First, an ISO 14001 internal auditor must be a qualified auditor, but it is your organization that establishes the qualification criteria.
ISO 14001:2015 does not mandate an EMS manual.
When I start implementing an ISO 14001 EMS I start with a Gap Analysis and with an initial determination of environmental aspects and impacts. ISO 14001:2015 has few mandatory documents. One should only consider writing procedures for those situations classified as critical. For example, you want to know the legal requirements and to check whether the organization complies.
The following material will provide you more information about ISO 14001 implementation:
- ISO 14001:2015 Gap Analysis Tool - https://advisera.com/14001academy/iso-14001-gap-analysis-tool/
- List of mandatory documents required by ISO 14001:2015 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-mandatory-documents-required-by-iso-140012015/
- Article - 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
- Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
- Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
- Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
- Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
Imagine design & development as a project.
You receive inputs explicitly mentioned by the client, you gather other inputs either regulated or implicit. You plan a D&D project with several activities. Between some of those activities you have D&D revisions to check if things go according to inputs. At the end you compare the output with the project inputs with a verification activity. If everything is OK you send a sample or the product to the customer to be tested in use, to validate D&D.
The following material will provide you more information about design and development:
- The ISO 9001 Design Process Explained - https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
- Procedure for Design and Development - https://advisera.com/9001academy/documentation/procedure-design-development/
- Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book – (where I use the process approach this way) - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
Quality objectives must be documented; they are a mandatory document according to ISO 9001:2015.
As a document, quality objectives have to comply with the clause 7.5 requirements: they must have an identification, a version and an approval. Now, it is up to each organization to establish how to do document control. Numbering is one possibility for identification, not a rule from the standard.
The following material will provide you more information about documentation:
- How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
- List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
- Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
The ISM (International Safety Management) Code for the Safe Operation of Ships and for Pollution Prevention is an international standard for the safe management and operation of ships, focused on the protection of the environment and the safety of the crew, but also of the equipment. The ISM Code is mandatory for vessels over 500 gross tonnage.
ISO 9001:2015 specifies requirements for a quality management system which ensures that a company provides products and/or services that meet customer requirements and any applicable statutory and regulatory requirements. The main goal of ISO 9001 is to enhance customer satisfaction. This standard is non-mandatory for shipping.
The following material will provide you more information about the differences between ISO 9001 and ISM code:
- Article - How ISO 9001 improves shipping procedures: https://advisera.com/9001academy/blog/2019/07/09/how-iso-9001-improves-shipping-procedures/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
Privacy Notices need to be addressed to and made available to the data subjects whose personal data is being processed by the data controller. Depending on whose personal data you are processing, you may need to provide a Privacy Notice both to external data subjects, such as customers, and to employees.
You can find several templates of Privacy Notices in our EU GDPR Premium Documentation Toolkit (https://advisera.com/eugdpracademy/eu-gdpr-premium-documentation-toolkit/).
Here's the article that explains the details: How to manage security in project management according to ISO 27001 A.6.1.5 https://advisera.com/27001academy/what-is-iso-27001/
For training and awareness you do not need to have a separate document for each project - it is enough to include the training and awareness sessions that are needed for your projects in your existing training & awareness plan.
Here you can find free awareness videos that can be helpful: https://advisera.com/training/awareness-session/security-awareness-training/
Neither ISO 9001:2015 nor ISO 14001:2015 has a mandatory requirement for the existence of a management system manual (MSM). So, organizations are free to decide whether they have an MSM and what its content would be. In my work with organizations I recommend the use of an MSM, and in integrated systems I work with an integrated MSM, one manual for the whole (9001 and 14001) management system.
The following material will provide you more information about manuals:
- Article – List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
- The future of the Quality Manual in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
Unfortunately we have no materials that would cover this case; however, when you change an office the first step is to perform a new risk assessment for this new office - then, based on the newly identified risks, you need to correct existing controls or introduce new controls.
This material will help you: Step-by-step explanation of ISO 27001 risk management https://info.advisera.com/27001academy/free-download/step-by-step-explanation-of-iso-27001-risk-management
The folders in the toolkit are intentionally marked with numbers because those folders indicate the optimal sequence of implementing the standard - in other words, if you want to implement the standard in the quickest way, you should follow the folders as they are arranged.
Those numbers are not related to the clauses of ISO 27001. To see which clauses are covered by each document, you should open the PDF document "List of documents".
It is not necessary for you to keep this numbering for your documents - you can use your own coding system.
How to approach asset-based risk assessment for a cloud provider like Microsoft Azure?
To perform an asset-based risk assessment for a cloud provider you have to consider primarily the risk assessment of the assets controlled by your organization.
For example, for an IaaS cloud provider, where the provider controls the hardware and basic operational systems, this would mean assessing risks related to your data and the software applications you manage. In the case of a SaaS provider, where the provider controls the hardware and software, this would mean assessing risks related only to your data.
This article will provide you with more information to understand this issue:
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
What level of detail is recommended?
ISO 27001 does not prescribe levels of detail, so an organization is free to adopt any level of detail it sees fit. Our recommendation for you is to adopt a level of detail such that you can have confidence you have sufficient information to identify the relevant risks and the proper security controls to be implemented by your organization and the cloud provider.
These articles will provide you with a further explanation:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/