I recommend that you learn the requirements of each clause so you will be able to understand which documents and records are necessary to comply with the standard. Be aware that there are two terms used in ISO 14001 that define the mandatory documents an organization needs to comply with: the documented information that needs to be retained, which corresponds to mandatory records, and the documented information that needs to be maintained, which corresponds to mandatory documents (e.g. environmental policy and objectives).
Here you can find a white paper that explains each clause of ISO 14001:2015 - Clause by clause explanation of ISO 14001:2015: https://info.advisera.com/14001academy/free-download/clause-by-clause-explanation-of-iso-140012015
In this article you can find the list of mandatory documents and those most commonly used in ISO 14001:2015 - List of mandatory documents required by ISO 14001:2015: https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-mandatory-documents-required-by-iso-140012015/
The following material will provide you with more information about documentation:
- How to structure ISO 14001 documentation: https://advisera.com/14001academy/blog/2016/11/28/how-to-structure-iso-14001-documentation/
- Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
1. I love your videos. I want to be clear on something. How do the clauses and the Annex A controls work together for ISO 27001?
In the main part of the standard, clause 6.1.3 d), ISO 27001 requires selecting applicable controls based on the result of the risk assessment; on the other hand, Annex A provides a catalog of 114 controls that can be selected to control the risk.
This article will provide you with further explanation about how the standard works:
2. Please, does the workshop explain and take a person through the implementation process?
If you are taking the ISO 27001 Lead Implementer Course, then during the workshop you will learn how to manage the project according to the standard ISO 20700. To learn about the implementation steps, see this webinar:
To get the know-how for the implementation, see this ISO 27001 Documentation Toolkit: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
1. Which areas do we need to implement in an organization?
According to ISO 27001, the application of a control (in your case, the areas where you need to implement cryptography) must be based on the results of risk assessment, applicable legal requirements (e.g., laws, regulations, or contracts), and/or a decision of top management.
Broadly speaking, areas with identified needs to protect the confidentiality and integrity of communication channels and information would be the most probable areas to implement the cryptography control.
For example, you can use the cryptography control to encrypt sensitive data sent over email or through removable media, or to digitally sign a document, ensuring you are the author of the document or that it was not changed.
For further information see:
2. Example of encryption and decryption policies.
To see what an encryption policy looks like, I suggest you take a look at this free demo: Policy on the Use of Encryption https://advisera.com/27001academy/documentation/policy-on-the-use-of-encryption/
Product safety officer
(I have already done the diagnostic phase; in the implementation part I have made macro improvements to cover the points that the institution does not meet. In one macro improvement I have the leadership part. What can I develop to fulfill the leadership aspects, taking into account that the process is a printed lottery?)
First, it is important to note that ISO 27001 requirements for leadership are the same regardless of the organization's industry and size, so there are no additions or exclusions regarding a printed lottery process.
Considering that, to cover leadership requirements you must:
To see what an Information Security Policy looks like, please see this link: https://advisera.com/27001academy/documentation/information-security-policy/
These articles will provide you with further explanation about leadership requirements:
I'm assuming that by HLS you mean "High-Level Structure" adopted by ISO management standards since 2012.
Considering that, please note that ISO does not have an official position regarding mapping of the PDCA improvement model to its management system standards. Since 2012, ISO has excluded explicit reference to PDCA from its management systems, in favor of a more open approach, where organizations can adopt any improvement model that best fits their needs (e.g., DMAIC, 8S, A3/PSP, etc.).
With this in mind, there is no "correct" answer when mapping clause 7 to the PDCA model. It mostly depends on how you view the clause, as a whole or element by element. For example, the resources and documented information elements are more related to the "PLAN" step (focus on long-term planning), while competence, awareness, and communication are more related to the "DO" step (short-term plans and focus on implementation).
We particularly adopt the approach of clause 7 as a whole and part of the "PLAN" step.
This article will provide you with further explanation about PDCA in ISO 27001:
What are the procedures for validation and verification of methods, and how do I apply them?
The ISO 17025 toolkit includes the procedure for validation and verification of methods, named Test and Calibration Method Procedure, along with two supporting documents: Test Method Development, Verification and Validation Register and Test Method Development, Verification and Validation Record. The techniques for method validation are listed, as well as the required records. It is the responsibility of the laboratory to choose the suitable technique, plan experiments, reference sector-specific guidelines and meet specific regulatory and accreditation body requirements. The procedure is also available separately at https://advisera.com/17025academy/documentation/test-and-calibration-method-procedure/
What's the procedure for personal competence?
The ISO 17025 toolkit includes the necessary procedure, the Competence, Training and Awareness Procedure, where the laboratory defines needs, planning and methods for training and assessment of training results in order to ensure employees are competent. There are also four appendices related to the procedure, namely the Training Program, Training Record and Performance Monitoring, Record of Attendance and Competence Approval, and Authorization Record. The Competence, Training and Awareness Procedure is also available as a separate document at https://advisera.com/17025academy/documentation/competence-training-and-awareness-procedure/
You can read more about the ISO 17025 toolkit, preview all the documents, as well as purchase the toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/