  • OHSAS 18001 vs IMS certification


    Answer:
    The integrated management system (IMS) is intended to include more than one management system standard, but which standards are included in your IMS is up to you. For all of the standards that you have included in your IMS, your certification audit should include a certification audit of all the different standards. A certificate should be issued for each standard that is included, since not every IMS includes the same standards (e.g. one IMS may include quality and environmental, another may include quality and OH&S, a third may include IT safety and environmental, etc.).
    So, for your example above, if your IMS included OHSAS 18001 then your IMS audit should have included certification to this standard and you do not need to do it separately. If you are adding an OH&S management system into your IMS where it was not there before, then you will need to do this implementation and then have the certification audit completed for the new OHSMS.
    If you are only now adding an OHSMS, you should really look at the ISO 45001 standard as the OHSAS 18001 standard has been replaced by this new standard and will become obsolete in the near future with companies transitioning over. You do not need to maintain certification to both standards, nor should you.
    For more information on integrating management systems, you can see the free whitepaper: How to integrate ISO 9001, ISO 14001 and ISO 45001, https://info.advisera.com/9001academy/free-download/how-to-integrate-iso-9001-iso-14001-and-iso-45001
  • GDPR data controller or processor

    We've received another question:

    >Thank you, sir, for your prompt reply.
    >My company is planning to move towards the cloud and wants to provide the billing feature as Software As a Service. Will this change my role as a data processor?

    Answer:

    No, this won't change your role as a data processor.
  • From conformance to performance


    Answer:
    Yes, but…
    That motto is all about conformance. It is all about doing things right. And conformance is an important issue with ISO 9001. I always use the example of the Titanic sinking while the musicians continue to play and the waiters continue to serve drinks. More important than doing things right is doing the right things. A management system should focus on performance. Speaking about mottos, I have used one since 1999: “From conformance to performance”. By the way, look into the ISO 9000:2015 definition of management system: performance is the name of the game.

    The following material will provide you information about performance evaluation:
    - ISO 9001 – How to implement the Check phase (performance evaluation) in the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/11/17/how-to-implement-the-check-phase-performance-evaluation-in-the-qms-according-to-iso-90012015/
    - How to define Key Performance Indicators for a QMS based on ISO 9001 - https://advisera.com/9001academy/24/define-key-performance-indicators-qms-based-iso-9001/-iso-9001/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Law enforcement agencies


    Answer:

    It is the duty of the data controllers to mention in their privacy notices which third parties would have access to the users' personal data.

    If you want to find out more about Privacy Notices check out this free webinar Privacy Notices under the EU GDPR (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/).
  • Service catalogue

    Answer:
    Backup is probably one of your enabling services, meaning that you need this service in order to provide other service(s) to your customer(s). Therefore, it should be part of the Service Catalog, but you will keep this service for internal view only, i.e. it will be part of the Technical Service Catalog.

    If you sell backup as a service, then it should be part of the customer's Service Catalog, i.e. the Business Service Catalog.

    For more information, please read the articles "Service Catalogue – a window to the world" https://advisera.com/20000academy/blog/2013/03/19/service-catalogue-window-world/ and "Service Catalogue – Defining the service" https://advisera.com/20000academy/blog/2014/03/11/service-catalogue-defining-service/
    and watch our free webinar "ITIL Service Catalogue from scratch" https://advisera.com/20000academy/webinar/itil-service-catalogue-from-scratch-free-webinar/
  • Working with Organizational Knowledge


    Answer:
    When I work with organizations, facilitating the implementation of a quality management system according to ISO 9001:2015, about clause 7.1.6 “Organizational Knowledge”, I draw the following matrix:

    https://www.screencast.com/t/XS7rxCzRoa

    The first and second paragraphs of clause 7.1.6 are about quadrants 1 and 2.
    Quadrant 1 is about what we know that we know – that is written in procedures, work instructions, tables, specifications. Normally, it is listed or codified in job descriptions, and when someone starts in a new position human resources plans an integration program with that knowledge transfer.

    Quadrant 2 is about what we don’t know that we know – that is work experience not codified, you know, unwritten rules. Normally, it is transferred through coaching with more experienced job partners.

    The third and fourth paragraphs of clause 7.1.6 are about quadrants 3 and 4.
    Quadrant 3 is about what we know that we don’t know – that is information that, when an organization realizes it is missing, can be obtained through training, books, seminars, consultants, suppliers, technical magazines. For example, this question fits in this quadrant.

    Quadrant 4 is about what we don’t know that we don’t know – I call it the radar. How does the organization keep a radar working on relevant information that can change the future of the business? Normally, organizations keep track of anything new through books, magazines, blogs, conferences, networking, suppliers, …

    For example, many years ago, I was working in a process engineering team in the chemical industry. One afternoon, one of my colleagues, reading a technical magazine, started to comment in a loud voice about a new kind of material for storage silos. Rapidly, we in the room started a kind of brainstorm about benefits and drawbacks. After that, my colleague contacted the manufacturer, requested technical information and presented it to our board of directors. After some calculations, it was easy to conclude that the new material had a lot of advantages. We used it in the next plant expansion.

    So, organizational knowledge can be much more than work instructions. Just about quadrant 1, don’t forget to mention job descriptions that list knowledge requirements.

    The following material will provide you information about organizational knowledge:
    - ISO 9001 – How to manage knowledge of the organization according to ISO 9001 – https://advisera.com/9001academy/blog/2016/08/30/how-to-manage-knowledge-of-the-organization-according-to-the-iso9001/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Use of Mobile Device and Teleworking Policy and Clear Screen and Clear Desk Poli

    If a Mobile Device & Teleworking Policy and Clear Screen & Clear Desk Policy would not be adequate, would there be another more 'achievable' way how to restrict access?

    Answer: First of all, sorry for this confusion.

    Use of Mobile Device and Teleworking Policy and Clear Screen and Clear Desk Policy is the proper treatment for situations like that, where you do not have control over some locations from where employees can access information (home, office, etc...), since these policies define secure behavior for teleworkers when they are out of organization premises.

    2. I assume the Risk Treatment Table only has to contain the unacceptable risks, right?

    Answer: Besides unacceptable risks, the Risk Treatment Table also has to include acceptable risks related to controls to which you want to make modifications or improvements (e.g., if you want to update a technology related to a control, or set up new parameters).
  • Legal requirements identification

    Do you have a comprehensive list of all of them that I can edit and select the ones that are applicable to us?

    Answer:

    The development of such a list would require legal knowledge of laws and regulations of many countries, and this kind of knowledge is out of our field of expertise.

    Generally speaking, some other examples you should consider are:
    - Protection of personally identifiable data
    - Continuity of telecommunication services
    - Protection against computer systems misuse
    - Secure exchange of data

    In this case, we suggest hiring local legal advisers to evaluate your identified requirements documents.
  • ISMS documentation


    Answer:

    In the ISMS implementation, the risk assessment and treatment process is performed after ISMS scope and Information Security Policy definition, starting with the definition of the Risk Assessment and Treatment Methodology.

    After implementation, risk assessment is normally performed once a year or every time there is a significant change in the organizational context.

    These articles will provide you further explanation about risk assessment:
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
  • ISO 22301 documents and competencies

    - the replacement scheme
    - the task documenting
    as you said in one of the articles?

    Answer: Through a replacement scheme (where during normal operation different people perform the same activity) you ensure that more than one person knows how to perform an activity, so in case the main operator is unavailable another person can resume his activities.

    Regarding documentation, it ensures that knowledge will be retained by the organization in case the person who performs the activity leaves the organization, and it helps to define a standard way of doing things, supporting the replacement scheme.

    2. Is there any specific requirement in the standard regarding these 2 points?

    Answer: There is no requirement for a replacement scheme in ISO 22301; however, clause 7.2 (competence) requires that persons are competent for doing work that affects business continuity, and this can be used to support the replacement scheme practice.

    Regarding documentation, clause 7.5.1 requires documentation of information determined by the organization as being necessary for the effectiveness of the BCMS. So, if a critical activity is considered important to the organization for business continuity, then it should be documented.

    For further information see:
    - Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/