Although there is no specific model for assessing the maturity level of ISO/IEC 27001 implementation, some models you can use with minor adaptations are:
This article will provide you with a further explanation about the use of maturity levels:
These materials will also help you regarding ISO 27001:
Setting up a database of compliance obligations may differ from country to country, because legal and regulatory information may be more or less accessible in terms of ease and completeness.
Start with your environmental assessment to determine environmental aspects and impacts. Then you have to search the list of legislation applicable to your organization concerning each environmental aspect and impact. In my country, I use the services of an organization that sends me an email every day informing me whether there are changes in legislation at local, national and European Union level. Through them, I have access to all the environmental legislation of my country. I know organizations that have a similar service from their sector association, or some legal service from law firms. Other organizations keep the information updated by frequently searching whether any new or revised law has been published.
You can find more information below:
To determine significant environmental aspects, start by thinking about the environmental impacts caused by each environmental aspect.
Why do you need to determine significant environmental aspects? Because resources are scarce, and you don’t have any chance of improving if you decide to act on all aspects. So, an efficient method for classifying aspects/impacts is a method that helps you focus your attention and resources where they are most needed.
If you’re implementing an environmental management system, you already have, or will have, an environmental policy. In that environmental policy your organization is committed to meeting compliance obligations (including legal requirements). So, a first step for determining significant environmental aspects and impacts is to check whether compliance obligations are met:
If compliance obligations are not met, you have a problem! This is a priority for action, for improvement.
If there are no compliance obligations or if they are being met, you need to use other criteria to assess environmental impacts.
Frequently, organizations use other criteria, with parameters like:
For each parameter you may have a classification range or scale, for example:
Considering all the parameters, each with its own scale, you apply a formula to get a score. How the formula is applied, and what weight is given to each parameter, is up to you.
From there you get:
STOP – means an environmental aspect/impact without compliance obligations that is not significant. You can forget it until the next evaluation.
B – means an environmental aspect/impact with compliance obligations that are being met, and that is not considered significant. Just keep monitoring according to compliance obligations or system requirements.
C and D – mean an environmental aspect/impact, with or without compliance obligations (which are being met), that is considered significant. You have to decide which environmental aspects/impacts in these groups you want to improve.
Danger sign – means an environmental aspect/impact with compliance obligations that are not being met, and that is considered significant. Action is mandatory.
Please check this information below with more detailed answers:
Considering that, if you are a small organization, it is best to define the whole organization as part of the ISMS scope (so in terms of Organizational Units you can state that the whole organization is part of the scope). If you include only one part of your organization, then under 'Organizational Units' you list only the departments that will be included in the scope.
Regarding processes and services, these would be related to the information you want to protect. For example, if you want to protect customer financial data, then the financial processes and services would be included in the scope. In case it is the software you provide to the customer, then you should consider the development and operation processes related to the software (ISO 27001 cannot be used to certify products and services).
The standard way of answering your question can be a mix of topics from these articles - 6 Key Benefits of ISO 14001 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/6-key-benefits-of-iso-14001/ and - ISO 14001: The benefits for customers - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/ - you can use one or more topics from the articles to support your proposal.
Can your organization win new clients that demand ISO 14001 certification? Can your organization reduce costs due to a systematic improvement of environmental issues? For example, while implementing an environmental management system I was able to reduce costs and improve productivity by changing to water-based adhesives instead of solvent-based ones, reduce energy consumption due to a systematic attack on compressed air leaks, and reduce the cost of waste disposal due to better segregation and different, better destinations instead of just dumping in a landfill. If you can attach money to your promise, you can make them see ISO 14001 as an investment: what can be earned in return for an implementation cost.
You can find more information below with more detailed answers:
thank you
In this scenario, Company A needs to be considered both cloud service customer and cloud service provider.
This happens because company A needs to fulfill customers’ requirements related to cloud security (in this case it acts as a cloud provider), and at the same time it needs to enforce these requirements, and its own, on its suppliers (in this case it acts as cloud customer).
This article will provide you with a further explanation about ISO 27017:
- ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
ISO 27005 is a supporting standard to ISO 27001, detailing how to implement risk management for information security (basically covering ISO 27001 clauses 6.1.2 and 6.1.3).
Considering that, general steps for risk assessment and treatment are:
This article will provide you with a further explanation about implementing risk management:
These materials will provide you with a further explanation about implementing risk management:
If you want to see what a risk management process compliant with ISO 27005 looks like, I suggest you take a look at the free demo of our ISO 27001/ISO 22301 Risk Assessment Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/
Non-conformities can be about:
Non-conformities about the product or service are detected during quality control activities or following a complaint.
Non-conformities about process performance are detected during analysis and evaluation of process performance data.
Non-conformities about system conformance are detected during internal audits or during management review.
The following material will provide you with information about nonconformities:
I’m afraid your question is a symptom of a common mistake in quality management systems when treating product or service non-conformities.
When treating product or service non-conformities you must (it is mandatory) eliminate the non-conformity (correction) and treat its consequences. And the timer is ticking: you should do that as fast as possible to prevent unintended use:
Once the non-conformity is eliminated, you should evaluate your current practices. That is why I recommend using the SDCA cycle from Shoji Shiba.
You have a standard (S) way of doing things, written or unwritten; it is the way your organization works. You do the work (D) according to the standard and you check (C) the results. And you detect non-conformities. And you treat the non-conformities. After treating the non-conformities, the urgency stops, and you think about your standard way of doing things:
You ask: should we improve, or should we keep the current standard? If your organization decides that it can live with the current performance, there is no need for corrective action, and you continue in the SDCA cycle. If, when you ask whether improvement is needed, you realize that it is a systematic failure, a trend or a serious situation, you are concluding that the situation calls for improvement. That means you can no longer trust your current standard; you must jump into the PDCA cycle to develop corrective action, an action to eliminate the cause(s) of the non-conformity.
If your organization considers that the situation is “beyond our control”, you are concluding that no corrective action is needed. However, I would prefer writing “No corrective action needed” instead of “beyond our control”. I worked as a quality manager in a manufacturing plant more than 25 years ago and we had problems with power failures; we picked the priority machines and established an emergency supply operation with diesel generators.
Please search for “Deming funnel tampering” to learn about the problem of tampering with a system, when one tries to improve a system after each non-conformity.
You can find more information below: