Search results

How to define authorities

Authority is about the power of decision, the power of command. Responsibility is about obligation. For example, an operator may have the responsibility to perform quality control and identify the nonconforming product (he or she has the obligation to do it, he or she is expected to do it), and may not have the authority to decide what to do with the identified nonconforming product.

An organization can be modeled as a set of interrelated processes. Each process can be described through a flowchart:

Responsibilities are those activities that someone has to perform without alternatives.

Authorities are those activities where someone has the power to stop the process, has the power to make decisions about the process. For example, in the flowchart above the Production operator has the authority, has the power to decide when is the process ready to start normal production. For example, in a commercial context someone has the responsibility to write a proposal, and someone has the authority to approve the proposal before sending to the customer. For example, in a warehouse context someone has the responsibility to identify the need to order a component, and someone has the authority to approve that need, and another person may have the authority to choose the supplier.

The following material will provide you with information about roles and responsibilities:

• ISO 9001 – How to document roles and responsibilities according to ISO 9001 -https://advisera.com/9001academy/blog/2018/02/26/how-to-document-roles-and-responsibilities-according-to-iso-9001/
• Enroll for free - [free course] ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
• Book - Discover ISO 9001 :2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

ISO 14001:2015 Internal Auditor OR Lead Auditor Training?

Thank you very much 

Risk assessments

As for a practical example of risk assessment, I suggest you take a look at this free downloadable material: Diagram of ISO 27001:2013 Risk Assessment and Treatment process (PDF) Diagram of ISO 27001:2013 Risk Assessment and Treatment process (PDF) https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process

The diagram shows the ISO 27001 Risk Assessment and Treatment process, considering an asset – threat – vulnerability approach.

Please note that included with your toolkit there is access to a video tutorial that can help you understand and fill in the risk assessment and risk treatment tables, using real data as an example.

These articles will provide you a further explanation about risk assessment:

• ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
• Risk assessment tips for smaller companies https://advisera.com/27001academy/blog/2010/02/22/risk-assessment-tips-for-smaller-companies/
• ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
• How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

ISO 27001 security-driven culture

1. How can we create an ISO 27001 security-driven culture in an organization?

To develop a security culture you must consider these points:

• definition of clear objectives and targets
• definition of roles and responsibilities
• providing awareness about the importance of information security and the consequences of incidents and non-compliances
• providing training about how to perform required activities
• measure and analyze performance and provide feedback

For further information, see:

• What are the benefits of security awareness training for organizations? https://advisera.com/27001academy/blog/2019/03/27/what-are-the-benefits-of-security-awareness-training-for-organizations/
• How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/

This material will also help you regarding awareness and training:

• Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.

2. What are the success factors to ensure ISO 27001 compliance?

Some common main success factors to ensure ISO 27001 compliance are:

• top management support
• clear objectives (aligned with business objectives)
• clear roles and responsibilities
• trained personnel
• regular performance review

These articles will provide you a further explanation about some success factors:

• 4 crucial techniques for convincing your top management about ISO 27001 implementation https://advisera.com/27001academy/blog/2016/09/12/4-crucial-techniques-for-convincing-your-top-management-about-iso27001-implementation/
• Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
• Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/

Productivity and surpasses performance target

First is important to note that the purpose of ISO 27001/ISMS is not to ensure productivity nor to surpass performance targets, but to protect information.

However, ISO 27001 can indirectly influence productivity. With a well-performed risk assessment and treatment, only the necessary controls will be selected and applied, and this can help productivity by:

• avoiding excessive security
• decreasing the occurrence and impact of information related incidents on productivity

For example, by ensuring the integrity of product specifications, it helps avoid rework and resource waste. By ensuring the availability of operational procedures in the workplace, it helps employees to work on proper activities.

These articles will provide you a further explanation about security objectives:

• What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
• ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
• Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/

Risk Assessment

Please note that before the certification audit you need to have evidence that all requirements from ISO 27001 clauses 4 to 10,

 and applicable controls are implemented and working as expected.

Considering that, you need to perform at least one internal audit, covering all requirements and applicable controls, and one management review before the certification audit (corrective action you need to performed only if you identify any nonconformity during the implementation process). The lack of internal audit and management review will make impossible for the certification auditor to start stage 2 of the certification audit.

These articles will provide you a further explanation about the certification audit:

• Infographic: The brain of an ISO auditor – What to expect at a certification audit https://advisera.com/articles/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/
• Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

This material will provide you a further explanation about the certification audit:

• What to expect at the ISO certification audit: What the auditor can and cannot do https://info.advisera.com/free-download/what-to-expect-at-the-iso-certification-audit

Software validation procedure

This is helpful, and I would be interested in hearing more about this in one of your webinars, perhaps? Many thanks.

