ISO 14001:2015 states that organizations, when determining environmental aspects and impacts, should consider the lifecycle of their products and services. ISO 14001:2015 uses the word “consider” because each organization must be aware of its context. A small organization has little power or impact over suppliers. A small organization has little influence over its customers and/or its customers’ customers.
Consider the example of a large organization with big brand power and with its production subcontracted. If one or more of those subcontractors has no concern for the environment and generates pollution, the big brand runs a risk of reputational damage because, for consumers, the manufacturer is invisible; it is only the brand that counts. Acting proactively to improve the environmental aspects may open a lot of opportunities for improving efficiency and reducing waste and environmental costs.
You can find more information below:
From your question I understand that you are using the Facebook page as an influencer, for your product promoting activity and your earning comes from affiliate marketing. If so, you should have a privacy notice implemented with reference to Facebook pages saying that profile data will be managed by the Facebook privacy policy and terms and conditions.
Of course, if your group is a personal group and your contacts are friends, family, and people you know in your everyday life, GDPR does not apply to private activity.
Here you can find some useful material:
You may also consider enrolling in this online EU GDPR Foundations Course:
COVID-19 represents a significant change in the organizational context, so according to ISO 27001, clause 8.3, you must perform a risk assessment to identify whether new risks have arisen (e.g., related to access control when working from home) or whether current risks have changed. Based on the results of this new risk assessment you can decide whether the access control policy needs to change or not. This way you can ensure your access control policy will remain compliant with the standard's requirements.
Specifically about the use of cards and biometrics, maybe you should consider implementing an alternative way of identification and authentication (e.g., locks with keys only) paired with video monitoring, or adopting cleaning practices for the input devices, according to manufacturers' recommendations.
This article will provide you with further explanation about risk assessment and risk treatment:
These materials will also help you regarding risk assessment and risk treatment:
Please note that requirements in the main section of the standard (sections 4 to 10) related to roles and responsibilities do not require these to be documented.
On the other hand, to fulfill controls A.7.1.2 and A.13.2.4, the roles and responsibilities need to be documented.
This article will provide you with further explanation about documentation of roles and responsibilities:
First of all, sorry for this misunderstanding.
We are not aware of specific job boards or professional associations for ISO 27001 internal auditors, so your best approach would be looking for them on professional social networks like LinkedIn, the ISO 27001 security group on Google Groups, or organizations which issue certificates for information security professionals like ISC2 or ISACA.
An Environmental Management System (EMS) is a framework that helps an organization achieve its environmental goals and improve its environmental performance.
The Plan-Do-Check-Act model or PDCA cycle is also called the improvement cycle.
The PDCA cycle is a continuous loop of planning, doing, checking, and acting. It provides an approach for solving problems and managing change. Let us use an example: An organization wants to improve the quality of the wastewater discharged into a river to comply with its permit.
Plan – the organization has to study the present situation, has to study different alternatives to improve the wastewater quality, has to decide what to do and make a plan about how to do it.
Do – the organization has to implement the plan.
Check – the organization has to verify that the plan is being implemented and that results are being met.
Act – the organization has to act based on the conclusions of the Check phase. The decision may be to review the plan or to keep its implementation.
The same PDCA cycle can be applied to the top management level:
Plan – define a general orientation and an environmental policy, and translate them into environmental objectives and a plan of action.
Do – implement the action plan.
Check – verify implementation progress and results.
Act – decide whether to keep implementing the action plans or to review them.
You can find more information below:
ISO 27001 does not prescribe a risk assessment approach; it only requires a risk assessment process to be defined, so you can perform risk assessment only by writing risks, without writing threats and vulnerabilities.
This article will provide you with further explanation about alternatives to risk assessment:
This material will also help you regarding risk assessment:
For all the emergency situations, as an environmental aspect I wrote "waste generation" and for the environmental impacts "pollution of the soil, water, pollution with waste, influence on the flora and fauna".
Answer:
Perhaps thinking visually will help you:
Please check use of the word environmental aspects in this article - Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
For the fire, another environmental aspect is "heat generation".
For the fire as aspect I wrote "water consumption" and for the environmental impacts "resource consumption" and "gas emission" with impact "air pollution". Am I right? Did I miss something?
Answer:
For fire events, one of the main vectors for environmental aspects is runoff water. That water is normally heavily contaminated. Environmental aspects in that case are soil contamination and water pollution, with environmental impacts around influence on the flora and fauna, and even on communities. There are several cases of runoff water contaminating an underground water table used as an important public drinking water source.
Considering the article mentioned above about the use of terminology: water consumption, resource consumption, and gas emissions are all environmental aspects. Impacts are about the consequences, like attack on the ozone layer or promoting the greenhouse effect.
You can find more information below:
Please note that ISO 27001 prescribes "what" needs to be achieved in terms of information security, not "how" to do that.
The definition of which is important depends on the results of risk assessment and the identification of relevant requirements (e.g., customer's requirements, laws, regulations, contracts, etc.).
Considering that, for the identification of what needs to be recorded for validation and storage, you need to check:
With these answers, you will have the bases for the requirements to be implemented in your software.
This article will provide you with further explanation about requirements and risk assessment:
These materials will also help you regarding ISO 27001:
ISO 9001:2015 does not use the words compliance or departure. The wording “non-compliance and departure” is used in contract agreements and conditions for Tender.
Non-compliance is something not according to the tender or agreement specifications.
Departure is about any condition of sale, quotation, offer or proposal of any nature appearing on any documents submitted with or within the Tender which constitutes any variation of, or omission from or addition to the Request for Tender.