Search results

ISO 14001 minimum requirement

There is no minimum requirement. The whole standard is applicable. However, the application is not blind, the application will be a function of how your consulting business interacts with the environment with aspects and impacts. A small consulting business will have a small interaction with the environment.

You can find more information below:

• ISO 14001 risks and opportunities vs. environmental aspects - https://advisera.com/14001academy/blog/2016/03/21/how-does-product-life-cycle-influence-environmental-aspects-according-to-iso-140012015/
• Risks and opportunities in ISO 14001:2015 – What they are and why they are important - https://advisera.com/14001academy/blog/2016/03/07/risks-and-opportunities-in-iso-140012015-what-they-are-and-why-they-are-important/
• Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
• ISO 14001 document template: Procedure for Identification and Evaluation of Environmental Aspects and Risks - https://advisera.com/14001academy/documentation/procedure-for-identification-and-evaluation-of-environmental-aspects/
• Enroll for free in this course – ISO 14001:2015 Lead Auditor Course - https://advisera.com/training/iso-14001-lead-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/ 

Implementation of ISMS

1 - How and where to start in project for ISMS implementation.

Roughly speaking, ISO 27001 implementation steps can be resumed in:

1. getting management buy-in for the project;
2. defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational context and requirements of interested parties;
3. development of risk assessment and treatment methodology;
4. perform a risk assessment and define the risk treatment plan;
5. controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
6. people training and awareness;
7. controls operation;
8. performance monitoring and measurement;
9. perform internal audit;
10. perform management critical review; and
11. address nonconformities, corrective actions, and opportunities for improvement.

This article will provide you a further explanation about ISMS implementation:

• ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

These materials will also help you regarding the ISO 27001 implementation:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

2 - Do you have any knowledge base which talks about step by step ISO 27001 implementation state. This project involves many stakeholders like application security , database track etc. So how to manager those team, as i am alone from GRC team. I have to ensure entire service tracks are aligned with ISO 27001 requirements. So please provide your valuable inputs.

Our website provides several articles and free downloadable material that can help you with several issues related to ISO 27001 implementation, such as:

• Clause-by-clause explanation of ISO 27001 (PDF) https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001
• Checklist of mandatory documentation required by ISO 27001:2013 (PDF) https://info.advisera.com/27001academy/free-download/checklist-of-mandatory-documentation-required-by-iso-27001
• Step-by-step explanation of ISO 27001/ISO 27005 risk management (PDF) https://info.advisera.com/27001academy/free-download/step-by-step-explanation-of-iso-27001-risk-management
• How to Budget an ISO 27001 Implementation Project (PDF) https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project
• Project checklist for ISO 27001 implementation (MS Word) https://info.advisera.com/27001academy/free-download/project-checklist-for-iso-27001-implementation

To see how documents compliant with ISO 27001 looks like, I suggest you take a look at the free demo of our ISO 27001 documentation toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

Risk Management and "Asset value" & Asset Criticality

1) Does ISO 27001/27005 requires the Risk Management process to use asset value as part of calculating the risk assessment level.

ISO 27001 and ISO 27005 do not prescribe the use of the asset value for risk assessment, so organizations are free to use any approach they see fit to their needs.

For further information, see:

• ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
• How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

2) Does the standard require asset valuation as part of the Risk Management process? Or can be seen as an input, rather than a direct output of the process. That is to say, asset value is important to me as Risk Manager, but I need that input from the organization. It is not my responsibility to produce it as part of the RM process

ISO 27001 requires only that risks are evaluated, so you can either obtain this value as a result of asset valuation, or any other risk management related process or from direct input from the personnel involved in the risk assessment process. Please note that in either case, the responsibility for the value is from the personnel involved in the risk assessment process, but you, as Risk Manager, must ensure the processes are performed in the right way, and with the proper personnel.

3) What is the relationship between asset value and criticality assessment (like FIPS 199/200)? Again, I see asset criticality assessment as an input to RM, alas, not something that I am responsible for as part of the RM process.

