Search results

Nonconformity detection process

Remember, when ISO 14001 speaks of nonconformity, the requirements refer to the nonconformity of a process with respect to the environmental aspects associated with that process. So, you must start with determining and classifying your organization’s environmental aspects and impacts. From there your organization:

• Design monitoring activities (water discharge quality, air emissions, amounts of wastes, …);
• Develop procedures and instructions to guide behavior.
   

Now, you can use the risk-based approach. For each of these actions your organization can ask:

• What can go wrong?
• Is it relevant?
• Can we do something to prevent it from happening?
• Can we do something to detect if it happens? 

Whenever your detection scheme, your control activities, find something wrong from that list you have a nonconformity. Your organization may develop a central procedure to handle all environmental nonconformities or may have rules inserted in each monitoring plan or procedure/instruction about how to handle each specific environmental nonconformity. For example:

• What to do when air emission quality is noncompliant with legislation or permit?
• What to do when employees are not segregating wastes?
   

Please consider the following information:

• Environmental Nonconformity Management: How is ISO 14001 different from ISO 9001 - https://advisera.com/14001academy/blog/2014/10/08/environmental-nonconformity-management-iso-14001-different-iso-9001/
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

ISO 270001 standard implementation

For ISO 27001 certification, a disaster recovery site is necessary only if you have relevant risks that are reduced to acceptable levels by implementing this approach, or if there are legal requirements (e.g., laws, regulations or contracts) demanding the implementation of this site.

If none of the above-mentioned conditions apply, then you do not need a disaster recovery site to be certified.

This article will provide you a further explanation about selecting controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/

These materials will also help you regarding ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

ISO 27001 stakeholders

1 - Who are iso 27001 stakeholders?

Answer: For ISO 27001, stakeholders are known as interested parties and are people or entities that can affect, or be affected, by the Information Security Management System. Most common stakeholders are:
- top management
- employees
- customers
- suppliers
- regulators
- government

2 - How do we identify them?

Answer: The ISO 27001 interested parties are identified based on the analysis of organizational context (internal and external issues that can affect, or be affected, by the ISMS), and in the legal requirements (e.g, laws, regulations and contracts) the organization has to comply with.

For further information, see:
- How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//

3 - Are top managers included in the ISMS scope?

Answer: The ISMS scope is normally defined in terms of information, locations, business units or process to be protected, not people or roles.

In most cases, the managers that have the highest position in the ISMS are included in the scope - e.g. if only one department is included in the scope then this is the head of the department; if the whole company is included in the scope then this is the CEO of the company.

 What happens is that top managers take an essential role in the ISMS implementation, by setting directives and objectives and providing resources.

These articles will provide you a further explanation about the scope definition and top management responsibilities:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
- Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/

These materials will also help you regarding ISO 27001:
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
- ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Business Impact Analysis report

Please note that ISO 22301 does not require a BIA report, and in most cases smaller and mid-size companies are not using such document.

Usually what happend is that the results of the BIA are summarized (reported) through the Business continuity strategy.

To see how a Business continuity strategy looks like, I suggest you take a look at the free demo of our Business continuity strategy at this link: https://advisera.com/27001academy/documentation/business-continuity-strategy/

Experience for taking up ISO27001

I'm assuming you are talking about attending the course and taking the final exam.

Considering that, there is no previous mandatory knowledge requirement for the course and the exam. What happens is that previous knowledge in certain areas, like IT, process management, audit, etc., can allow you to make better use of the course and make the final exam easier.

This material will also help you regarding ISO 27001 courses:
- Free ISO 27001 online trainings: https://advisera.com/training/iso-27001-training/

SoA and selection of controls

You have to implement a control only to the extent it reduces related risks to acceptable levels and ensures legal requirements (e.g., laws, regulations, or contracts) are fulfilled.

This article will provide you a further explanation about risk treatment:

• Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment

These materials will also help you regarding risk treatment:

• Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

Preparing an e-mail policy

How to handle email is included in the IT Security Policy, folder 14.A.8 section 3.14

If you need to find more information on how to fill the document, you can check this article:

• How to structure the documents for ISO 27001 Annex A controls: https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/

If you want to learn more about security controls, this eBook can help you:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

• Double Option

  Is double option mandatory In Europe and if yes where I can see in what countries it is?

