You can say that your proposal for implementation starts with a Gap Analysis to establish a baseline, a starting point. Then, you can prepare an implementation plan to determine:
From there you can define an environmental policy and objectives, and evaluate priorities and design a set of action plans to act upon:
While implementing the action plans, training will be identified and given, procedures will be written, and monitoring plans will be designed and implemented. Then, an internal audit will be done, and a management review will take place to evaluate what was done and prepare the next management cycle iteration.
The following material will provide you more information about aspects and impacts:
- Article - Is a gap analysis desirable for ISO 14001 implementation? - https://advisera.com/14001academy/blog/2016/11/14/is-a-gap-analysis-desirable-for-iso-14001-implementation/
- ISO 14001:2015 Gap Analysis Tool - https://advisera.com/14001academy/iso-14001-gap-analysis-tool/
- Article - 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
- Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
- Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
- Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
- Enroll for free in this course – ISO 14001:2015 Lead Implementer Course - https://advisera.com/training/iso-14001-lead-implementer-course/
- Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
The ISO 45001:2018 standard does not dictate any specific process or format to follow for identifying and addressing OH&S opportunities. Many companies will simply do this through a brainstorming session with top management to identify what opportunities exist and what needs to be done about them; the opportunities can then be tracked through a simple spreadsheet or any other tracking mechanism used by the company for planned activities. Other companies may use a more formal SWOT analysis (Strengths, Weaknesses, Opportunities & Threats) to identify the opportunities that are available.
No matter what process you use, it is important to make sure it is a benefit for your organization and not just a complex and confusing process that you think you need to satisfy a requirement which does not provide any advantage to you.
For a better understanding of the requirements for risks and opportunities in ISO 45001:2018, see this article: What are the new requirements for risks and opportunities according to ISO 45001?, https://advisera.com/45001academy/blog/2018/04/25/what-are-the-new-requirements-for-risks-and-opportunities-according-to-iso-45001/
First of all, you have to check the contract/service agreement your organization has with AWS regarding security clauses. Normally such reviews are performed by means of audits (internal or by AWS certification bodies), or results of penetration tests.
These articles will provide you a further explanation about handling supplier security:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
There are 52 standards related to ISO 27001. You can recognize them by the prefix ISO/IEC 270xx. They are not related to specific clauses, but to some processes (e.g., risk management, implementation, measurement, etc.), and to controls from Annex A, where they provide detailed implementation guidance (e.g., physical security, cloud security, privacy, etc.).
The most knowledgeable and used are:
- ISO 27002 - It provides general guidance on the implementation of Annex A controls
- ISO 27005 - It provides general guidance on the implementation of information security risk management
- ISO 27017 - It provides specific guidance on the implementation of Annex A controls for cloud environments
- ISO 27018 - It provides specific guidance on the implementation of Annex A controls for privacy on cloud environments
- ISO 27031 - It provides specific guidance on the implementation of Annex A regarding IT disaster recovery
- ISO 27032 - It provides specific guidance on the implementation of Annex A regarding cybersecurity
At the ISO site you can find a complete list of related standards: https://www.iso.org/obp/ui/#search
(filters: standard and ISO/IEC JTC 1/SC 27)
For more information see:
- ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
- ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
- ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
- Understanding IT disaster recovery according to ISO 27031 https://advisera.com/27001academy/blog/2015/09/21/understanding-it-disaster-recovery-according-to-iso-27031/
- ISO 27001 vs. ISO 27032 cybersecurity standard https://advisera.com/27001academy/blog/2015/08/25/iso-27001-vs-iso-27032-cybersecurity-standard/
2 - I was keen to understand about risk, does it make sense to just use the iso risk approach or methodology like the FAIR institute? Lost here in direction to study.
Answer: ISO 27001 does not prescribe which methodology to use for information security risk management, so you can use the approach that is best for your organization (e.g., FAIR, ISO 27005, ISO 31000, NIST RMF, etc.)
These articles will provide you a further explanation about risk management:
- How to address opportunities in ISO 27001 risk management using ISO 31000 https://advisera.com/27001academy/blog/2018/04/13/how-to-address-opportunities-in-iso-27001-risk-management-using-iso-31000/
- How to use the NIST SP800 series of standards for ISO 27001 implementation https://advisera.com/27001academy/blog/2016/05/02/how-to-use-the-nist-sp800-series-of-standards-for-iso-27001-implementation/
Process is just one part of the practice in ITIL4, so you can use it while implementing ISO 20000.
Further on, practices in ITIL4 contain Practice Success Factors and Key Performance Indicators, and both of them can be used while implementing and maintaining an ISO 20000:2018 based SMS.
Processes in ISO 20000:2018 are:
1. Service catalogue management
2. Asset management / Configuration management
3. Business relationship management
4. Service level management
5. Supplier management
6. Budgeting and accounting for services
7. Demand management
8. Capacity management
9. Change management
10. Service design and transition
11. Release and deployment management
12. Incident management
13. Service request management
14. Problem management
15. Service availability management
16. Service continuity management
17. Information security management
ISO 14001:2015 has no particular requirements concerning those that will implement an environmental management system or be responsible for its operation, maintenance and improvement.
Each organization is free to define competence requirements for that role.
Being a Health Inspector may give you some experience with regulations and with the task of working with others to follow rules. Besides that qualification I recommend learning about ISO 14001:2015 requirements, learning about good internal audit practices, and learning about good implementation practices.
The following material will provide you more information about training:
- Free webinar - How to use a Documentation Toolkit for the implementation of ISO 14001 - https://advisera.com/14001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-14001-free-webinar-on-demand/
- Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
- Enroll for free in this course – ISO 14001:2015 Lead Implementer Course - https://advisera.com/training/iso-14001-lead-implementer-course/
- Enroll for free in this course – ISO 14001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/
- Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
ISO 27001 does not prescribe methods for secure software development, so organizations are free to adopt the approach that better fits their needs, and provided the adopted approach fulfills the standard's requirements, auditors will be ok with it. Unfortunately, we do not have details about the use of SCRUM in software development in ISO certified organizations, but regarding ISO 27001 implementation, it is an approach as useful and effective as any other project management framework.
These articles will provide you a further explanation about Scrum and information security, and about ISO 27001 controls for the software development life cycle:
- How to use Scrum for the ISO 27001 implementation project https://advisera.com/27001academy/blog/2017/03/27/how-to-use-scrum-for-the-iso-27001-implementation-project/
- How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
The Standard Contractual Clauses are documents issued by the EU Commission and are meant to be used only when transferring personal data outside the EU. The Data Processing Agreement is to be used when both controller and processor are in the EU.
If this simplified security policy covers all requirements from the standard, properly addresses the results of the risk assessment and the legal requirements your organization must fulfill, and is understood and easily handled by your employees, then it is acceptable under ISO 27001 requirements and to certification auditors.
Regarding our toolkit, we haven’t found a proper policy format that would meet all those criteria, so this is why we recommend the usage of the documents from the toolkit.
These articles will provide you a further explanation about developing documents:
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
- How detailed should the ISO 27001 documents be? https://advisera.com/27001academy/blog/2014/09/22/detailed-iso-27001-documents/
First, it is important to note that usually a methodology is written, not a manual.
To develop a risk assessment and treatment methodology compliant with ISO 27001 you must consider:
1) Define how to identify the risks that could cause the loss of confidentiality, integrity and/or availability of your information
2) Define how to identify the risk owners
3) Define criteria for assessing consequences and assessing the likelihood of the risk
4) Define how the risk will be calculated
5) Define criteria for accepting risks
To see what a Risk Assessment and Treatment Methodology looks like, I suggest you take a look at the free demo of our Risk Assessment and Risk Treatment Methodology at this link: https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/
This article will provide you a further explanation about Risk assessment and treatment methodology:
- How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
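As an added illustration of the five decisions listed in the answer above (this is example code written for this page, not Advisera's methodology, toolkit or any ISO-prescribed method), the following Python sketch turns each decision into a concrete rule: risks are identified per asset against loss of confidentiality, integrity or availability, each carries an owner, likelihood and consequence are scored on an assumed 1 to 5 scale, the risk level is computed as likelihood times consequence, and an assumed acceptance threshold decides which risks go to treatment. The register entries, scales and threshold are all constructed assumptions; a real methodology would document its own.

```python
from dataclasses import dataclass

CIA = frozenset({"C", "I", "A"})      # the three properties whose loss defines a risk (step 1)
SCALE = range(1, 6)                   # assumed 1..5 scales for likelihood and consequence (step 3)
ACCEPTANCE_THRESHOLD = 8              # assumed criterion: a level of 8 or less is accepted (step 5)


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    properties: frozenset   # which of C/I/A could be lost (step 1)
    owner: str              # the person accountable for the risk (step 2)
    likelihood: int         # assumed 1..5 (step 3)
    consequence: int        # assumed 1..5 (step 3)

    def __post_init__(self):
        # Reject entries that do not meet the methodology's own definitions.
        if not self.properties or not self.properties <= CIA:
            raise ValueError("properties must be a non-empty subset of C/I/A")
        if self.likelihood not in SCALE or self.consequence not in SCALE:
            raise ValueError("likelihood and consequence must be in 1..5")
        if not self.owner:
            raise ValueError("every risk needs a risk owner")

    def level(self) -> int:
        """Step 4: assumed calculation, likelihood times consequence (1..25)."""
        return self.likelihood * self.consequence


def is_accepted(risk: Risk, threshold: int = ACCEPTANCE_THRESHOLD) -> bool:
    """Step 5: apply the acceptance criterion to the computed level."""
    return risk.level() <= threshold


def assess(register, threshold=ACCEPTANCE_THRESHOLD):
    """Split a register into risks needing treatment and accepted risks,
    highest level first, so the treatment plan starts from the worst."""
    ranked = sorted(register, key=lambda r: r.level(), reverse=True)
    needs_treatment = [r for r in ranked if not is_accepted(r, threshold)]
    accepted = [r for r in ranked if is_accepted(r, threshold)]
    return needs_treatment, accepted


# Constructed sample register (hypothetical assets, owners and scores).
SAMPLE_REGISTER = [
    Risk("file server", "ransomware", "backups not tested",
         frozenset({"I", "A"}), "IT Manager", 4, 5),
    Risk("office printer", "hardware failure", "aging device",
         frozenset({"A"}), "Facilities Manager", 2, 3),
    Risk("laptops", "theft", "no full-disk encryption",
         frozenset({"C"}), "IT Manager", 3, 3),
]

if __name__ == "__main__":
    treat, ok = assess(SAMPLE_REGISTER)
    for r in treat:
        print(f"TREAT  level={r.level():2d} {r.asset}: {r.threat} (owner: {r.owner})")
    for r in ok:
        print(f"ACCEPT level={r.level():2d} {r.asset}: {r.threat} (owner: {r.owner})")
```

The point of the validation in `__post_init__` is that the methodology's definitions (what counts as a risk, that every risk has an owner, what scale the scores use) are enforced at the moment a risk enters the register, which is what an auditor will later check the register against.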