Updates to Standards Autumn 2014, from UL DQS Inc. (source: dqsus.com/.../uldqsupdatestostandardsonlineversion.pdf)

Draft International Standard ISO 14001:2014 – Key Changes

On July 1, 2014, the Draft International Standard (DIS) ISO 14001 was made available to the National Standards Bodies, and the three-month public comment period began on August 28, 2014. Anyone with relevant expertise or experience to offer can comment; more information about that follows below. The DIS is the fourth stage of a six-stage process that will culminate in the publication of the new standard, ISO 14001:2015, approximately in the third quarter of 2015.

The main change from the current ISO 14001:2004 to ISO/DIS 14001:2014 is a shift towards improving environmental performance rather than improving the management system itself. Many of the key changes connect to this shift and leverage it in various ways. The new version will include a requirement to understand the organization's context in order to better manage risk, and the DIS places more emphasis on leaders within organizations promoting environmental management.

Many of the concepts of the current version (ISO 14001:2004) remain in effect in the revision; however, ISO/DIS 14001:2014 embodies several important changes. Leaders of organizations certified under the current standard should understand how the new elements in the DIS might influence their Environmental Management Systems. Developing this level of awareness is a solid step towards making the transition to the forthcoming new standard.

Changes to ISO 14001

Following are examples of the changes to the current version of ISO 14001 found in the DIS: the layout is restructured; "product" is now "products and services"; risk reviews are now a formal part of the standard; the standard has gone from 8 sections to 10; there is no longer a requirement to document every procedure; there is a greater level of alignment with strategic direction; and the DIS reflects the evolution of computer- and cloud-based systems for running management systems.

The likely changes to ISO 14001 fall into three general categories:

• High Level Structure: the development of the new standard incorporates the new High Level Structure from ISO Directives Annex SL, which addresses the need to easily combine or integrate different management system standards in an effective manner.

• Terminology: the DIS incorporates common terminology from ISO Directives Annex SL and other definitions that clarify the new standard's requirements. One new term used throughout ISO/DIS 14001:2014 is "determine." The DIS defines "determination" as "activity to find out one or more characteristics and their characteristic values." The idea is that leaders of organizations will need to consider how they can provide evidence that a process of determination has taken place and that a measurable output from that process exists. The word "determine" is strategic in that it connects the DIS's shift towards environmental performance with several modified and new elements of the DIS, for example the enhanced meaning of "leadership responsibilities" and "interested parties," as well as the introduction of "context of the organization."

• ISO 14001 Revisions: the DIS includes specific key changes introduced as part of the ISO 14001 revision process.

Key Changes

What follows are summaries of some of the likely key changes to the Environmental Management System (EMS) standard, along with a comparison with the current requirements.

Context of the Organization – The DIS incorporates a new requirement to understand the "context of the organization" to help an organization identify its negative and positive impacts on the environment, so that it can better mitigate negative effects while leveraging opportunities that benefit both the organization and the environment. "Context" addresses the intangible aspects of a business (political, social, cultural, economic, and so on), while it is now helpful to think of "scope," a concept used in management system standards from the beginning, as the tangible aspects related to the system: physical and organizational boundaries, processes, products, and so on. The term "determine" is a key factor here, because ISO/DIS 14001:2014 calls for an organization to determine the context it operates within as well as the scope of its environmental management system. Understanding how the new concept of "context" and the evolved meaning of "scope" work together will help an organization fit the different EMS elements to its unique circumstances instead of taking a generic approach.

Interested Parties – The ISO 14001:2004 description of the many types of interested parties still applies. The original definition includes those groups that "can affect and be affected by a decision or activity" in the environmental management system. Historically, interested parties included stakeholders, customers, employees, suppliers, and so on; the DIS now adds the phrase "perceive itself to be affected" to the definition. This places responsibility on the organization to identify these groups, both across its processes and within the surrounding community, using its defined "context" when making this determination.

Leadership – While the concept of Top Management being ultimately responsible for the establishment, implementation and maintenance of the EMS is still present, ISO/DIS 14001:2014 specifies more requirements and duties in this area. Top Management is now expected to be directly involved in the EMS and to build the system requirements into the organization's overall business strategy, ensuring that the intended outcomes of the EMS are achieved.

Life Cycle – This is a new concept for the ISO 14001 standard. It introduces a requirement not only to review the significant aspects and impacts the organization identifies for its specific processes, but also to ensure that the upstream and downstream processes related to those significant aspects are controlled or influenced. In environmental compliance the "cradle-to-grave" concept has always been present; the new thinking on life cycle brings this idea into how the organization thinks about its systems. The DIS defines life cycle as "consecutive and interlinked stages of a product system, from raw material acquisition or generation from natural resources to end-of-life treatment." Life cycle covers activities, products and services, and may include procured goods and services as well as the end-of-life treatment of products and the delivery of services. Examples of stages are design, manufacture, transport, packaging, and end use or disposal.

