  • Potential risks and opportunities associated with a road construction firm

    With your question I am assuming you are talking about the new requirements on Other Risks and Other Opportunities rather than OH&S Risks and OH&S Opportunities which are associated with Hazards identified in the organization. These new requirements ask you to think of other strategic-level risks that could impact your ability to prevent injury and ill health in the workplace, as well as other opportunities to improve the performance of the OHSMS.

    Unfortunately, this will be very unique to your specific organization and not just generic to road construction, so I cannot just provide you with a listing. For instance, a strategic risk could include finding out a supplier was going out of business which might affect your access to safety equipment, and a strategic opportunity could include a supplier developing a new machine that could positively impact safety in your organization. It is these strategic-level risks and opportunities that you need to include in your planning for the OHSMS.

    For more information on risks and opportunities in the ISO 45001 standard, see the articles:

    • What are the new requirements for risks and opportunities according to ISO 45001? https://advisera.com/45001academy/blog/2018/04/25/what-are-the-new-requirements-for-risks-and-opportunities-according-to-iso-45001/
    • The basics of ISO 45001 hazards, risks, and opportunities https://advisera.com/45001academy/blog/2021/02/22/the-basics-of-iso-45001-hazards-risks-and-opportunities/
    • Privacy Notice Webinar - EU GDPR Premium Kit questions

      1. Tudor Galos mentioned using a four column table in a privacy notice. I didn’t get the column details quickly enough. Were they “category of data subject”, “personal data to be processed”, “purpose”, “legal basis”?

      This was a recommendation on customizing the Privacy Notice template in your Privacy Notices template. The columns I recommended for the association between personal data categories & purposes were “Personal Data Categories”, “Purpose of processing”, “Legal Basis”.

      2. TG also referred to the kit containing granular privacy notice. Did he just mean that you provide different ones for e.g. employees, supplier employees, web users etc?

      Yes, I was referring to the privacy notices you have in EU GDPR Premium Documentation Toolkit. In general, if you have a specific processing operation, different than the ones you had until now, you might choose to write a new privacy notice to inform the affected data subjects.

      3. Our privacy notice should give the supervisory authority a data subject can complain to. We are based in the UK so obviously we give the ICO for UK residents. We process the personal data of EU residents, mainly from Germany, France and Spain. We have appointed an EU Representative with an address in Germany as that is where the majority of the data subjects are. Which EU supervisory authority should be put in the privacy notice?

      For people in the EU you could provide the details of the EU Representative and of the relevant data protection authority in Germany, from the region your EU Representative is established.

      4. When dealing with a corporate client or supplier, we may well be given the personal data – usually contact details – of other staff members. How do we deal with notifying them that we have their details? Commercially, it would be a bit odd if every time we emailed them direct. I could see us upsetting clients!

      If you are dealing with a corporate client or supplier, for the business relationship interactions – invoicing, emails with key updates, support, etc. – you are both data controllers. If your client/supplier is giving you details of other staff members, they are responsible for the processing and they should make sure that they inform their staff about this processing (transfer of information to you).

      Please also consult these resources:

    • Do we need ISO 13485?

      According to the MDR 2017/745, Annex VIII Classification rules, Rule 16 covers disinfectants and states the following:
      All devices intended specifically to be used for disinfecting or sterilizing medical devices are classified as class IIa, unless they are disinfecting solutions or washer-disinfectors intended specifically to be used for disinfecting invasive devices, as the end point of processing, in which case they are classified as class IIb.

      So, if your cleaning chemicals are used to disinfect those devices (mentioned in rule 16), they are either class IIa or class IIb. This means that you need to have certified your cleaning chemicals according to the MDR and your quality management system according to ISO 13485:2016.

    • Career in GRC domain.

      Governance, Risk, and Compliance is not our field of work, but considering information security aspects related to GRC you should consider these certifications:

      • ISO 27001 Lead Implementer – this certification recognizes people who have competency in the ISO 27001 implementation process.
      • ISO 27001 Lead Auditor – this certification recognizes people who have competency in auditing an ISMS against ISO 27001 requirements and want to become certification auditors (and this provides more confidence to an organization for being certified).

      These articles will provide you with a further explanation of ISO 27001 personnel certifications:

      For courses related to these certifications, please see:

    • ISO 27001 Management Review : Fulfillment of the security objectives

      Thanks a lot for your recommendation. Fortunately I've got the Advisera toolkit so will be able to see what is in the template shared :).

    • Doubts about the package of documents to buy

      To comply with the point you listed you can use the ISO 27001 documentation toolkit (https://advisera.com/27001academy/es/paquete-de-documentos-sobre-iso-27001/). Some documents in this toolkit that can help fulfill some of your points are:
      - Information Classification Policy (point 1)
      - Security Procedures for IT Department (points 2, 3, 4, 5, and 6)
      - IT Security Policy (points 2, 3, 6, and 9)
      - Access Control Policy (points 5 and 8)
      - Incident Management Policy (point 7)
      - Statement of Acceptance of ISMS Documents (points 10 and 11)
      - Confidentiality Statement (points 10 and 11)

    • Query on ISMS Scope

      You only need to include the implementation project team (i.e., yourself and the internal audit team) in the ISMS scope in case, once the implementation is finished, the project team will remain to perform other activities related to the ISMS.

      In your case, for example, since you are part of the IT Department, your role does not need to be explicitly included in the ISMS scope since the IT Department is in the ISMS scope. As for the Internal Audit Team, in case they will not perform the internal audit over the implemented ISMS, it does not need to be included in the ISMS scope.

      Regarding the offices, you only need to include them in the scope in case you consider that the information in the offices that are outside the scope of the outsourced services needs to be protected (e.g., printed information stored in the offices).

      In case only information that is handled by the outsourced services is to be protected, then the offices do not need to be included in the scope.

    • ISO 45001 and ISO 14001 in welding and fabrication shops

      Both ISO 45001 (Health & Safety management) and ISO 14001 (environmental management) allow your organization to go beyond simply meeting laws for the environment or health & safety, and instead have a coherent system that allows you to proactively manage these parts of your business. This is true for a welding and fabrication shop, just as it is for any other organization. The standards help to focus your efforts on identifying environmental interactions (called environmental aspects) and OH&S hazards with a focus on identifying the risk that is posed by each in order to apply controls to prevent environmental damage, injury or ill health.

      You can read a bit more on the benefits of ISO 14001 and ISO 45001 in the articles:

      • 6 Key Benefits of ISO 14001 https://advisera.com/14001academy/knowledgebase/6-key-benefits-of-iso-14001/
      • 4 key benefits of ISO 45001 for your business https://advisera.com/45001academy/blog/2015/09/30/4-key-benefits-of-iso-45001-for-your-business/

    • Performance Evaluation

      As an international standard, ISO 45001 is written to be used by any organization in any industry. As such, it will tell you what needs to be done in a process for OH&S, but not how to do it. So, ISO 45001 does not give details on how to conduct monitoring and evaluation, only providing requirements that you must determine what to monitor and evaluate and that you must ensure evaluation is adequate. As conducting monitoring and evaluation is something that will be specific to each organization, I cannot give you a specific procedure for M&E, nor what criteria to evaluate against, as this will differ from industry to industry, as well as area of the world. The best I can recommend is to look at industry best practices that are in place where you are located and work with these to develop the M&E process that will be best for you. Remember, the reason that ISO includes monitoring, measurement, analysis, and performance evaluation in the standard is to collect data that can be used to make good evidence-based decisions. So, choosing the right data and the right evaluation method is critical for this to be effective.

      You can read a bit more on how monitoring and measurement work in the article:
