Search results

How to find and choose a good certification body for ISO 27001

Elements you should consider when selecting a certification body are at least these ones:

• Reputation.
• Accreditation.
• Specialization in your industry.
• Experience.
• Integrated audit.
• Flexibility.
• Required maturity for certification.
• Language.

For further information, see:

• How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/

Regarding certification costs, this will depend on the size and complexity of the scope, so without more detailed information, it is not possible to provide you a precise estimation.

There are a significant number of variables to be considered when estimating the certification cost, such as size and complexity of the scope, number of employees, number of sites, etc.

Including opportunities in ISO 14001 register

About risks and opportunities in ISO 14001:2015 I recommend reading Annex A.6.1.1. What does your organization want from the environmental Management System (EMS)?

How is this done? With a set of action plans:

Risks and opportunities are:

What A6.1.1 tell us is:

• Look into your list of environmental aspects, which can create risks and opportunities. Your significant aspects can generate significant impacts and those can be seen as risks and opportunities
• Look into your list of compliance obligations, are there risks of failing to comply, or opportunities to be better than compliance obligations?
• Look into your context and interested parties, which can create risks and opportunities? For example, trends in environmental legislation, trends in neighborhood or client’s sentiment about your organization’s environmental performance.
  
  

Currently I’m working with an industrial organization where we considered as opportunities:

• Starting to use solar energy in order to reduce CO2 emissions
• Starting to use water-based adhesives in order to reduce use of volatile organic compounds
• Change waste operators in order to reduce amount of wastes going to landfill
   

Think about your environmental objectives and determine actions that can improve your performance towards them.

Please check this information below with more detailed answers:

• Environmental aspect identification and classification - https://advisera.com/14001academy/knowledgebase/environmental-aspect-identification-and-classification/
• Catalog of environmental aspects - https://advisera.com/14001academy/knowledgebase/catalogue-of-environmental-aspects/
• ISO 14001 risks and opportunities vs. environmental aspects - https://advisera.com/14001academy/blog/2016/03/21/how-does-product-life-cycle-influence-environmental-aspects-according-to-iso-140012015/
• Risks and opportunities in ISO 14001:2015 – What they are and why they are important - https://advisera.com/14001academy/blog/2016/03/07/risks-and-opportunities-in-iso-140012015-what-they-are-and-why-they-are-important/
• Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
• ISO 14001 document template: Procedure for Identification and Evaluation of Environmental Aspects and Risks - https://advisera.com/14001academy/documentation/procedure-for-identification-and-evaluation-of-environmental-aspects/
• Enroll for free in this course – ISO 14001:2015 Lead Auditor Course - https://advisera.com/training/iso-14001-lead-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
   

How to drive opportunity reports by IQA team

First you need to identify the opportunity. This can be done using a SWOT analysis where you look at the Strenghts, Weaknesses, Opportunities and Threats. Once you identify the opportunity, you will need to assess if it is significant or it is not. For that purpose you can use a simple criteria such as impact and probabibilty. If the opportunity is significant you will need to take the necessary actions to conduct it, defining resources needed, responsibilities, deadlines, etc. In addition you will need to assess the effectiveness of the actions taken in order to implement that oppotunity within your organization. This information should be included in the reports.

For more information about how to drive oppotunity reports see the following materials: 

- How to address risks and opportunities in ISO 9001: https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/

- Enrol this free course - ISO 9001 Foundations course: https://advisera.com/training/iso-9001-foundations-course/

- Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

GDPR Certification Exam

1 - It is my intention to write the GDPR Certification Exam the end of this Month.

I trust that this will create the Environment that will enable me to write both ISO 27001 Lead Implementor and Lead Auditor Exams.

GDPR certification is not enough to cover all necessary knowledge for ISO 27001 Lead Implementor and Lead Auditor Exams (normally the certification path is the other way around).

Please note that GDPR defines requirements for privacy protection, while ISO 2700 provides requirements for information security in general, so ISO 27001 is more comprehensive, and someone needs more knowledge before going for ISO 27001 Lead Implementor and Lead Auditor Exams.

For further information, see:

• Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
• How an ISO 27001 expert can become a GDPR data protection officer https://advisera.com/27001academy/blog/2020/01/20/iso-27001-practitioner-becoming-a-gdpr-data-protection-officer/

2 - I would really appreciate any Communications regarding progress on Creation of Advisers POPIA Content and an opportunity to present same to a number of Corporate and Government Clients in our portfolio.

Please be assured of my commitment to broadening my ISO Certifications based upon the Advisers offerings

We have POPIA (the South African law for data protection and privacy) in our product pipeline for development, but not for at least the next twelve months.

ISO 27001 - Capacity SaaS

Even when using SaaS you can define capacity planning, but the performance indicators need to be related to the service, not hardware elements, because, as you said, these are not under your control.

In this case, you should consider elements like the number of simultaneous users, or other elements you can measure from your side, like hours of use, requests per second. In all cases, you need to consider the impact of communication links in these measurements (a bad link can make it impossible for you to achieve all performance made available by the SaaS provider).

But please note that capacity planning for ISO 27001 would be required only if relevant risks, or legal requirements, demand implementation of control A.12.1.3 Capacity management.

For further information, see:

• Implementing capacity management according to ISO 27001:2013 control A.12.1.3 https://advisera.com/27001academy/blog/2016/02/22/implementing-capacity-management-according-to-iso-270012013-control-a-12-1-3/

Information/data retention and destruction policy

Template A.11.2 - Disposal and Destruction Policy is the template to be used to define a retention and destruction policy.

This article will provide you a further explanation about information disposal:

• 5 practical tips for media disposal according to ISO 27001 https://advisera.com/27001academy/blog/2018/10/22/5-practical-tips-for-media-disposal-according-to-iso-27001/

This material will also help you regarding information disposal:

• NIST Special Publication 800-88, Revision 1: Guidelines for Media Sanitization https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf

DPIA’s and Clients' data

Yes, you are right, DPIA is an obligation of the data controller, as a data processor you may suggest to your client to conduct a DPIA and help them in the process, but you don't need it if the controller does not require it. About data you process as a controller, you need to determine if the monitoring falls under the scope of Article 35 GDPR, if a DPIA is required, I would suggest you use the tool that the CNIL (the French Data Protection Authority implemented, it is in English and it guides controllers through the assessment process).

Here you can find more information about the DPIA process:

• 5 phases of the EU GDPR Data Protection Impact Assessment: https://advisera.com/eugdpracademy/knowledgebase/5-phases-of-the-eu-gdpr-data-protection-impact-assessment/

If you need to understand how to implement the EU GDPR you can consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/ 

ISO 9001 Surveillance audit

This is new for me. I never heard of such a situation. Your contract is with a particular Certification Body. So, your organization by changing the Certification Body must restart the certification process with a new Certification Body. If I were in your shoes I would contact the Accreditation Body mentioned in your certificate to ask them for guidance.

Impartiality

There are many possible impacts to compromised impartiality, it all depends what the event issue is/ was. This is the reason a risk based approach is required. For the purposes of ISO 17025 the objectives of technical competency and consistent results and any other set objectives or mandatory requirements must be protected from lack of impartiality. This means that compromised impartiality is a nonconforming event and must be addressed as a a priority. Follow your process and determine root cause and suitable corrective actions. 
For examples, and further information, have a look at my replies to similar questions:

• Assuring impartiality and confidentiality at https://community.advisera.com/topic/assuring-impartiality-and-confidentiality/
• Impartiality at https://community.advisera.com/topic/impartiality/

For more information on Impartiality, also have a look at the article How to ensure impartiality in an ISO 17025 laboratory at https://advisera.com/17025academy/blog/2020/10/12/ensuring-impartiality-in-an-iso-17025-laboratory/ 
and the ISO 17025 toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

Method or methodology to implement ISO 27001 requirements

ISO does not prescribe a method to implement its management standards so organizations can choose the method that better suits their needs.

Widely accepted methods for ISO 27001 implementation are project management approaches based on traditional and agile frameworks like PMBoK and Scrum, but they need to be adjusted for the specific needs of an ISMS implementation project.

As a suggestion for an approach already adjusted for implementing an ISO 27001 ISMS, I suggest you take a look at the free demo of our ISO 27001 Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

With this toolkit, we have thousands of companies that have successfully implemented 27001.

For further information, see:

• ISO 27001 project – How to make it work https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/
• How to use Scrum for the ISO 27001 implementation project https://advisera.com/27001academy/blog/2017/03/27/how-to-use-scrum-for-the-iso-27001-implementation-project/

To see an example of a project framework for ISO 27001 implementation, please access this free downloadable material:

• Project checklist for ISO 27001 implementation (MS Word) https://info.advisera.com/27001academy/free-download/project-checklist-for-iso-27001-implementation