Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11269 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Incidents that won't be fixed
Answer:
It's hard to generalize. If incidents can't or won't be fixed, it's good idea to have marker that no further action was taken. If there is a place to enter resolution code, yes you can do as proposed. -
Drafting OH&S Policy
Answer:
According to ISO 45001, OH&S Policy should contain the following:
- a commitment to provide safe and healthy work environment;
- a commitment to fulfill legal and other requirements;
- a commitment to eliminate hazards and reduce OH&S risks;
- a commitment to continual improvement of OH&S management system; and
- a commitment to consultation and participation of workers or their representatives.
In addition, the commitments stated in the policy should provide framework for establishing OH&S objectives.
The reason for regular review of the policy is to ensure it's adequacy, relevance and appropriateness. This does not mean that you need to change the policy every year, but it does how to be reviewed by the top management.
For more information, see the following articles:
- How detailed should your occupational health & safety policy be? https://advisera.com/45001academy/blog/2017/06/21/how-detailed-should-your-occupational-health-safety-policy-be/
- How to write an OH&S Policy https://advisera.com/45001academy/blog/2015/06/19/how-to-write-an-ohs-policy/ -
Resources for ISMS and BCMS implementation
Answer: First it is important to understand that there are two types of manpower needed: the members of the project team (e.g., project manager, consultant, other team members, etc.), which work directly in the project, and the personnel from the business units and processes included in the ISMS/BCMS scope (e.g., business units managers, key users, and other employees), that mostly provide information and work during controls and practices implementation.
Considering that, the number of required personnel for the project team generally goes from 1 to 5 on small to mid size organizations, while the number of personnel from business units and processes will vary depending on the complexity of the organizational structure (e.g., number of sites and departments). Normally for a smaller to mid-size company a project manager will need to spend ca 20% of his total work time (e.g. one day a week) during the implementation period.
This article will provide you additional support:
- Who should be your project manager for ISO 27001/ISO 22301? https://advisera.com/27001academy/blog/2014/12/01/who-should-be-your-project-manager-for-iso-27001-iso-22301/ -
Data controller or data processor
Answer:
It is not likely for a company to only be a data processor. As long as that company has employees it would be acting as a controller regarding their (employees) data. The same goes for the data of their business contacts.
However, there are certain documents which are not relevant when you are only a processor such as : the privacy notices, the data subject access request documents as well as the data breaches notifications.
To learn more about controllers and processors check out our “EU GDPR Foundations Course” ( https://advisera.com/training/eu-gdpr-foundations-course//). -
Cross border processing
1. Does this mean we have to establish a lead supervisory authority fort his activity?
2. If the client from another country manipulates his own data on our server does this constitute a cross border activity?
Answers:
1. First of all when describing your activity you seem to be a processor as regards to the data of your client, so is them (your clients) not you that could identify the lead supervisory authority. Identifying the lead supervisory authority is not mandatory under the GDPR.
2. Cross border data transfer means (under the GDPR) when an Exporter located in a EEA country transfers data to a Importer w hich is located outside the EEA. In your case since you are located in the EEA when you receive data there is cross border data transfer. -
MAO vs RTO
Answer: MAO and RTO are similar things, but not the same. MAO is maximum outage for a particular activity, whereas RTO is targeted time for recovery, and is usually shorter then MAO.
It works like this: first you define MAOs for all your activities, then see if there are any interdependencies, and once you realize that e.g. activity A depends on activity B, you will need to decrease the activity B's RTO to the time that will fit the MAO of the activity A.
This principle is explained further in this article: How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/ -
ISO 9001:2015 to AS9100 Rev D transition
1. Is AS9102 part of AS9100?
2. Is there a Standard that we need to purchase...such as I did for ISO 9001? If so, what do I use for reference to make sure I get the correct one?
3. Does the revised AS9100D include everything I would need to get us started and take us through the most current for certification?
4. Is there duplication that can be omitted or copied from the ISO 9001:2015 for certification for AS9100?
5. Is there any other information that would be helpful to me to present to upper management?
Answer:
The changes from ISO 9001:2015 to AS9100 Rev D is to include some additional requirements for the aerospace indus try onto the QMS you already have in place, here3 are the answers to your questions.
1. AS9102 is a separate standard that defines how to do first article inspections (FAI), including the forms to complete. This is referenced in AS9100 Rev D but is not formally required by AS9100. The AS9102 document is one way to do the required FAI, but unless it is a requirement of a customer to follow this specific process you can perform FAI as it suits your company.
2. You will need to get the AS9100 Rev D standard which was released in 2016. This can be found at www.sae.org, or other standard suppliers. The same can be said for AS9102, always get the most recent version of a standard.
3. The AS9100 Rev D standard includes everything. It actually includes all of ISO 9001:2015 with the additional requirements written in bold and italics so that you can see what has been added.
4. As hinted at above, the AS9100 standard uses the ISO 9001:2015 standard requirements in their entirety and simply adds to them, in fact by being certified to AS9100 Rev D you are also certified to ISO 9001:2015. So, if you are going from ISO 9001:2015 to AS9100 then the QMS you have will simply need to have some additions. For instance, a process for prevention of counterfeit parts, and some additional things to include in your corrective action process.
5. I would consider looking through our whitepaper on the AS9100 clauses, which can be compared to what you already have for ISO 9001 to see what sort of things are added. https://info.advisera.com/9100academy/free-download/clause-by-clause-explanation-of-as9100-rev-d -
Response to AS9100 certification NC
Answer:
While it is true that AS9100 does not specify a timeline that you need to close a corrective action, certification bodies do have their own rules about responding to non-conformances found in certification audits. They are not able to certify your company if they have found a problem and you have not completely fixed that problem (i.e. closed the corrective action); if you only have a plan to fix the problem they cannot grant certification. An expectation to have the certification audit non-conformances fixed and closed in 30 days is a standard timeline from certification bodies, I have not seen expectations that give m ore time.
I would recommend looking at this 9001Academy blog post on how to proceed once a corrective action is identified as it is applicable to the AS9100 QMS as well: https://advisera.com/9001academy/blog/2016/09/20/how-to-proceed-once-qms-corrective-action-is-defined/ -
Benefits of ISO 27001
Answer: You need to show to your director what are the benefits of ISO 27001, which basically are 4: Compliance, Marketing edge, Lowering expenses and putting your business in order. To know more about these benefits, please see this article “Four key benefits of ISO 27001 implementation” : https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
This free webinar can be also interesting to know how to obtain the management support “ISO 27001 benefits: How to obtain management support” : https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/ -
Documenting risks and opportunities
2. How do we document risk and opportunities from environmental aspect?
Answer:
1. You don´t need to document risks and opportunities at department level, you just have to identify the risks and opportunities that are present for your EMS, decide which need to be addressed, and keep documentation of the risks and opportunities you will address.
2. You can create a formal Risk Register within the EMS where identification, discussion, actions, outcome, and monitoring can all be listed and results clearly evaluated. Again you just need to document those risks that arise from environmental aspects and need to be addresed.
These materials can help you with the risks andopportunities:
- Article - Risks and opportunities in ISO 14001:2015: what they are and why they are important: https://advisera.com/14001academy/blog/2016/03/07/risks-and-opportunities-in-iso-140012015-what-they-are-and-why-they-are-important/
- Article - ISO 14001 r isks and opportunities vs environmental aspects: https://advisera.com/14001academy/blog/2016/06/06/iso-14001-risks-and-opportunities-vs-environmental-aspects/
- Book - The ISO 14001:2015 companion: https://advisera.com/books/the-iso-14001-2015-companion/
- ISO 14001:2015 Foundations Course: https://advisera.com/training/iso-14001-internal-auditor-course/