Search results

OCP Control Method

I think OCP stands for Operational Control Procedures. So, OCP in shop floor seems to be Operational Control Procedures used in shop floor to improve environmental aspects management and control. For example, Operational Control Procedures about segregating wastes correctly, or about good practices to minimize energy or water consumption. OCP Control Method can be, I guess, about procedure control: approval, distribution, updating, obsolete removal.

You can find more information below:

• Defining and implementing operational control in ISO 14001:2015 - https://advisera.com/14001academy/blog/2016/04/11/defining-and-implementing-operational-control-in-iso-140012015/140012015/
• Seven elements to control documents in the EMS - https://advisera.com/14001academy/blog/2014/12/10/seven-elements-control-documents-ems/
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

Info su pseudonimizzazione

Grazie

Asset metrics

We are not experts in this specific industry, but for small and midsized business all over the world, this template has helped them to identify assets for their ISO 27001 ISMSs:

• Inventory of Assets https://advisera.com/27001academy/documentation/inventory-of-assets/

This article will provide you a further explanation about managing assets:

• How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

These materials will also help you regarding managing assets:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
• Asset List for ISO 27001 Risk Assessment (MS Word) https://info.advisera.com/27001academy/free-download/asset-list-for-iso-27001-risk-assessment/

Backup policy

ISO 27001 does not prescribe responsibilities about backup, so organizations are free to define them as best fulfill their needs.

Considering that, for defining the responsibilities for the backup process, you should analyze potential risks (e.g., lack of knowledge, human error, sabotage, etc.), and applicable legal requirements (e.g., laws, regulations, and contracts), to identify how responsibilities should be defined.

For example, through risk analysis, you may find that there are no relevant risks if the DBA is responsible for taking and storing the Backup, but you may have a contract with a client that defines a different role to be responsible for the backup process (e.g., the backup should be performed and managed by a system administrator).

To see how a backup policy compliant with ISO 27001 looks like, please access the demo template at this link: https://advisera.com/27001academy/documentation/backup-policy/

These articles will provide you a further explanation about defining responsibilities:

• How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
• Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/

These materials will also help you regarding the definition of responsibilities:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
• Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
• ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Function segregation matrix in a small company

Existem duas formas comuns de se formalizar a segregação de funções, dependendo da forma como a organização gerencia seus processos:

• Caso a organização não possua processos documentados (ex.: por meio de políticas e procedimentos), você pode usar um único documento identificando os processos e as etapas a serem segregadas. Por exemplo: No processo de “Gestão de documentos”, o cargo A elabora documentos e o cargo B aprova documentos, e no caso de um processo de “Compras”, o cargo C solicita materiais e o cargo D aprova as solicitações.
• Caso a organização possua processos documentados, ela pode definir a segregação de funções diretamente nas políticas e procedimentos necessários.

Para mais informações sobre segregação de funções, leia:

• Segregação de funções em seu SGSI de acordo com a ISO 27001 A.6.1.2 https://advisera.com/27001academy/pt-br/blog/2016/11/23/segregacao-de-funcoes-em-seu-sgsi-de-acordo-com-a-iso-27001-a-6-1-2/

Este material também pode ajudar a entender como implementar a segregação de funções:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

Certificate Maintenance

1 - The certification body has set 2 days for surveillance audit. what is cost for the second and third year and what is the cost of recertification (Roughly)?

There is no standard value for surveillance and recertification cost, so this information you need to ask directly to your certification body. Normally contracts with certification bodies are set considering a full certification cycle (i.e., certification audit and surveillance audits), so this information about costs may be included in the contract clauses (the recertification cost is similar to the certification cost). For comparison, you may use quotations from other certification bodies.

For further information, see this material:

• Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
• ISO 27001/ISO 22301: The certification process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/

2 - What happens if for some reason the organization didn't pay for the annual subscription for two years for example and then wanted to re-certify after that.

First is important to note that there is no such thing as an annual subscription for certification bodies. To keep your certification, you need to undergo surveillance audits at scheduled times, or your certification will be suspended, and in case of prolonged delay (that will be less than two years), the certification will be canceled, and you will need to undergo all the certification process again.

3 - Is there any hidden cost in the process of yearly audit and recertification audit?

Some hidden costs you need to pay attention are related to the auditor’s travel costs (if he or she is out of your town), as the client will be responsible for his or her lodging, and the auditors’ fee related to his or her experience in the client's industry because their feedback is considered more valuable.

For further information, see:

• How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/

Significant Aspect

No, it is not in the standard that any aspect/impact that has a legal requirement is automatically significant.

