Answer:
When considering how to evaluate the overall environmental performance of a company I consider two criteria:
Alignment with the strategic orientation; and
Consistency with the results of the environmental assessment.
Considering the strategic orientation - for example:
if a company competes based on cost, I want to measure indicators that assess efficiency, reduction of wastes, reduction of unitary consumptions;
if a company competes based on service and interaction, I want to measure indicators that assess the progress of partnerships like shared resources, recycling and reusing;
if a company competes based on innovation, I want to measure the relationship of innovation with a lower environmental footprint.
Considering the results of the environmental assessment, I want to measure the progress of the interaction of the company with the environment. That is done through measuring indicators related to significant environmental impacts like: waste amount; quality and quantity of wastewater; unitary consumption of raw materials, water and energy; quality of air emissions; number of accidents or incidents.
2. What are the waste management requirements for ISO 14000?
Answer:
About waste management requirements of ISO 14001 I can list:
comply with law and regulations by working with legal waste operators;
comply with law and regulations in segregating, labeling, storing and transporting wastes;
prepare for emergencies, train people to handle wastes;
if it is a significant environmental aspect, work to reduce waste generation and/or promote waste reuse or recycling;
keep records.
Answer:
ISO 14001 does not set any retention time. I use two criteria to establish retention times:
Follow the retention time defined by law or regulations when that is the case;
Follow a retention time of 4 years to ensure that all records from one certification cycle are kept during the cycle.
Answer: If you choose the option "accept risk", you should document such risks in section 4 of our Statement of Applicability template (in section 3 you list all applicable and non-applicable controls).
2. Regarding chapter A.14: A webhosting company which doesn't develop software at all might have some of the controls in chapter A.14 applicable if they are buying a 3rd party CRM. The previous time that I asked you, you responded the following: "mainly those related to definition of security requirements and system acceptance." Which other controls besides A.14.1.1 are we talking about in case of buying a 3rd party CRM system?
Answer: Other controls to be considered are 14.2.3 Technical review of applications after operating platform changes, and 14.2.9 System acceptance testing.
3. If an asset isn't used by anyone, do I still have to add it in the 'Inventory of assets'?
Answer: If an inventory of assets is applicable to your context, you only have to include assets that are involved with the information you want to protect. So, if an asset isn't used by anyone, there is no need to include it in the inventory.
4. Security Procedures for IT Department 6.5.1 Describe the technology used for erasing data from media in the equipment: We don't have any specific tool for the removal of data. Let us say a customer wants to end his services at our company; then all we have to do is press the "Delete client" button on the tool(s) that we use for the administration (both invoicing and webhosting). Is this okay or do we really need a tool which we are specifically using for the removal of data?
Answer: If this "Delete client" functionality can ensure the data cannot be recovered by any means, then you can use it to fulfill the requirement from section 6.5.1 of the Security Procedures for IT.
Time to implement ISO 27001
Answer:
Considering present date, without further information about your scope (e.g., number of employees, which processes, locations, etc.) we cannot provide a precise answer.
1. I have seen a number of different examples of an IAR so was inquiring as to what the actual requirement is to meet the standard.
Answer: If ISO 27001 control A.8.1.1 (Inventory of assets) is applicable to your organization you should consider at least the name of the asset, its owner and its information classification level. Of course you can add more information to fulfill additional needs from other requirements, like GDPR.
2. As for the Information Assets themselves. How granular do I need to be when defining them? E.g., can I have the finance system as an asset, or should it be broken down into Sales, Purchase & General ledger, or even further into Purchase Orders, Credit Notes, Invoices etc.?
Answer: ISO 27001 does not prescribe any level of granularity, so you can adopt the levels you understand will better fulfill your needs. Regarding your examples, all of them are valid for an ISO 27001 compliant inventory of assets.
3. Is the location of an Information Asset required as in Server Name or directory path, or a simple description, e.g., local drive, remote server, SharePoint?
