Answer:
You have asked about some very important elements in the OHSMS. Clause 4.2 (need & expectations of workers and interested parties) requires that you identify any parties (people, organizations, agencies) that have an interest in your OHSMS and determine what their expectations are. What do your workers need? What are the expectations of the OH&S laws you need to meet? Then you need to determine which of these expectations are legal or other requirements you need to comply with. This does not need to be written down, but it is definitely helpful to do so as it needs to be reviewed regularly.
Clause 4.3 (Scope of the organization) needs to define the boundaries and applicability of the OHSMS. In other words, exactly where do the rules, policies and processes of your OHSMS apply? This does need to be written down, and will be used by your certification body to know where they must audit. You can learn more in this article: How to determine scope of the OH&SMS, https://advisera.com/45001academy/blog/2015/12/09/how-to-determine-scope-of-the-ohsms/
Finally, Clause 4.4 does not require any specific documentation, but instead refers to everything you put in place to meet ISO 45001 and your requirements. The clause states you need to establish, implement, maintain and continually improve your OHSMS. This means you need to define what the processes will include (establish), make sure everyone using the process understands the requirements (implement), keep this up by training new people who come on board and ensure changes are understood (maintain), and finally to make the processes better over time (continually improve).
To help make sure you have all the required documentation in your filing checklist, you can see the free whitepaper: Checklist of Mandatory Documentation Required by ISO 45001, https://info.advisera.com/45001academy/free-download/checklist-of-mandatory-documentation-required-by-iso-45001
Residual risk
Answer:
First it is important to note that ISO 27001 does not define what residual risk means, nor how it is determined.
However, consulting ISO 27000, which presents the vocabulary for information security management systems and is referred to in section 3 of the standard, residual risks are the risks remaining after risk treatment.
Considering that, the auditor's statement is not correct, because at the point where residual risk acceptance is required (after approval of the risk treatment plan) some controls may not have been implemented yet, so calculation of residual risk is the only way for decision makers to have an estimate of whether the selected controls are sufficient.
Maybe what the auditor has tried to say is that you cannot take a calculated residual risk as real until you measure the effects of implemented controls. You can consider it at most as an expected residual risk until the first measurement and evaluation of controls effectiveness, which will validate or not your calculation.
Implementing an environmental management system according to ISO 14001 is a voluntary decision and it’s a management decision. Your organization should evaluate the cost-benefit of that decision. To be certified, all ISO 14001 clauses should be considered.
> 1. Hi, I need further information about ISO 13485 report writing. How many reports should be given to the client for one ISO 13485 certificate?
Answer:
I assume that by "how many reports should be given to the client for one ISO 13485 certificate" you mean how many reports the certification body provides to the client after the certification audit is finished. If that was your question, then this is the answer to it.
- The number of reports depends on the certification body's rules. Some certification companies have one report, while others have two: Management Summary and List of findings.
If I misunderstood the question, can you please provide some clarification? Thank you in advance.
> 2. Lead auditor must be responsible to prepare the report but, how about technical expert part?
Answer:
The lead auditor is responsible for preparing and finalizing the report. The technical expert fills in only the part that is related to the area that he audited.
> 3. Does it make sense if the audit and report (summary certification report) shall be covered by only one auditor?
Answer:
Yes, the audit report can be covered only by the lead auditor. He is responsible for it. But if there is a technical expert in the audit team, it should be mentioned somewhere in the report.
For more details on what the certification process looks like, what the phases of the certification audit are, what the auditor can and cannot do, and how to solve non-conformities from the certification audit, please take a look at the following material:
What to expect at the ISO certification audit: What the auditor can and cannot do https://info.advisera.com/free-download/what-to-expect-at-the-iso-certification-audit
Electronic signature for ISO 13485 documentation
Answer:
Simple Adobe Sign is enough. ISO 13485 does not dictate the form of signature used. Companies can use electronic documents even without a digital signature; it is sufficient to prove that the authorized person has approved them through email or a document management system.
Medical device file structure
Answer:
There is no template for the Medical device file because its content is defined by the Medical Devices Directive 93/42/EEC (https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:1993L0042:20071011:EN:PDF). The Directive states which documents are required. A Medical device file template is quite hard to do because there is an extremely wide range of different things that are considered medical devices: from spoons for giving antibiotics through a variety of software, infusion tubes, gauze and covers for surgery to artificial hearts.