Examples in "Organizational knowledge"

When I work with organizations, facilitating the implementation of a quality management system according to ISO 9001:2015, about clause 7.1.6 “Organizational Knowledge, I draw the following matrix:

The first and second paragraphs of clause 7.1.6 are about quadrants 1 and 2.
Quadrant 1 is about what we know that we know – that is written in procedures, work instructions, tables, specifications. Normally, is listed or codified in job descriptions and when someone starts in a new position human resources plans an integration program with that knowledge transfer. For a construction contractor this is the engineering knowledge acquired at universities, this is empirical knowledge translated into your documented procedures and templates.

Quadrant 2 is about what we don’t know that we know – that is work experience not codified, unwritten rules. Normally, is transferred through coaching with more experienced job partners. For a construction contractor this can be the know-how about using explosives to blast rock in a constrained environment. You know, it is different studying that kind of technique in a book or through experience. For a construction contractor this can be the ability to manage a lot of work fronts at the same time in a same site. Again, things that you learn with experience and are difficult to transmit in a classroom.

The third and fourth paragraphs of clause 7.1.6 are about quadrants 3 and 4.
Quadrant 3 is about what we know that we don’t know – that is information that when an organization realizes that is missing can be obtained through training, books, seminars, consultants, suppliers, technical magazines. For example, this question fits in this quadrant. For a construction contractor this can be working with a university or another partner to find a technical solution to solve an architectural challenge.

Quadrant 4 is about what we don’t know that we don’t know – I call it the radar. How does the organization keep a radar working relevant information that can change the future of the business? Normally, organizations keep track of anything new through books, magazines, blogs, conferences, networking, suppliers, …

The following material will provide you information about organizational knowledge:

• ISO 9001 – How to manage knowledge of the organization according to ISO 9001 – https://advisera.com/9001academy/blog/2016/08/30/how-to-manage-knowledge-of-the-organization-according-to-the-iso9001/
• Free online training ISO 9001:2015 Foundations Course –https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Reducing risks from prosecution, pollution, and reputational damage

ISO 14001:2015 states that organizations when determining environmental aspects and impacts should consider the lifecycle of its products and services. ISO 14001:2015 uses the word “consider” because each organization must be aware of its context. A small organization has little power or impact over suppliers. A small organization has little influence over its customers and/or customers’ customers.

Consider the example of a large organization with a big brand power and with its production subcontracted. If one or more of those subcontractors has no concern for the environment and generates pollution, the big brand has a risk of reputational damage because for consumers the manufacturer is invisible it is only the brand that counts. Acting proactively to improve the environmental aspects may open a lot of opportunities for improving efficiency, reducing wastes and environmental costs.

You can find more information below:

• Article - How does product life cycle influence environmental aspects according to ISO 14001:2015: https://advisera.com/14001academy/blog/2016/03/21/how-does-product-life-cycle-influence-environmental-aspects-according-to-iso-140012015/
• Article - Lifecycle perspective in ISO 14001:2015: what does it mean: https://advisera.com/14001academy/blog/2017/02/20/lifecycle-perspective-in-iso-140012015-what-does-it-mean/
• Enroll for free online training - ISO 14001:2015 Foundations Course: https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 companion: https://advisera.com/books/the-iso-14001-2015-companion/

GDPR privacy policy - and Facebook

From your question I understand that you are using the Facebook page as an influencer, for your product promoting activity and your earning comes from affiliate marketing. If so, you should have a privacy notice implemented with reference to Facebook pages saying that profile data will be managed by the Facebook privacy policy and terms and conditions.

Of course, if your group is a personal group and your contacts are friends, family, and people you know in your everyday life, GDPR does not apply to private activity.

Here you can find some useful material:

• Everything you need to know about the GDPR Privacy Notice: https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/
• Addressing GDPR compliance of Facebook fan pages for companies: https://advisera.com/eugdpracademy/blog/2019/04/15/how-to-make-a-facebook-business-page-gdpr-compliant/
• How does GDPR affect digital marketing? https://advisera.com/eugdpracademy/blog/2019/02/20/how-does-gdpr-affect-digital-marketing/
• How does GDPR impact marketing activities? https://advisera.com/eugdpracademy/blog/2018/02/08/how-does-gdpr-impact-marketing-activities/

You may also consider enrolling in this online EU GDPR Foundations Course:

• EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//