Criticality analysis is a systemic approach to identify how critical an asset is to the business, to support the evaluation of potential risks, and highlight any business impacts associated with such risks. Considering that, for this approach, you do not need the asset value, but only the identification of the asset itself (in this case, you need to evaluate the impact caused by the lack or failure of the asset).

4) Finally, have you written a solid book (like the one on 22301) that explain in details how 27005 should be applied section for section?

Since ISO 27005 is a supporting standard for ISO 27001 implementation, we did not develop a book covering this specific standard but used its guidance and recommendations to develop the ISO 27001 Risk Management in Plain English.

Inquiry about Gap Analysis

Please note that the article states that "you don't need" to perform gap analysis for clauses of the main part of the standard, not that it cannot be performed.

The provided tool in our website has a different purpose than help verify the fulfillment of a standard's requirement: it can be used by organizations in order they get an overall and general feeling of where they are in the current moment, and to find out which resources they may need to employ in order to implement ISO 27001 before any real action or project is developed and implemented.

Underscores in a file name

The underscore is used instead of spaces because some old operational systems and applications have problems handling spaces and other special characters. Since we do not know if our customers may have issues regarding these situations we make use of underscore in toolkits name files.

The use of underscore may turn filenames difficult to read by persons, so you need to verify in your own context the need or not for the use of underscore in file names.

ITIL & ISO 20000 Implementation Steps

Here are few general information about ITIL implementation: „How to implement ITIL“ https://advisera.com/20000academy/knowledgebase/how-to-implement-itil/

Some steps need to be taken care of before the implementation starts, see „ Considerations before ITIL implementation“ https://advisera.com/20000academy/blog/2014/05/21/considerations-itil-implementation/

Once you decide to start the implementation, see the article „

Ready, steady… go – Starting ITIL implementation“ https://advisera.com/20000academy/blog/2014/06/10/ready-steady-go-starting-itil-implementation/

„ITIL implementation diagram“ https://info.advisera.com/20000academy/free-download/itil-implementation-diagram is available in our free downloads (https://advisera.com/20000academy/free-downloads/), as well as other useful materials (e.g. Project plan, GAP Analysis tool, etc.).

How do I ensure that I am GDP compliant?

You need to evaluate how the email address is composed. In fact, a general email address like info@... is not considered as personal data, so you can send emails to companies to present your services, while email addresses with name or surname (direct contact) are personal data under GDPR. 

How did you collect emails? Did website users left it to you on your website (maybe filling a form?) In this case check your email notification and be transparent with your visitors by informing them that you will use their email address to send them news about services provided and other great content.

If you collected email on social networks or companies websites, you need to be aware that these contacts are not published to receive advertising or promoting contacts, the person who published it does not attend to receive such email (unless the text around it allow you to believe otherwise) so that it would not be appropriate to contact them. However, if you model your email as a cold email using legitimate interest as a legal ground, you can present your company and the advantages in working with you and underline that you are contacting them because they are looking for a similar profile. This would be in line with GDPR requirements. 

Here you can find more information:

• Is consent needed? Six legal bases to process data according to GDPR https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
• How does GDPR impact marketing activities? https://advisera.com/eugdpracademy/blog/2018/02/08/how-does-gdpr-impact-marketing-activities/
• How does GDPR affect digital marketing? https://advisera.com/eugdpracademy/blog/2019/02/20/how-does-gdpr-affect-digital-marketing/

You can consider enrolling in our free EU GDPR Foundations Course

• EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

• Sheet metal industries (press shop) process validations

  As you know, there are CQI guides which are GM, FORD customer-specific requirements for production process such as heat treatment, casting, welding, molding, coating, etc. For the sheet metal process, there is no special process validation guide like CQI. But if you want, you can prepare a guide by deriving questions from CQIs. Or you can use VDA 6.3 format for production, quality process validation.