Below I list a set of articles about what ISO 14001 is, what its benefits are for several interested parties, and how to implement it. ISO 14001 is about improving the organization's relationship with the environment through a systematic approach to its environmental aspects and impacts. That is why I added an article on aspects and their evaluation. Perhaps you can enroll in our free ISO 14001:2015 Foundations Course. During that course, you will be provided with suggestions for articles, templates, and other materials that can introduce you to ISO 14001.
Please check the information below for a more detailed answer:
In fact, a change in the ISMS scope is quite common, and your organization can perform this change in the ISMS scope. The ISMS scope can be defined as the whole organization, or as part of it (in terms of locations, departments or processes), and the scope can increase or decrease in size according to the organization's needs.
These articles will provide you with a further explanation about the scope definition:
This material will provide you with a further explanation about the scope definition:
Although the ISO 27001:2013 standard does not define the terms ‘needs’ and ‘expectations’ when it talks about the needs and expectations of interested parties, it is helpful to think of them in this way. Needs are those things that interested parties have clearly stated or written down, such as a law that you need to meet (e.g., GDPR), or an information security requirement in a contract. Expectations are the unwritten things that the interested parties reasonably assume you will do, such as accurate tracking of information to meet those laws or timely addressing information security incidents when they occur.
You can learn more about the requirement in this article:
ISO 27001 does not prescribe how to document your information security policies, so organizations are free to document them as they see fit.
The general practice is to have information security policies as internal operational documents, and to include only references to them in contracts, as contractual clauses.
This article will provide you with a further explanation about documenting policies and developing employment contracts:
After the warranty complaints are received by the dealer, if the problem is part of the warranty scope and is not related to end-user (driver/passenger) error, the subject and the faulty part should be forwarded to the relevant automotive OEM company. Especially if the issue relates to a faulty part affecting driver and vehicle safety, a much faster reaction must be shown.
Depending on the situation, either a part replacement or a temporary vehicle supply is provided. According to the investigation result of the OEM company, the customer must be answered in writing.
Generally, this process is carried out by departments such as after-sales services, etc.
IATF 16949 rules have no defined time frame for the transition from ISO 9001:2015 to IATF 16949:2016. When the organization is ready according to IATF 16949:2016, it must take the stage 1 audit and, if the result is 'ready', then start the stage 2 audit, which is the main audit, within 90 days after the stage 1 audit. In my experience, a firm that effectively implements ISO 9001:2015 says it will be ready for the IATF 16949:2016 audit with 6 months of work.
For more information, this article might be useful:
According to the IATF 16949:2016 standard, any documented information should be under control. As you know, documented information includes all kinds of records, such as procedures, instructions, control plans, processes, training records, job descriptions, etc.
My advice is to create a form number and a revision number for the to-do list so that everyone in the organization can use the same to-do list.
Thus, the to-do list becomes a controlled document.
ISO 27001 does not provide specific controls for cloud computing, but you can adopt and adapt some of its controls for cloud computing.
For example, you can use control A.8.3.2 Disposal of media (which states that media must be disposed of in a secure and formal way when no longer required), considering the virtual machine as "media".
For specific recommendations about cloud computing, you can consult ISO 27017 and ISO 27018, which provide specifics applicable to cloud computing regarding controls from ISO 27001 Annex A.
These articles can provide you with more details on data disposal in ISO 27001:
These articles will provide you with a further explanation about ISO 27017 and ISO 27018:
Training on ITIL covers some topics related to information security that can provide evidence of competence that can help achieve ISO 27001 compliance.
These articles will provide you with a further explanation about competences, ITIL, and ISO 27001:
This material will also help you regarding competences on information security: