - I was keen to understand about risk: does it make sense to just use the ISO risk approach, or a methodology like the FAIR Institute's? Lost here in direction to study.
Answer: ISO 27001 does not prescribe which methodology to use for information security risk management, so you can use the approach that is best for your organization (e.g., FAIR, ISO 27005, ISO 31000, NIST RMF, etc.).
These articles will provide you a further explanation about risk management:
- How to address opportunities in ISO 27001 risk management using ISO 31000 https://advisera.com/27001academy/blog/2018/04/13/how-to-address-opportunities-in-iso-27001-risk-management-using-iso-31000/
- How to use the NIST SP800 series of standards for ISO 27001 implementation https://advisera.com/27001academy/blog/2016/05/02/how-to-use-the-nist-sp800-series-of-standards-for-iso-27001-implementation/
Process is just one part of a practice in ITIL 4, so you can use it while implementing ISO 20000.
Furthermore, practices in ITIL 4 contain Practice Success Factors and Key Performance Indicators, both of which can be used while implementing and maintaining an ISO 20000:2018-based SMS.
Processes in ISO 20000:2018 are:
1. Service catalogue management
2. Asset management / Configuration management
3. Business relationship management
4. Service level management
5. Supplier management
6. Budgeting and accounting for services
7. Demand management
8. Capacity management
9. Change management
10. Service design and transition
11. Release and deployment management
12. Incident management
13. Service request management
14. Problem management
15. Service availability management
16. Service continuity management
17. Information security management