Answer: Again, the level of detail will depend on your needs, but you also have to consider the controls to be implemented. For example, if you have an information asset on a server that is accessed by personnel in general, you may have to specify the directory path to ensure it has the proper access control definition. On the other hand, if the server is accessed only by personnel allowed to access this asset, then you can specify only the server, because where the asset is located on the server will be irrelevant in this case.
This article will provide you further explanation about the Inventory of assets:
- How to handle Asset register (Asset inventory) according to ISO 27001
Answer:
I try to put myself in the shoes of someone wanting to find someone competent to be a quality manager. I would ask questions to try to find out if a person has the right attitude and experience because, before the job interview, I would already have sorted candidates by their knowledge and academic background (knowledge of standards, of auditing, of statistics).
I would like to find a candidate that is good at:
Communication – communication with colleagues, with top management, with regulators, with customers, with auditors, with suppliers (includes reporting skills)
Project management skills – more and more work is done through projects involving people from inside and outside the organization
Problem-solving – use and help others use quality tools for problem-solving, for root cause analysis
Practical thinking – someone that avoids bureaucracy and is focused on sustainable results
Customer focus – someone that can work as an inside ambassador of the customers, those that support the existence of the organization
Protecting against external and environmental threats
Do you have a template that covers A11.1.1-4? If not, would you recommend that I create a new doc for those or append them to the Working in Secure Areas doc? We’re a small company (45 people) and I’m trying to keep the count down.
Answer:
Controls A.11.1.1 (Physical security perimeter) to A.11.1.4 (Protecting against external and environmental threats) are not commonly applicable to small companies, nor is a policy to cover them mandatory for ISO 27001; that's why a document covering them is not included in the toolkit.
Since you identified that these controls are applicable to your context, and they refer to physical protection, we recommend that you create a new document, since the information in the Procedures for Working in Secure Areas is not much related to it.
Information Security Management course for non IT professionals
Answer:
Information Security Management courses based on the ISO 27001 standard do not require previous IT knowledge, so these courses can also be, and should be, attended by non-IT professionals, so they can also be aware of how to protect information properly.
1. With regards to the scope, please could you help me understand what we need to include and how to complete part 3 of the scope document. We have an office which is leased and is on the ground floor of the building, and our two servers are on the 3rd floor in the server room (this room is shared by all the different companies in the building). We also occasionally work from home using the business laptops.
Answer: Considering your stated scenario, you should include in the ISMS scope the office you work in, your two servers and, of course, the processes/services and information you want to protect. The information about the situation of the server room and the homeworking should be considered in the risk assessment and treatment process.
2. Also, do you have a laws and regulations list on your website for the different countries? Do we just need to comply with all the ones listed for the UK, or how do we identify the laws and regulations that apply to our company?
Unfortunately, this list is not fully up-to-date because it depends on voluntary contributions from our readers – therefore, it is likely that not all regulations related to the United Kingdom are listed.
Regarding compliance with them, you need to identify which ones are applicable to your industry and to the specifics of your business, and for this we recommend that you hire a local legal adviser, to make sure you have identified all relevant laws and regulations.
Gap Analysis and planning audits
1. Scope of ISMS audit/Gap Analysis, assuming that an organization has not yet implemented an ISMS.
Answer: Considering you stated that the organization has not yet implemented the ISMS, then you must consider a Gap Analysis, not an audit, to identify how many of the required criteria the organization has already implemented. Considering that, I suggest you take a look at this free ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/
It has a simple question-and-answer format to help you visualize which specific elements of an information security management system based on the ISO 27001 standard are already implemented, and what still has to be done.
2. Estimate the audit effort
Answer: The main criteria to estimate the audit effort are the number of employees and the audit complexity. The document you must consider is the IAF MD 5:2015 "Determination of Audit Time of Quality and Environmental Management Systems", and you can find it at this link: https://www.iaf.nu/upFiles/IAFMD5QMSEMSAuditDurationIssue311062015.pdf
Although its title refers to QMS and EMS, it can also be applied to estimate audit days for an ISMS certification audit.