Please check this picture:

If an environmental aspect has compliance obligations and they do not comply the aspect is significant, but if they are satisfied then it is up to your evaluation criteria to determine if they are or not significant.
 
Please check this information below with more detailed answers:

• Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
• ISO 14001 document template: Procedure for Identification and Evaluation of Environmental Aspects and Risks - https://advisera.com/14001academy/documentation/procedure-for-identification-and-evaluation-of-environmental-aspects/
• Enroll for free in this course – ISO 14001:2015 Lead Auditor Course - https://advisera.com/training/iso-14001-lead-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
   

11.2.8 and 11.2.9

Please note that while control A.11.2.8 aims at equipment (e.g., computers and mobile devices), control A.11.2.9 has a wider coverage, including papers, removable storage media, and other equipment normally found on workstations (e.g., photocopiers).

In a sense, you can think that control A.11.2.8 can be used to implement a part of control A.11.2.9.

This article will provide you a further explanation about clear desk policy and clear screen policy:

• Clear desk and clear screen policy – What does ISO 27001 require? https://advisera.com/27001academy/blog/2016/03/14/clear-desk-and-clear-screen-policy-what-does-iso-27001-require/

This material will also help you regarding clear desk policy and clear screen policy:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

Mandatory procedures

No mundo ISO, os requisitos / documentos obrigatórios estão relacionados às palavras “deve” ou “deverá”, enquanto os requisitos / documentos não obrigatórios estão relacionados às palavras “pode” ou “deveria”. Os documentos e registros obrigatórios para cumprir as cláusulas das seções principais da norma (seções 4 a 10) são:

• Escopo do SGSI (cláusula 4.3)
• Política e objetivos de segurança da informação (cláusulas 5.2 e 6.2)
• Avaliação de risco e metodologia de tratamento de risco (cláusula 6.1.2)
• Declaração de aplicabilidade (cláusula 6.1.3 d)
• Plano de tratamento de risco (cláusulas 6.1.3 e e 6.2)
• Relatório de avaliação de risco (cláusula 8.2)
• Registros de treinamento, habilidades, experiência e qualificações (cláusula 7.2)
• Resultados de monitoramento e medição (cláusula 9.1)
• Programa de auditoria interna (cláusula 9.2)
• Resultados das auditorias internas (cláusula 9.2)
• Resultados da análise crítica da gestão (cláusula 9.3)
• Resultados das ações corretivas (cláusula 10.1)

Outra situação é que alguns documentos são necessários para cumprir controles que são obrigatórios se pelo menos uma dessas situações acontecer:

• Existem riscos inaceitáveis que justificam a aplicação do controle
• Existem requisitos legais (por exemplo, leis ou cláusulas contratuais) aos quais a organização deve cumprir que demandam a aplicação do controle
• Existe uma decisão da alta administração para implementar o controle, considerando-o como uma boa prática.

Se nenhuma das condições acima acontecer, não há necessidade de implementar um documento relacionado a esse controle.

Além dos documentos para cumprimento das cláusulas das seções principais, sem uma avaliação detalhada de uma organização, não é possível definir quantos documentos uma organização teria e quais seriam um exagero.

Estes artigos fornecerão mais explicações sobre os documentos ISO 27001 e seleção de controles:

• Lista de documentos obrigatórios requeridos pela ISO 27001 (revisão de 2013) https://advisera.com/27001academy/pt-br/knowledgebase/lista-de-documentos-obrigatorios-requeridos-pela-iso-27001-revisao-de-2013/
• A lógica básica da ISO 27001: Como a segurança da informação funciona? https://advisera.com/27001academy/pt-br/knowledgebase/a-logica-basica-da-iso-27001-como-a-seguranca-da-informacao-funciona/
• 8 critérios para decidir quais políticas e procedimentos da ISO 27001 escrever https://advisera.com/27001academy/pt-br/blog/2014/07/31/8-criterios-para-decidir-quais-politicas-e-procedimentos-da-iso-27001-escrever/

ISO 14001 and engaging an external consultant

No, it is not a requirement to engage an external consultant to help develop and implement a management system.
That is precisely one of the reasons for the existence of Advisera, to help organizations to work without the need of a consultant. Please check this article - Do you really need a consultant for implementation of ISO 14001? -  https://advisera.com/14001academy/blog/2019/02/28/do-you-really-need-a-consultant-for-implementation-of-iso-14001/

Please consider our courses to help practitioners, you can enroll for free:

• Enroll for free in this course - ISO 14001:2015 Lead Implementer Course - https://advisera.com/training/iso-14001-lead-implementer-course/
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/