
  • Environmental Aspects Criteria

    When identifying significant environmental aspects for an organization, you don't necessarily have to refer exclusively to ISO 14001 criteria, but ISO 14001 can be a valuable framework to guide your efforts. You can consider, for example:

    • Legal and regulatory compliance
    • Interested parties' expectations
    • Risks and Opportunities

    You can find more information in:

    • Catalogue of environmental aspects
    • 4 steps in identification and evaluation of environmental aspects
  • Create a Performance Mindset

    To create a performance mindset in accordance with ISO 9001:2015, business leaders should:

    Set Clear Objectives: Define clear and measurable quality objectives aligned with the organization's strategic goals.
    Lead by Example: Demonstrate a commitment to quality and continuous improvement through their actions and decisions.
    Engage Employees: Involve employees at all levels in quality initiatives, encourage their input, and recognize their contributions.
    Provide Resources: Allocate resources, including training and technology, to support quality improvement efforts.
    Monitor and Measure: Regularly assess performance using meaningful metrics and key performance indicators (KPIs).
    Continuous Improvement: Foster a culture of continuous improvement, where identifying and addressing opportunities for improvement is encouraged.
    Communication: Communicate the importance of quality and performance to all stakeholders, both internally and externally.
    Feedback Loop: Establish mechanisms for feedback and learning from both successes and failures to drive ongoing improvement.

    By embracing these leadership efforts and approaches, businesses can cultivate a performance mindset that leads to sustained excellence and quality in their operations and outcomes.

    I recommend starting with one or two examples that can be used to set an example and motivate the whole team.

    You can find more information:

  • Is Statement of Applicability required for ISO 14001?

    The statement of applicability is a unique part of ISO 27001 where you identify the controls applied, and this is not required for ISO 14001. Both standards have a scope and policy for the management system, but only ISO 27001 has a statement of applicability.

    You can read a bit more on the ISMS statement of applicability in the article:

  • A.15.2.2 Managing changes to supplier services

    Control A.15.2.2 Managing changes to supplier services can be implemented by means of a change management process considering the following steps:

    1. identification of what needs to be changed (e.g., hardware, software, documentation, etc.) and on which systems;
    2. assessment of the criticality of the systems, information, and processes affected by the change;
    3. re-assessment of the risks related to the systems, information, and processes affected by the change (e.g., current risks that may change, risks that may arise);
    4. formal approval of proposed changes;
    5. development of an implementation plan, including, when necessary, procedures for aborting and recovering from unsuccessful changes and unforeseen events;
    6. testing of the proposed changes before and after deployment in the production environment;
    7. communication of the changes performed to all relevant persons.

    You can use your change management procedure as a basis to manage changes related to your supplier.  

    You can read more about managing changes in an ISMS according to ISO 27001 A.12.1.2 on our blog.

  • Missing ISO27001 References in List of Documents

    Thank you for your question.

    We answered it through Experta - you can find the answer here: https://experta.com/shared-post/0363839e-433b-4db0-bd3b-c44dcdac5764

  • Screening and vetting policy

    Please note that ISO 27001 does not require a Screening and Vetting Policy to be documented, and this is not a common document used in an ISO 27001 implementation.

    Considering that, to reduce the administrative effort in managing documents, guidelines for screening and vetting are included in the:

    • Statement of Applicability, as implementation method for control A.6.1 – Screening. The SoA can be found in folder 07 Applicability of Controls
    • Supplier Security Policy template, section 3.2 – Screening. This template can be found in folder 09 Annex A Security Controls
  • Asset and Risk Owners - can it be a role and also a name of an employee

    ISO 27001 does not prescribe how to define asset/risk owner, so both role and name (used together or separated) are acceptable alternatives, compliant with the standard, for defining the asset/risk owner.

    We recommend always using only the role of asset/risk owner because changing a role as owner is less frequent than changing an employee, and this way, you will have less administrative effort. 

    For more information, check out how to handle an asset register/asset inventory.

    Read this article to find out the difference between risk owners and asset owners.

  • A.15.2.2 Managing changes to supplier services

    I have read the implementation guidance in ISO 27002, but I am still not sure what type of controls we should implement to be compliant with control A.15.2.2 (ISO 27001:2013). I understand that this concerns changes in supplier agreements and/or terms and conditions, changes in how our company uses the supplier services, etc. Could anyone share how you have implemented this control? We have a nonconformance from our recent audit regarding this, hence my question.

    Thank you in advance!


  • Risk Treatment Advice

    Hi Rhand,

    Many thanks for the comprehensive response.

  • Annual calibration

    Calibration laboratories only certify to ISO 17025. As a testing laboratory, any equipment needing calibration must be calibrated by a competent laboratory that provides a calibration report that meets ISO 17025 clause 7.8.4, Specific requirements for calibration certificates. Typically such laboratories would be accredited. You would need the performance parameters of the device being calibrated and the metrological traceability of the calibration, i.e., the equipment used by the calibration lab has its own calibration and certificate traceable to national and/or international standards / SI units. Furthermore, they need the expertise to provide you with the measurement of uncertainty of the measurements/performance of the equipment they calibrate for you.

    For more information on ISO 17025, refer to Advisera ISO 17025 – Where to Start? at https://advisera.com/iso-17025/