A Medical device file includes descriptions of design records, manufacturing processes, product specifications, device usage guides, quality measurement criteria, levels of compliance with regulatory bodies and quality standards, and, if required, servicing and installation records and their guidelines. You can find more details on how to prepare a medical device file at the following link: https://advisera.com/13485academy/blog/2017/06/28/how-to-meet-iso-13485-requirements-for-medical-device-files/
Legal requirements and security awareness
Although the call was very interesting for us, some new questions are still emerging and we would like to get support from emails. I will start with two questions:
1. When I'm looking for my suppliers and they only have EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield accreditations for information privacy, is that enough to assure compliance with ISO 27001? And what about SOC 2 and SOC 3?
Answer: Considering ISO 27001, your suppliers need to be compliant with the legal requirements your own organization must be compliant with regarding information security, if they will have access to information in the scope of your ISMS. Considering that, if your organization must be compliant with SOC2 and SOC3, and your suppliers will have access to information related to these two requirements, then your suppliers will also have to be compliant with SOC2 and SOC3. If this is not the case, then your suppliers do not need to be compliant with such legal requirements.
2. Now talking about security awareness for all employees, is the confirmation that all employees watched a series of security awareness videos (like the ones in Advisera eTraining) enough for being compliant with ISO 27001 A.7.2.2 ?
Answer: Regarding awareness, a confirmation that an employee has watched security awareness videos will be sufficient to comply with control A.7.2.2. But you must note that this control also covers training and education, and for these, evaluations of improvement after the training or education activities are also required.
ISO 27005 is a supporting standard to ISO 27001, detailing how to implement risk management for information security (basically covering ISO 27001 clauses 6.1.2 and 6.1.3).
Considering that, if you already defined a risk assessment and treatment process for your ISMS, then you have to evaluate if your defined approach is compliant with ISO 27005, and make proper adjustments. If you have not defined your risk assessment and treatment process yet, then you only need to follow ISO 27005 recommendations for each step of ISO 27001 clauses 6.1.2 and 6.1.3.
This article will provide you further explanation about implementing risk management:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
Answer:
Depending on the organization (implementing ITSM) as well as process maturity, there are many elements that must "fit" so that ITSM is implemented (which could be very broadly interpreted, anyways).
So, here are a few items that must be in place, adapted to the services you provide and manage:
- processes
- organization
- tool(s)/technology
- partners
Start rolling a plan for the implementation of an IMS
Answer:
I recommend an approach like this one:
1. Why does your organization exist? It exists to offer dairy products. Consumers buy dairy products from your company's clients, and they pay your company for the supplies. So, I start by determining who the interested parties are, what they want/need from your company, and what your company wants/needs from them.
2. Draw a model of how your organization works based on the process approach. I use this model as the anchor because the company only exists because of clients and consumers.
3. Assess your company’s environmental aspects and impacts based on your processes, products and services. Later, when you decide how to handle the relevant environmental aspects consider what kind of changes or controls should be introduced or improved in each process. This is important because you want to have an IMS, you don’t want people to wear different hats if they are working on quality, environment or health and safety. You want that people do their work and while doing their work they produce good products, minimize environmental impacts and do it safely.
4. Do the same for health and safety.
5. Previous steps will help you develop the operational side of the IMS.
6. Now, you have to develop the strategic side: consider strategic orientation, the context and risk analysis, a common policy and objectives, and your action plans.
7. Develop a monitoring and control plan.
8. Perform internal audits and a management review.
The following material will provide you with more information about integrated management systems:
- How to implement integrated management systems – https://advisera.com/articles/how-to-implement-integrated-management-systems/
- Free webinar – How to integrate ISO 9001:2015 and ISO 14001:2015 – https://advisera.com/9001academy/webinar/how-to-integrate-iso-90012015-and-iso-140012015-free-webinar-on-demand/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Enroll for free course - ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
- ISO 9001, ISO 14001 and ISO 45001 Integrated Documentation Toolkit – https://advisera.com/9001academy/iso-9001-iso-14001-iso-45001-integrated-documentation-toolkit/
- book – THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business – /books/the-iso-14001-2015-companion/
- book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/