ISO 14001 is about an environmental management system (EMS). So, risk assessment in ISO 14001 is related to desired or undesired results concerning the EMS.
In a laboratory you can start by determining the environmental aspects and impacts generated by laboratory operation. Then, you can determine if there are any risks and opportunities around those environmental aspects and impacts. For example, I worked in a laboratory that generated hazardous wastes. Risks could be about giving the right treatment to those wastes, working with authorized waste operators, using practices to minimize waste generation, and minimizing the mixing of wastes.
You can find more information below:
ISO 14001 gives a great framework for doing that. Determine environmental aspects and impacts, evaluate them, and develop a set of objectives and action plans in order to improve performance around the most critical, the most significant impacts.
Please check this information below with more detailed answers:
No, it is not mandatory to use the process approach with ISO 14001, but you can follow the process approach in the way you manage environmental aspects and impacts. For example, I like to draw the process of managing wastes from generation until leaving the organization, or the process of managing water from sourcing to disposal.
If you develop a register of environmental aspects and impacts it may be useful to have a column to identify the source of the aspect, and the source may be a product, a service or within the scope of a quality system process. This way it is easier to see where to act, to improve environmental performance.
You can find more information below:
What is the purpose of ISO 14001? ISO 14001 sets out the requirements for an environmental management system (EMS). It helps organizations improve their environmental performance.
After updating your environmental assessment, you have a list of the most significant environmental impacts of your organization. So, it seems logical that a great EMS is a system that improves performance according to those significant environmental impacts. For example, if your organization is an intensive user of energy, or generates a lot of hazardous wastes, good KPIs are the ones that measure performance in those two areas.
Please check the information below:
First, it is important to note that change management exists in ISO 27001 as one control from its Annex A (control A.12.1.2 Change management), but it can be excluded under certain conditions.
Provided that your organization does not have relevant risks or legal requirements (e.g., laws, regulations, or contracts) that require the implementation of change management, it is possible to be certified against ISO 27001 without implementing this control.
To see what a change management document compliant with ISO 27001 looks like, please see the demo at this link: https://advisera.com/27001academy/documentation/change-management-policy/
These articles will provide you with a further explanation about the definition of controls and change management:
If this record of the router configuration is related to the information included in the certified ISMS scope (e.g., this router allows access to R&D servers, and R&D information is included in the ISMS scope), then it has to be audited at some point during the certification cycle (i.e., during surveillance audits), so the auditor can check if the router configuration allows access only for authorized entities, and as part of the certification process the auditor has the authorization to access this information to perform the audit.
This article may provide you further information:
I'm assuming that by asset-based risk assessment you mean the asset-threat-vulnerability approach.
Considering that, even in case a set of asset-threat-vulnerability raises no risk to the information that is part of the ISMS scope, you should maintain it in the Risk Assessment, for record purposes. First, because this way you can keep track of already identified sets of assets-threats-vulnerabilities you thought were relevant, which in future assessments will save you time in risk identification (you will not need to work on the identification of these risks again), and since risk is a dynamic variable, in a future assessment these sets may indeed raise a risk that may require treatment (e.g., due to a technological change or new legislation).
These articles will provide you with a further explanation about risk assessment:
These materials will also help you regarding risk assessment:
In ISO 27001, the involvement of top management is defined and documented in the Information Security Policy. The definition of top management involvement must consider the expected objectives from the ISMS, as well as the business objectives and strategies.
To see what an Information Security Policy looks like, see: https://advisera.com/27001academy/documentation/information-security-policy/
These articles will provide you with a further explanation about the Information Security Policy:
ISO 9001 is an international standard about developing a quality management system (QMS). A manual is a particular kind of document. For example, it can be used as an identity card of a QMS, explaining how it works and what its parts are. They are not the same thing.
The following material will provide you with more information: