You can find more information about audits below:
Impartiality and confidentiality are two requirements that are vital for maintaining the trust and confidence that the users of tests and calibrations place in laboratories. In the context of an accredited internal company laboratory, companywide policies should be established and adopted, setting a course of action across the company to safeguard confidentiality and impartiality of the laboratory.
The extent to which impartiality and confidentiality need to be addressed will depend on your company structure. For example, if the company is small and there are shared incentives or resources between production and the quality assurance department or laboratory, involving either personnel or equipment, there is a threat to the impartiality of the laboratory. Identify possible confidentiality and impartiality issues as part of addressing risks and opportunities (another requirement of ISO 17025:2017), using a Registry of Key Risks and Opportunities. Look at the organisational structure, processes and possible risks. For example, to minimise confidentiality risks, the laboratory should only reveal results and information to authorised personnel. To safeguard impartiality, identify possible commercial, financial, or other pressures from other departments that may compromise activities and the quality of results. Consider internal issues, personal relationships, or other conflicts of interest. These risks must be addressed and resolved.
For more information, have a look at the advice answers
The ISO 17025 document template, Registry of Key Risks and Opportunities, is available for purchase: https://advisera.com/17025academy/documentation/registry-of-key-risks-and-opportunities/
https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/ does not address question 2
First of all, thanks for the feedback.
The issue about existing controls is, in fact, missing in the step 2 risk assessment implementation. The proper text is:
"Once you know the rules, you can start finding out which potential problems could happen to you – you need to list all your assets, then threats and vulnerabilities related to those assets, as well as controls you already have implemented, assess the impact and likelihood for each combination of assets/threats/vulnerabilities, considering controls you already have in place, and finally, calculate the level of risk."
We will provide this adjustment ASAP.
With regards to ISO 27001, what is the correct sequence in evaluating risk vs current controls?
Please note that there is no sequence here.
Since current controls have a direct influence on impact and likelihood, the components of the risk, the risk, and current controls have to be assessed at the same time.
For example for the risk of data loss, if you already have a backup solution implemented, it does not make sense to evaluate the risk of data loss without considering the backup. This would result in an unrealistic risk and unnecessary work to evaluate the risk again, now considering the control. The proper approach is to consider the risk of data loss considering the effects of the backup solution.
1. Must the first internal audit be executed before the certification audit?
Internal audit is a mandatory requirement of ISO 27001 (clause 9.2), so at least one audit cycle, covering all ISO 27001 requirements, must be performed before going for a certification audit.
For further information, see:
This material can also help you:
2. If so, must it cover every area or is it ok to audit some areas after certification audit?
For certification purposes, the internal audit must cover the whole ISMS scope before the certification audit.
Please consider our free webinar on demand, Measurement, analysis, and improvement according to ISO 9001:2015: https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/ There you can find the rationale for developing KPIs both for processes and quality objectives.
The following material will provide you information about indicators:
An objective is a result to be achieved, while an opportunity is a situation, or set of circumstances, that makes it possible to do something.
For example, decreasing information security incidents by 10% in the next quarter is an objective. Using the internal newsletter to raise awareness about preventing security incidents is an example of an opportunity.
This article will provide you further explanation about information security objectives:
Broadly speaking, you should consider the following trainings:
The point is, there is no definitive answer, so you have to consider training on the methodology to manage incidents and in the technologies and processes you will have to recover in case of an incident.
This article will provide you further explanation about managing incidents:
The scope for the BCMS can be found in the Business Continuity Policy template, section 3.4, located on folder 08 Annex A >> A.17 Business Continuity >> 01 Business Continuity Policy.
Thanks so much. Very revealing
CCPA and GDPR have a similar approach to data protection yet with different perspectives. While GDPR is focused on consent and information to the user, CCPA is focused on transparency and the consumer's right to opt-out. Most of GDPR rules make you compliant with CCPA.
First of all, you should check if you are a business under CCPA; also remember that it refers to consumers residing in California.
Businesses, under CCPA, require:
On the contrary, GDPR applies to all legal entities processing personal data in their professional activity in the EU area or on persons being in the EU (there is no reference to dimensions or number of persons), so it has a wider application.
If you apply both regulations, the first step is to manage the different consents and establish a customized privacy policy, because GDPR is more restrictive than CCPA.
If you are interested in GDPR you may find some useful articles here:
You may also consider taking our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//