Preparing for Change

First, it is important to remember that you do not have to do anything until the final standard has been published (towards the end of 2015) and the requirements are known. Organizations are granted a three-year transition period after the revision has been published to migrate their environmental management system to the new edition of the standard.

If your organization is currently certified, you should: monitor changes; talk with your client manager or assessor; consider the integration opportunity that the High Level Structure provides with your other existing management systems; and make senior management aware that a change is coming that will require a transition plan and resources. Also consider purchasing ISO/DIS 14001:2014 and providing commentary from a practical perspective. You can purchase the DIS from ISO at www.iso.org/iso/catalogue_detail?csnumber=60857.

How to Comment

Anyone with expertise or experience to offer can comment. Please submit all contributions and comments via your national member body. The American National Standards Institute (ANSI) is the national member body for the US. A list of, and links to, all ISO national member bodies is available at http://www.iso.org/iso/home/about/iso_members.htm.

Shift Towards Environmental Performance

While ISO/DIS 14001 reflects the requirements and intent of the original standard, it also shifts the emphasis from improving the management system to improving environmental performance. The evolving ISO 14001 standard will require the identification and incorporation of internal and external factors into the organization's overall strategy, both short term and long term. Our next article on ISO/DIS 14001:2014 will further explore other new requirements, such as risk-based thinking and environmental performance. Stay tuned, and please do send us your questions and comments.


Responsible Care® RC-14001:2013 and RCMS:2013 Standard Revisions

The RC-14001 and RCMS standards, the chemical industry's environmental, health, safety and security (EHSS) performance initiative originally released in 2002, recently underwent a revision and were re-released in 2013. The revision incorporates changes based on issues identified by members, partners and registrars, and on board recommendations on waste and energy efficiency. Additionally, the task force working on the revision ensured that any changes would provide value and would align with the American Chemistry Council's Process Safety Codes. The program revisions serve the principle of enhancing the performance and credibility of the chemical industry through Responsible Care. What follows is a brief summary of the changes to the RCMS and RC-14001 standards.

RCMS® Responsible Care Management System

Element 1.1 now includes a requirement for the policy to be made available to the public.

Element 2.1, which initially required the site to identify hazards and prioritize risks, now requires organizations to consider new items, including activities associated with their operational energy efficiency and with waste minimization, reuse and recycling. Sites are not necessarily required to have energy or waste among their prioritized risk aspects; they just have to show that they considered them.

Element 3.4 adds the requirement that sites verify competency for persons performing tasks directly related to the organization's prioritized EHSS risks.

Element 3.5.2 states that, in addition to having a process for making product stewardship information publicly available, the process shall now include product safety information.

Element 4.2 now requires the organization to periodically evaluate its compliance with relevant health, safety, security and environmental legislation and regulations, as well as its conformance with other Responsible Care®-related requirements to which it subscribes.

Element 4.3 adds the requirement that an organization conduct internal audits of the effectiveness of its Responsible Care management system to determine whether it has been properly established, implemented and maintained. Additionally, audits shall occur at planned intervals, with audit frequency commensurate with the risks associated with the operations, the results of previous audits, and changes to the management system.

Element 4.4 states that, commensurate with risk, the organization shall have a process to use, as appropriate, that reviews and assesses customers, suppliers, contract manufacturers, carriers, distributors, contractors and third-party logistics providers based on Responsible Care or other health, safety, security and environmental performance criteria established by the organization.

Element 4.6 previously required root cause analysis of incidents, accidents and non-conformities within the management system; it is now modified and split into two sub-elements:

• 4.6.1 – Identify, investigate and assign significance
• 4.6.2 – Based on the determined level of significance:
  • Identify root causes
  • Address and mitigate any adverse impacts
  • Initiate and complete corrective and preventive actions
  • Share key findings and associated corrective and preventive actions with relevant internal and external stakeholders, and
  • Review the efficacy of corrective and preventive actions taken

Element 5.1 adds the new requirement that outputs from the management review shall include any decisions and actions related to possible changes to the policy, goals, objectives and targets, and other elements of the Responsible Care management system.

Other modifications include an updated glossary and terms appendix, a listing of current ACC member/partner company requirements, and updated web links for ACC documents.

RC-14001 – Responsible Care Management System plus ISO-14001: 2007

Section 4.3.1, Aspects and Impacts identification, now includes additional wording that requires the organization to consider operational energy efficiency, waste minimization, and reuse and recycling when identifying its aspects and impacts.

