The reason that the context of the organization has been included in the ISO 45001 standard is to ensure that an organization thinks about the internal and external issues that can affect their OH&S processes, as well as understanding who the interested parties are for the OHSMS and what their additional needs and expectations are for OH&S management, so that these can be included in the scope. These expectations will include business issues and risks that will need to be addressed to better prevent injury and ill health in the workplace. This is because an organization cannot simply meet the requirements of ISO 45001 for a management system, but needs to also include legal and other requirements from interested parties within these processes.
You can read a bit more about the context of the organization requirements in the article:
No, we do not. However, our Documentation toolkit for ISO 13485 and MDR is based on Good manufacturing practice.
The proposed way to handle likelihood and impact in the paper sounds good, and would be acceptable to fulfill the standard’s requirements for risk assessment, although it is a bit complex when compared with other risk assessment approaches, like the asset-threat-vulnerability approach commonly adopted for ISO 27001 ISMS.
Auditors use their checklist to go into reality, within the audit scope, to collect objective audit evidence with interviews and observations. Auditors interview auditees. What auditees say are not facts; what auditees say are pseudofacts. So, what auditees say must be corroborated with documents or records or direct observation. Auditors basically use documents, records, and direct observation to collect objective evidence. The following material will provide you with more information:
Generally, you should focus the ITIL implementation based on the following elements (your milestones):
1. Strategy – Define: where do you want to be? Who are your customers? Which market do you serve? How do you intend to achieve those goals?
2. Customer journey – define your activities (and related resources) throughout the customer lifecycle
3. Products and services – define activities related to your products and/or services. Define related methodologies.
4. Operation – once you have your products/services – define needed activities to support and maintain them. This also includes related resources (and their capabilities) as well as respective value streams
5. Measurement and metrics – define (and implement) appropriate measurements and metrics in order to ensure efficiency in service delivery
First, yes, you can have an integrated health, safety, and environmental policy. Second, whether or not that is the best approach for your organization will depend on the effective integration of the two systems. Third, in theory, I always try to integrate management systems because people in an organization do not work according to each management system in particular; they simply do their work. The following material will provide you with information about implementing integrated systems:
The standard by itself does not have limitations regarding technologies that can be used.
Any restriction related to the use of Microsoft Office regarding the certification process will depend on the results of the risk assessment or on applicable legal requirements, i.e., relevant risks that can be treated only by not using the software, or laws, regulations, or contracts that need to be fulfilled by the organization and that prevent the use of the software.
In case there are no relevant risks or applicable legal requirements preventing the use of the software, its use will be accepted regarding the ISO 27001 certification.
You can use 05. Appendix 1 Registry of Key Risks and Opportunities.
As per the definition of impartiality, and referring to clause 4.1.4, consider any risks to the presence of objectivity, i.e., risks that could result in conflicts of interest, bias, prejudice, or unfair practices.
Consider risks that could arise from the activities, organisational relationships, or from the relationships of personnel. ISO 17025 provides examples of such relationships that can threaten the impartiality of the laboratory: they can be based on ownership, governance, management, personnel, shared resources, finances, contracts, marketing (including branding), and payment of a sales commission or other inducement for the referral of new customers. List these and all possible risks, even if they do not exist, and indicate how they are controlled. If a risk does exist, list the control to remove the risk, or to reduce it to a low level that is not significant. Examples of controls are a clear, independent organisational structure with clear roles and authorities, and contract review, supplier evaluations, and personnel contracts that look for and protect impartiality.
For more information, see my response to a question Assuring impartiality and confidentiality at https://community.advisera.com/topic/assuring-impartiality-and-confidentiality/
Hello,
You can also consider doing the ISO27001 Lead Implementer and ISO27001 Internal Auditor course, and provide consulting services for implementing ISO27001 in organizations and conducting internal ISO27001 audits.