Establish, implement, and maintain an occupational health and safety policy.


CONTROL ID
00716
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an occupational health and safety management system., CC ID: 16201

This Control has the following implementation support Control(s):
  • Involve interested personnel and affected parties in occupational health and safety management system processes., CC ID: 16274
  • Disseminate and communicate the occupational health and safety policy to interested personnel and affected parties., CC ID: 16270
  • Include a commitment to continuous improvement in the occupational health and safety policy., CC ID: 16267
  • Include risks and opportunities in the occupational health and safety policy., CC ID: 16287
  • Include management commitment in the occupational health and safety policy., CC ID: 16264
  • Include occupational health and safety objectives in the occupational health and safety policy., CC ID: 16262
  • Post evacuation plans and evacuation procedures throughout facilities., CC ID: 06073
  • Maintain a 1 to 2 day supply of water and nonperishable food at the facility in case public utilities are interrupted., CC ID: 06074
  • Install duress alarms in susceptible public areas., CC ID: 06075
  • Require regular vacations for personnel using restricted information or sensitive information., CC ID: 06550
  • Establish, implement, and maintain health and safety personnel disinfecting procedures., CC ID: 06802
  • Provide protective face masks for critical personnel, as necessary., CC ID: 06803
  • Establish, implement, and maintain food preparation procedures., CC ID: 06804
  • Establish, implement, and maintain food handling procedures., CC ID: 11765
  • Vaccinate critical employees, as necessary., CC ID: 06805
  • Protect personnel from work-related intimidation., CC ID: 07046
  • Establish, implement, and maintain a travel program for all personnel., CC ID: 10597


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • App 2-1 Item Number VI.4.1(1): The organization must ensure the work environment is managed properly by improving IT in accordance with healthcare considerations. App 2-1 Item Number VI.4.1(2): Personnel must receive regular medical examinations and counseling about their physical and mental health. (App 2-1 Item Number VI.4.1(1), App 2-1 Item Number VI.4.1(2), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • O86: The organization shall implement health care management for all employees. O86.1: The organization shall ensure all personnel involved in operating the computer systems have regular medical examinations, counseling, and other health care management measures depending on work content, work style… (O86, O86.1, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • For those who are involved in operation of computer systems (including part-time staff, temporarily employed workers, and other outsourcee's staff), regular medical examinations and counseling and other health care management measures should be conducted depending on the work style, the contents of … (C19.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The organizational policy statement must ensure that the scope of the organizational resilience management system includes a commitment, as the first priority, to community and employee life safety. (§ 4.2.1(b), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • Policies and procedures shall be established for maintaining a safe and secure working environment in offices, rooms, facilities and secure areas. (FS-01, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • The organization shall establish requirements for cleanliness, health, and clothing, if contact between the product or work environment and the personnel could adversely affect quality. (§ 6.4(a), ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • The organization shall monitor the operation of the system to verify it is operated in a way that is compliant with occupational safety and environmental protection regulations. (§ 6.4.9.3(c)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • Procedures should be implemented to ensure there is an appropriate level of health and safety protection for personnel at all recovery sites, including fire safety and building inspections. Service providers should consider using non-noxious gases for fire detection and suppression systems. If this … (§ 6.4.16, § 6.10.7, § 6.12.5, § 6.13.1, § 6.13.2, § 6.13.5, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • When securing rooms, offices, and facilities, relevant health and safety regulations and standards should be taken into account. (§ 9.1.3, ISO 27002 Code of practice for information security management, 2005)
  • ensuring that human behaviour is considered when applying information technology, including safety, fit for purpose and alignment with the organizational purpose; (§ 6.8.3.4 ¶ 2 e), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Top management shall establish, implement and maintain an OH&S policy that: (§ 5.2 ¶ 1, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • ensuring that the OH&S policy and related OH&S objectives are established and are compatible with the strategic direction of the organization; (§ 5.1 ¶ 1 b), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • be relevant and appropriate. (§ 5.2 ¶ 2 Bullet 4, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • be available as documented information; (§ 5.2 ¶ 2 Bullet 1, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • includes a commitment to provide safe and healthy working conditions for the prevention of work-related injury and ill health and is appropriate to the purpose, size and context of the organization and to the specific nature of its OH&S risks and OH&S opportunities; (§ 5.2 ¶ 1 a), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • At multi-employer workplaces, the organization shall coordinate the relevant parts of the OH&S management system with the other organizations. (§ 8.1.1 ¶ 2, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • If contact between the personnel and the environment or product could adversely affect product quality, a medical device manufacturer shall establish and maintain health, personal practices, cleanliness, and clothing requirements. (§ 820.70(d), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • The physical protection of the cyber components and data associated with the ICS must be addressed as part of the overall security of a plant. Security at many ICS facilities is closely tied to plant safety. A primary goal is to keep people out of hazardous situations without preventing them from do… (§ 6.2.11 ICS-specific Recommendations and Guidance ¶ 1, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Information system contingency plans are rarely developed or executed on their own. When an incident occurs that impacts information system operations, it often impacts the organization's personnel. Proper considerations for the safety, security, and well-being of personnel should be planned for in … (Appendix D ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • To determine how the ISCP will be implemented following a system disruption or outage, it is essential to assess the nature and extent of the disruption. The outage assessment should be completed as quickly as the given conditions permit, with personnel safety remaining the highest priority. When po… (§ 4.2.3 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Disasters may take a heavy psychological toll on personnel, especially if there has been loss of life or extensive physical destruction. Organizations should be prepared to provide grief counseling and other mental health support. The Employee Assistance Program (EAP), which is available to all fede… (Appendix D Subsection 3 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))