Section 4.4.6, Operational Control, includes a wording change to sub-element "h" to ensure that an organization has a process to use, as appropriate, that reviews and assesses the following: customers, suppliers, contract manufacturers, carriers, distributors, contractors and third-party logistics providers, based on Responsible Care or other health, safety, security and environmental performance criteria established by the organization.

Section 4.5.3, Non-conformity, corrective and preventive action, changes the language on incident and accident investigation to ensure that the organization has "a process to identify, investigate cause(s) and assign significance to incidents and accidents. Appropriate corrective and/or preventive action(s) shall be taken to avoid recurrence."

Additional changes made to the RC-14001 standard include the following:

• Use of the Responsible Care® logo (Introduction section, bottom of page 5)
• Definitions and Interpretations (Appendix 1): new note 2 on page 20, "other requirements to which it subscribes"
• ACC RC Requirements (Appendix 2)
• Responsible Care federations' website listing (Appendix 3)
• ACC website listings

Since January 2014, UL DQS Inc. has conducted audits pursuant to the 2013 revisions and makes recommendations to upgrade certificates as appropriate.


New Version of ESD S20.20 Released

The Electrostatic Discharge Association (ESDA) just released the 2014 version of the ESD S20.20 standard, "Protection of Electrical and Electronic Parts, Assemblies and Equipment (Excluding Electrically Initiated Explosive Devices)." ESDA posted the new S20.20-2014 standard on its website and is offering a complimentary PDF version; registration is required. The normal purchase price for a PDF of this standard is $130 (list) or $100 for members, but you can get yours free using this link: http://www.esda.org/Documents.html#s2020. The URL takes you to a summary of the standard; click the yellow download button and a pop-up login box will appear; at the top you will see "To download document, click here to register." Registration takes less than one minute.

For certified organizations, the following transition plan and new certification timeline applies:

• 2014: S20.20-2007 will continue as the basis for certification
• 2015: Organizations can choose between the 2007 and 2014 versions as the basis for certification
• 2016: All audits will reflect the 2014 version, and 2007-version certificates will be transitioned to the new version. The ESDA will not renew certificates based on the 2007 version.

Additional points to remember:

• Both versions of the standard are available for download using the link above throughout 2015.
• ESDA is in the process of updating the auditor checklist associated with the 2014 version for use during audits.
• ESD S20.20 auditors at UL DQS have upgraded their qualifications and are ready to use the 2014 version. Our next "Updates to Standards" will also provide a summary of the changes in the new standard.

UL DQS Inc. can perform ESD S20.20 audits integrated with the ISO 9001, TL 9000 and ISO 13485 standards. If your organization is not currently certified to the ESD S20.20 standard and you want more information about our program, please contact your Regional Account Manager.


ISO 27001:2013 – Highlights of the Changes in the New Revision

In September 2013, ISO released a new version of its information security management standard, ISO/IEC 27001. The supporting guideline, ISO/IEC 27002, has also been updated. All organizations already certified to ISO/IEC 27001:2005 have to transition to the new version by October 2015. Effective use of these standards can help companies apply best practice against information security risks such as loss of proprietary information, network intrusion, spread of malware, data compromise, and failures of service providers to understand and meet customer requirements.

Thousands of companies have adopted ISO/IEC 27001 and 27002 as the standards for their information security programs and controls. Together they are the de facto standards: 27001 states the requirements for an information security management system (ISMS), and 27002 is the code of practice for its controls. ISO/IEC 27001 also supports organizations in meeting regulatory obligations under laws such as FISMA, HIPAA and GLBA. Both standards provide a baseline for initiating, implementing, maintaining and improving an information security management system in an organization of any size.

ISO 27001:2013

The 2013 risk assessment requirements are broader and aligned with ISO 31000; they no longer prescribe an asset-based methodology, so an organization can fold the ISMS risk assessment into its enterprise risk assessment and use it in its Governance, Risk and Compliance (GRC) program, a major step in the right direction. The new standard also greatly simplifies documentation requirements by replacing the phrase "documented procedure" with "documented information."

The new standard also simplifies the list of controls in Annex A, reducing their number from 133 to 114, although the scope of application of several controls has expanded. Here are some of the major changes to the controls:

• Inclusion of system engineering and project management: new controls address information security in project management (A.6.1.5), secure development policy (A.14.2.1) and secure system engineering principles (A.14.2.5).

• Mobile device policy (A.6.2.1): this addresses the increasing use of mobile devices in information processing, including the use of personal devices to access organizational information assets.

• System security testing (A.14.2.8): systems are to be tested for compliance with their security requirements during development; this is in addition to the regular system acceptance testing (A.14.2.9) conducted for new systems, upgrades and new versions.

Many of the changes better align security objectives with business goals. That alignment will help everyone in the organization appreciate the importance of information security to the company's sustainability, viability and reputation.