Search results


  • Compliance verification

    Considering ISO 22301 requirements, which are the same for other ISO management systems, such as ISO 9001 and ISO 14001, you must perform internal audits at planned intervals, but random verification can also be used if the organization considers this as a good approach for its context.

    These articles will provide you further explanation about internal audit (they are focused on ISO 27001, but the general concept also applies to ISO 22301):

    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/

    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

  • Multi location certification

    Thank you. This was my initial thought, but I was getting push back with a "we own you and we can do what we want" attitude. I guess it will come down to whether they think there is business value in maintaining it.

  • Risk assessment and treatment report

    I have a clarification question regarding the risk assessment and treatment report. When is this report created in the process of the ISO 27001 project? Before or after implementation of the necessary controls?

    The risk assessment and treatment report must be created before the implementation of the necessary controls, just after completion of risk assessment and risk treatment.

    In the draft document it states that «The risk treatment was done from XX to XX.» (Risk treatment was carried out in the period from [day/month/year] to [day/month/year].) Does this imply that the controls are in place, or does this mean that the treatment plan etc. was created, but the controls do not have to be in place when writing the report?

    This period “from XX to XX” refers to the period by which all treatment options for unacceptable risks were defined. It is not related to the implementation of controls.

    Also, it says in the draft document (Heading 3.5) that «after implementation of the controls the residual risks are re-evaluated» (after the controls were applied, the residual risks were assessed). This implies that the report is done after the controls have been implemented, as the process (which is reported on) would include the residual risk evaluation after the implementation of the controls.

    Please note that residual risks must be estimated after the treatment option is decided, without implementing any control, so decision makers can simulate different approaches to handle all risks.

    After the controls are implemented, during the risk review, you will assess (re-evaluate) the realistic value of impact and likelihood, and this is something you need to record in the Risk assessment table – this has nothing to do with the initial Risk assessment report.

  • Integrated implementation

    Answer: ISO 22301 shares many common requirements with other ISO management system standards, like ISO 9001:

    - document control

    - internal audit

    - management review

    - nonconformities and corrective actions

    These shared requirements allow an organization to save time and effort when implementing another ISO management standard, because you will only have to make minimal adjustments to ensure compliance.

    Additionally, ISO 27001 controls which require implementation of business continuity capabilities can also make use of ISO 22301 practices to fulfill these requirements. Of course, if you have other standards in mind that also require business continuity capabilities, these can also benefit from ISO 22301 practices.

    This article will provide you further explanation about integrated systems:

    - How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/

    This material will also help you regarding an example of integrating systems:

    - ISO 27001 & ISO 22301: Why is it better to implement them together? [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/

  • When to certify a consultancy?

    No, you do not need to be certified in any way to work as a consultant. As long as you have project management skills, as long as you have communication skills and as long as you know the management system standard you can work as a consultant.

    If you have your own consulting company and you think you can benefit from ISO 14001 and/or ISO 9001 certification in terms of image and credibility, you can decide to certify your business.

    The following material will provide you more information about certification:

    Article - 6 Key Benefits of ISO 14001 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/6-key-benefits-of-iso-14001/
    Free webinar on demand - Free webinar – How to sell ISO consulting services - https://advisera.com/9001academy/webinar/how-to-sell-iso-consulting-services-free-webinar-on-demand/
    Enroll for free in this course – ISO 14001:2015 Lead Implementer Course - https://advisera.com/training/iso-14001-lead-implementer-course/
    Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

  • Implementing a newsletter delivery system

    1. What should I enter as text in this mail? Is the transcription of our privacy policy updated according to the new legislation ok? (but there is a problem: it is very long …)

    You need to obtain the consent from your customers if you don’t have it yet or if you do not have any records of the customers consenting to be targeted with newsletters. You should insert a link to your Privacy Policy when asking for the consent via email.

    2. Do I have to insert a button in the email to click if the user wants to keep in touch with us?

    Either a consent button or a response to your email should work as valid consent. Also, keep in mind that you need to allow the customer to opt out at any time.

    3. What should I do with users who do not confirm? Delete them from the database?

    The users that do not confirm cannot be targeted by advertising campaigns.

    If you want to find out more about marketing and GDPR check out this webinar How GDPR affects marketing practices https://advisera.com/eugdpracademy/webinar/how-gdpr-affects-marketing-practices-free-webinar-on-demand/

  • Presentation to feed a management review

    I have no specific examples from the cement industry.

    What I can do is to invite you to develop your presentation considering three stages:

     www.screencast.com/t/VlwOuMza

    Look into the past and report past performance (ISO 14001:2015 clause 9.3 – a) c) d) f))

    Look into the context and report trends (ISO 14001:2015 clause 9.3 – b) e) g))

    Look into the future and list the outputs, decisions and actions that should come out of the management review.

    According to my experience, consider sending in advance the presentation to all attendees. Make the meeting more about decisions and actions than about presentation and analysis.

    The following material will provide you more information about management review:

    Article – The importance of management review in the ISO 14001:2015 process – https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/the

    Free webinar on demand – Free webinar – How to perform management review according to ISO 14001:2015 – https://advisera.com/14001academy/webinar/how-to-perform-management-review-according-to-iso-14001-2015-free-webinar/

    Enroll for free in this course – ISO 14001:2015 Foundations Course – https://advisera.com/training/iso-14001-internal-auditor-course/

    Book – The ISO 14001:2015 Companion – https://advisera.com/books/the-iso-14001-2015-companion/

  • Controlling a Table of Contents

    ISO 9001:2015 does not require a Table of Contents.

    However, as soon as you consider a Table of Contents as part of your set of manufacturing controlled documents, that Table of Contents becomes a document requiring control.

    The following material will provide you more information about document control:

    - Article – New approach to document and record control in ISO 9001:2015 – https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/

    - Enroll for free course – ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/

    - Book – Managing ISO Documentation: A Plain English Guide – https://advisera.com/books/managing-iso-documentation-plain-english-guide/
