Answer:
First, a clarification: ISO 14001:2015 does not ask for an internal compliance audit. ISO 14001:2015 asks for a complete verification and several actions if needed (clause 9.1.2).
In my country, auditors want to check the actual Environmental Compliance Register. Certification auditors are bound by confidentiality. Some organizations prepare a kind of legal document for the auditor(s) to reinforce that confidentiality. If an organization has any non-compliance, that will appear, for example, in the management review record, a basic document for any certification audit.
Answer:
ISO 14001:2015 has no specific requirements for shipboard waste oil incinerators. You have to check which national or international legislation your organization has to comply with. Different countries have different air emission limits for each chemical.
First it is important to note that it is not mandatory to implement ISO 27001 to implement and get certified against ISO 22301.
Regarding performing a BIA compliant with ISO 22301, you need:
- to identify activities that support the products or services whose continuity you want to ensure
- to assess the impact over time in case these activities are disrupted
- to define prioritized timeframes for returning these activities
- to identify dependencies and supporting resources
What do you suggest please? Lead Auditor or Implementer, and does your provider have a better reputation than IRCA?
Answer:
You must consider your personal and business objectives to define the proper approach. If you plan to implement an ISMS, then you should go for Lead Implementer certification, but if you plan to work as an auditor, then Lead Auditor would probably be better for you.
Regarding reputation, both Exemplar Global and IRCA are well regarded in the market, the difference being that Exemplar Global is more recognized in North America, the Pacific and Australia; IRCA is more popular in Europe.
BS25999 and ISO 22301
Answer:
BS 25999 is the British standard from which ISO 22301 was developed, and we decided to leave both references in the toolkit's name to make it easier for customers to see that it can cover a Business Continuity Management System based on both standards.
I received a further related question:
>Risk Mitigation techniques like PFMEA and DFMEA are deployed for which category of risks? Usually they are for a manufacturing process or design of a product.
Answer:
It is important to note that the AS9100 Rev D standard does not include requirements for how you will perform your risk assessments or risk management. As such, it does not specify the use of FMEA in any risk mitigation activities; how you do this is up to you. As you have stated, FMEA can be used for many different implementations such as product design (operational risk) or process design (could be management risk or operational risk). You should use the tool where you find it useful, and of course where it is a requirement of the customer.
Processes in a service company
Even though the production of drinking water is carried out under regulation, if your organization has introduced new services in the last five years, or if new specifications or requirements were published in the legislation, your organization would have to plan and introduce those changes. In that case clause 8.3 would be applicable. If this did not occur, then you could exclude this clause.
This policy normally defines the rules for the use of cryptographic technologies, so due to its technical nature, and the risks associated with non-IT personnel having access to its content, it is normally given a classification which restricts its access to IT personnel (normally it is not necessary for regular users to have access to this policy).
Difference between Risk Treatment Plan and Corrective Actions
Answer:
Risk Treatment Plan and Corrective Actions fulfill different purposes and requirements, that's why we provide different documents.
You use the Risk Treatment Plan to define actions to treat risks, i.e., actions to prevent them from happening, or to minimize their impact in case they occur.
On the other hand, you use Corrective actions to treat controls or processes that failed to fulfill their objectives, or are not performing as planned.
For example, to treat a risk of data loss you can define the implementation of a backup process in the Risk Treatment Plan.
Now consider that this backup process is implemented, and it was identified that for some reason the backup was not performed as scheduled, or that the process has failed (in both situations the original data wasn't lost). To treat this situation you have to open a Corrective Action.
The reason why we do not have articles on defining the asset value is that it is not prescribed by the standard, and it only complicates the risk assessment if you already assess the level of impact. The point is, if you use the asset-based approach you need to identify risks by listing assets (without evaluating them), threats and vulnerabilities, evaluate impact (taking into account C-I-A) and likelihood, calculate the level of risk, and define the risk owner - nothing more.