Search results

ISO 14001:2015 Internal Auditor OR Lead Auditor Training?

Thank you very much 

Risk assessments

As for a practical example of risk assessment, I suggest you take a look at this free downloadable material: Diagram of ISO 27001:2013 Risk Assessment and Treatment process (PDF) Diagram of ISO 27001:2013 Risk Assessment and Treatment process (PDF) https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process

The diagram shows the ISO 27001 Risk Assessment and Treatment process, considering an asset – threat – vulnerability approach.

Please note that included with your toolkit there is access to a video tutorial that can help you understand and fill in the risk assessment and risk treatment tables, using real data as an example.

These articles will provide you a further explanation about risk assessment:

• ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
• Risk assessment tips for smaller companies https://advisera.com/27001academy/blog/2010/02/22/risk-assessment-tips-for-smaller-companies/
• ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
• How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

ISO 27001 security-driven culture

1. How can we create an ISO 27001 security-driven culture in an organization?

To develop a security culture you must consider these points:

• definition of clear objectives and targets
• definition of roles and responsibilities
• providing awareness about the importance of information security and the consequences of incidents and non-compliances
• providing training about how to perform required activities
• measure and analyze performance and provide feedback

For further information, see:

• What are the benefits of security awareness training for organizations? https://advisera.com/27001academy/blog/2019/03/27/what-are-the-benefits-of-security-awareness-training-for-organizations/
• How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/

This material will also help you regarding awareness and training:

• Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.

2. What are the success factors to ensure ISO 27001 compliance?

Some common main success factors to ensure ISO 27001 compliance are:

• top management support
• clear objectives (aligned with business objectives)
• clear roles and responsibilities
• trained personnel
• regular performance review

These articles will provide you a further explanation about some success factors:

• 4 crucial techniques for convincing your top management about ISO 27001 implementation https://advisera.com/27001academy/blog/2016/09/12/4-crucial-techniques-for-convincing-your-top-management-about-iso27001-implementation/
• Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
• Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/

Productivity and surpasses performance target

First is important to note that the purpose of ISO 27001/ISMS is not to ensure productivity nor to surpass performance targets, but to protect information.

However, ISO 27001 can indirectly influence productivity. With a well-performed risk assessment and treatment, only the necessary controls will be selected and applied, and this can help productivity by:

• avoiding excessive security
• decreasing the occurrence and impact of information related incidents on productivity

For example, by ensuring the integrity of product specifications, it helps avoid rework and resource waste. By ensuring the availability of operational procedures in the workplace, it helps employees to work on proper activities.

These articles will provide you a further explanation about security objectives:

• What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
• ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
• Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/

Risk Assessment

Please note that before the certification audit you need to have evidence that all requirements from ISO 27001 clauses 4 to 10,

 and applicable controls are implemented and working as expected.

Considering that, you need to perform at least one internal audit, covering all requirements and applicable controls, and one management review before the certification audit (corrective action you need to performed only if you identify any nonconformity during the implementation process). The lack of internal audit and management review will make impossible for the certification auditor to start stage 2 of the certification audit.

These articles will provide you a further explanation about the certification audit:

• Infographic: The brain of an ISO auditor – What to expect at a certification audit https://advisera.com/articles/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/
• Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

This material will provide you a further explanation about the certification audit:

• What to expect at the ISO certification audit: What the auditor can and cannot do https://info.advisera.com/free-download/what-to-expect-at-the-iso-certification-audit

Software validation procedure

This is helpful, and I would be interested in hearing more about this in one of your webinars, perhaps? Many thanks.

Examples in "Organizational knowledge"

When I work with organizations, facilitating the implementation of a quality management system according to ISO 9001:2015, about clause 7.1.6 “Organizational Knowledge, I draw the following matrix:

The first and second paragraphs of clause 7.1.6 are about quadrants 1 and 2.
Quadrant 1 is about what we know that we know – that is written in procedures, work instructions, tables, specifications. Normally, is listed or codified in job descriptions and when someone starts in a new position human resources plans an integration program with that knowledge transfer. For a construction contractor this is the engineering knowledge acquired at universities, this is empirical knowledge translated into your documented procedures and templates.

Quadrant 2 is about what we don’t know that we know – that is work experience not codified, unwritten rules. Normally, is transferred through coaching with more experienced job partners. For a construction contractor this can be the know-how about using explosives to blast rock in a constrained environment. You know, it is different studying that kind of technique in a book or through experience. For a construction contractor this can be the ability to manage a lot of work fronts at the same time in a same site. Again, things that you learn with experience and are difficult to transmit in a classroom.

The third and fourth paragraphs of clause 7.1.6 are about quadrants 3 and 4.
Quadrant 3 is about what we know that we don’t know – that is information that when an organization realizes that is missing can be obtained through training, books, seminars, consultants, suppliers, technical magazines. For example, this question fits in this quadrant. For a construction contractor this can be working with a university or another partner to find a technical solution to solve an architectural challenge.

Quadrant 4 is about what we don’t know that we don’t know – I call it the radar. How does the organization keep a radar working relevant information that can change the future of the business? Normally, organizations keep track of anything new through books, magazines, blogs, conferences, networking, suppliers, …

The following material will provide you information about organizational knowledge:

• ISO 9001 – How to manage knowledge of the organization according to ISO 9001 – https://advisera.com/9001academy/blog/2016/08/30/how-to-manage-knowledge-of-the-organization-according-to-the-iso9001/
• Free online training ISO 9001:2015 Foundations Course –https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Reducing risks from prosecution, pollution, and reputational damage

ISO 14001:2015 states that organizations when determining environmental aspects and impacts should consider the lifecycle of its products and services. ISO 14001:2015 uses the word “consider” because each organization must be aware of its context. A small organization has little power or impact over suppliers. A small organization has little influence over its customers and/or customers’ customers.

Consider the example of a large organization with a big brand power and with its production subcontracted. If one or more of those subcontractors has no concern for the environment and generates pollution, the big brand has a risk of reputational damage because for consumers the manufacturer is invisible it is only the brand that counts. Acting proactively to improve the environmental aspects may open a lot of opportunities for improving efficiency, reducing wastes and environmental costs.

You can find more information below:

• Article - How does product life cycle influence environmental aspects according to ISO 14001:2015: https://advisera.com/14001academy/blog/2016/03/21/how-does-product-life-cycle-influence-environmental-aspects-according-to-iso-140012015/
• Article - Lifecycle perspective in ISO 14001:2015: what does it mean: https://advisera.com/14001academy/blog/2017/02/20/lifecycle-perspective-in-iso-140012015-what-does-it-mean/
• Enroll for free online training - ISO 14001:2015 Foundations Course: https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 companion: https://advisera.com/books/the-iso-14001-2015-companion/

GDPR privacy policy - and Facebook

From your question I understand that you are using the Facebook page as an influencer, for your product promoting activity and your earning comes from affiliate marketing. If so, you should have a privacy notice implemented with reference to Facebook pages saying that profile data will be managed by the Facebook privacy policy and terms and conditions.

Of course, if your group is a personal group and your contacts are friends, family, and people you know in your everyday life, GDPR does not apply to private activity.

Here you can find some useful material:

• Everything you need to know about the GDPR Privacy Notice: https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/
• Addressing GDPR compliance of Facebook fan pages for companies: https://advisera.com/eugdpracademy/blog/2019/04/15/how-to-make-a-facebook-business-page-gdpr-compliant/
• How does GDPR affect digital marketing? https://advisera.com/eugdpracademy/blog/2019/02/20/how-does-gdpr-affect-digital-marketing/
• How does GDPR impact marketing activities? https://advisera.com/eugdpracademy/blog/2018/02/08/how-does-gdpr-impact-marketing-activities/

You may also consider enrolling in this online EU GDPR Foundations Course:

• EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

• Compliance with the access control policy

  COVID-19 represents a significant change in the organizational context, so according to ISO 27001, clause 8.3, you must perform a risk assessment to identify if new risks have arisen (e.g., related to access control when working from home), or if current risks have changed. Based on the results of this new risk assessment you can decide if the access control policy needs change or not. This way you can ensure your access control policy will continue compliant with standards requirements.

  Specifically about the use of cards and biometrics, maybe you should consider implementing an alternative way of identification and authentication (e.g., locks with keys only) in pair with video monitoring, or adopting cleaning practices in the input devices, according to manufacturers' recommendations. 

  This article will provide you a further explanation about risk assessment and risk treatment:

  • ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

  These materials will also help you regarding risk assessment and risk treatment:

  • Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/