  I assume you are referring to double option in consent forms for different purposes. Well, if your organization is under GDPR, whether is based in EU or processes EU individual’s personal data, you will need to comply with GDPR worldwide.

  You can find more information in the following article:
  What is the EU GDPR and why is it applicable to the whole world? https://advisera.com/eugdpracademy/knowledgebase/what-is-the-eu-gdpr-and-why-is-it-applicable-to-the-whole-world/  

  If you have a question about to which countries is GDPR applicable, then please use this article instead: Is the GDPR applicable to our company? https://advisera.com/eugdpracademy/knowledgebase/who-needs-to-be-gdpr-compliant-an-easy-explanation/

  You can also consider enrolling in this free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

   

  To fulfill a form is always and in all the countries obligated to add the checkbox for marketing activities?

  Yes, unless the marketing activity is the main purpose of data processing. I.e. in a subscription form to be informed about promotions. The purpose of processing is clearly marketing, and the user is giving consent for it. On the contrary, if the user is purchasing anything on the website or requiring general information if you want to use email for marketing purposes, you need to add the checkbox, because the user must be aware of what are you going to do with his/her e-mail.

  You can find more information here:
  How does GDPR impact marketing activities? https://advisera.com/eugdpracademy/blog/2018/02/08/how-does-gdpr-impact-marketing-activities/
  How does GDPR affect digital marketing? https://advisera.com/eugdpracademy/blog/2019/02/20/how-does-gdpr-affect-digital-marketing/
  Email marketing in the era of GDPR – How to ensure compliance? https://advisera.com/eugdpracademy/blog/2019/05/27/gdpr-and-email-marketing-rules-for-compliant-campaigns/

  Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/

• Environmental performance report

  First, let us consider the elements of an environmental performance report.

  You can consider adapting based on these elements:

  • Introduction – a top management statement (includes a greeting, a list of actions and commitment)
  • Organization’s Profile – main business areas, facilities being operated and managed as well as their locations and activities
  • Intentions versus results - Summary of Policies, Targets, and Achievements in Environmental Efforts. Include environmental policies regarding environmental activities, summary of objectives, plans of environmental activities and achievements in environmental efforts. May also include material and energy balances.
  • State of the environmental management system – describes how the organization is to manage its operations and services to achieve its environmental objectives and targets
  • State of activities for improving relationship with the environment – presentation and analysis of the key environmental indicators and measurements against the corresponding policy, objectives, targets/milestones as benchmarks.
  • Environmental actions requiring special attention - top management, might wish to give the organization’s views on how well the organization has performed in the current year and which specific areas they would focus their efforts on in the coming year. In this part of the report, it might be worthwhile for the top management to consider the possible challenges likely to be faced by the organization.

  About the evaluation mechanisms consider developing a monitoring plan, a dashboard including each environmental indicator and the state of each action plan. Define monitoring and analysis responsibilities and frequency.

  Please consider the following information:

  • Environmental performance evaluation - https://advisera.com/14001academy/blog/2015/07/06/environmental-performance-evaluation/
  • How to perform communication related to the EMS - https://advisera.com/14001academy/blog/2015/08/31/how-to-perform-communication-related-to-the-ems/
  • Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
  • Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

• ISO 14001 in Human Resources

  That will depend from organization to organization.

  For example, if you consider a small medium company with Human Resources basically doing office work, you can ask: How does an office interacts with the environment?

  • Energy consumption
  • Paper waste
  • Electric and electronic waste

  Another example might be the Human Resources of a corporation, or a company with multiple units. In this case you might add:

  • Carbon emissions due to travel between units

  Another example is an organization where Human Resources is also responsible for general organizational behaviors such as:

  • Waste of energy, waste of water and paper. Waste management similar to urban waste. Policies for recycling paper and ink and toners

  I recommend doing this exercise, as a brainstorm, fill the remaining spaces:

  

  Please consider these sources of information:

  • Article - 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
  • Article - Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
  • Article - How to identify environmental aspects in your office using ISO 14001 - https://advisera.com/14001academy/blog/2015/05/18/how-to-identify-environmental-aspects-in-your-office-using-iso-14001/
  • Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
  • Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
  • Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/