There is no requirement in ISO 14001:2015 to incorporate the opportunities in an Environmental Aspect Impact Register.
Different organizations use different approaches to manage risks and opportunities and aspects and impacts.
For example, when I audit organizations, I sometimes see this approach:
When I work as a consultant, I use this approach:
According to the first approach, opportunities are significant positive environmental impacts. According to my approach, I have two registers: one for risks and opportunities and the other for environmental aspects and impacts.
The following material will provide you with more information about aspects and impacts and risks and opportunities:
Article - Should you use a risk register for the ISO 14001 EMS? - https://advisera.com/14001academy/blog/2016/10/17/should-you-use-a-risk-register-for-the-iso-14001-ems/
ISO 14001 risks and opportunities vs. environmental aspects - https://advisera.com/14001academy/blog/2016/06/06/iso-14001-risks-and-opportunities-vs-environmental-aspects/
Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
ISO 9001:2015 has no requirements about the role of the Quality Manager. So, a Quality Manager can work remotely as long as the management system conforms with ISO 9001:2015 requirements and is effective.
The following material will provide you with more information about roles and responsibilities:
What is the job of the Quality Manager according to ISO 9001? - https://advisera.com/9001academy/blog/2016/08/23/what-is-the-job-of-the-quality-manager-according-to-iso9001/
How to document roles and responsibilities according to ISO 9001 - https://advisera.com/9001academy/blog/2018/02/26/how-to-document-roles-and-responsibilities-according-to-iso-9001/
Enroll in this free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
Considering ISO 22301 requirements, which are the same for other ISO management systems, such as ISO 9001 and ISO 14001, you must perform internal audits at planned intervals, but random verification can also be used if the organization considers this as a good approach for its context.
These articles will provide you with further explanation about internal audits (they are focused on ISO 27001, but the general concept also applies to ISO 22301):
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
Thank you. This was my initial thought, but I was getting push back, a "we own you and we can do what we want" attitude. I guess it will come down to whether they think there is business value in maintaining it.
I have a clarification question regarding the risk assessment and treatment report. When is this report created in the process of the ISO 27001 project? Before or after implementation of the necessary controls?
The risk assessment and treatment report must be created before the implementation of the necessary controls, just after completion of risk assessment and risk treatment.
In the draft document it states that «The risk treatment was done from XX to XX.» (Risikobehandlung wurde im Zeitraum von [Tag/Monat/Jahr] bis [Tag/Monat/Jahr] durchgeführt.) Does this include that the controls are in place, or does this mean that the treatment plan etc. was created, but the controls do not have to be in place when writing the report?
This period “from XX to XX” refers to the period by which all treatment options for unacceptable risks were defined. It is not related to the implementation of controls.
Also, it says in the draft document (Heading 3.5) that «after implementation of the controls the residual risks are re-evaluated» (nach der Anwendung der Maßnahmen wurden die Restrisiken bewertet). This implies that the report is done after the controls have been implemented as the process (on which is reported) would include the residual risk evaluation after the implementation of the controls.
Please note that residual risks must be estimated after the treatment option is decided, without implementing any control, so that decision makers can simulate different approaches to handle all risks.
After the controls are implemented, during the risk review, you will assess (re-evaluate) the realistic value of impact and likelihood, and this is something you need to record in the Risk assessment table – this has nothing to do with the initial Risk assessment report.
Answer: ISO 22301 shares many common requirements with other ISO management system standards, like ISO 9001:
- document control
- internal audit
- management review
- nonconformities and corrective actions
These shared requirements allow an organization to save time and effort when implementing other ISO management standards, because you will only have to make minimal adjustments to ensure compliance.
Additionally, ISO 27001 controls that require the implementation of business continuity capabilities can also make use of ISO 22301 practices to fulfill these requirements. Of course, if you have other standards in mind that also require business continuity capabilities, these can also benefit from ISO 22301 practices.
This article will provide you with further explanation about integrated systems:
- How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/
This material will also help you regarding an example of integrating systems:
- ISO 27001 & ISO 22301: Why is it better to implement them together? [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
No, you do not need to be certified in any way to work as a consultant. As long as you have project management skills, as long as you have communication skills and as long as you know the management system standard you can work as a consultant.
If you have your own consulting company and you think you can benefit from ISO 14001 and/or ISO 9001 certification in terms of image and credibility, you can decide to certify your business.
The following material will provide you with more information about certification:
Article - 6 Key Benefits of ISO 14001 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/6-key-benefits-of-iso-14001/
Free webinar on demand – How to sell ISO consulting services - https://advisera.com/9001academy/webinar/how-to-sell-iso-consulting-services-free-webinar-on-demand/
Enroll for free in this course – ISO 14001:2015 Lead Implementer Course - https://advisera.com/training/iso-14001-lead-implementer-course/
Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
1. What should I enter as text in this email? Is the transcription of our privacy policy, updated according to the new legislation, OK? (But there is a problem: it is very long …)
You need to obtain the consent from your customers if you don’t have it yet or if you do not have any records of the customers consenting to be targeted with newsletters. You should insert a link to your Privacy Policy when asking for the consent via email.
2. Do I have to insert a button in the email to click if the user wants to keep in touch with us?
Either a consent button or a response to your email should work as valid consent. Also, keep in mind that you need to allow the customer to opt out at any time.
3. What should I do with users who do not confirm? Delete them from the database?
The users that do not confirm cannot be targeted by advertising campaigns.
If you want to find out more about marketing and GDPR, check out this webinar - How GDPR affects marketing practices - https://advisera.com/eugdpracademy/webinar/how-gdpr-affects-marketing-practices-free-webinar-on-demand/