The first step in the integration process is to identify all common requirements of both standards and implement them first; then you need to focus on the specific requirements of ISO 14001 and OHSAS 18001.
For example, the common requirements are control of documents and records, policies, objectives, competence and awareness, communication, nonconformities, corrective actions, internal audit, etc.
Answer: To ensure you identify the most relevant risks related to an asset (you do not have to identify all risks), you should approach it from as many points of view as possible. Think about including in the same risk identification session people from different areas and processes. For example, if you are evaluating the sales process, try to bring in people from the IT, financial and legal departments. For sure all of them will have different interests in information security and will point out different risks.
And even if you didn't identify all the risks, you will probably identify them during the next review of your risk assessment - no one expects you to do it perfectly the first time; risk assessment is something that is continually improved.
ISO 14001 requires organizations to define the context of the organization by determining the internal and external issues that are relevant to its objectives and that affect its ability to achieve the intended outcomes of its EMS. The term "intended outcomes" refers to what is required of the organization and what it wants to achieve by implementing the EMS. The minimum intended outcomes under the standard include improvement of environmental performance, fulfilment of legal obligations and achievement of environmental objectives.
You can carry out a SWOT analysis or a PEST analysis when determining the context of the organization, or schedule a brainstorming session with the relevant staff of your organization. The results of those analyses, or a record with the minutes of the brainstorming session, will prove that all issues have been considered within the EMS.
It is also possible to determine which parts of the organization should be part of the EMS depending on the reasons for implementing the standard, for example whether it is a customer requirement or a requirement of the company itself.
NIST, COSO and ISO 27001
Answer: In fact these frameworks are not competitors; they complement each other. COSO gives you a corporate view of risk management, and the NIST SP 800 series provides security practices for IT environments. As for ISO 27001, it provides you with a framework for managing information security, considering not only IT environments but also physical and human aspects, as well as business objectives.
That said, while ISO 27001 is more prepared to manage information security than the NIST standards and COSO, it can benefit from the other two frameworks to complement its approach regarding IT controls and the understanding of risk in a business context.
These articles will provide you further explanation about these frameworks:
- How to integrate COSO, COBIT, and ISO 27001 frameworks https://advisera.com/27001academy/blog/2016/10/10/how-to-integrate-coso-cobit-and-iso-27001-frameworks/
- How to use the NIST SP800 series of standards for ISO 27001 implementation https://advisera.com/27001academy/blog/2016/05/02/how-to-use-the-nist-sp800-series-of-standards-for-iso-27001-implementation/
Career on Information Security
I want to take up training and certification for ISO27001, and gradually move up the ladder with CISA.
Here is the dilemma: should I opt for ISO certification at this stage or not? And what approach should I follow to attain it? What study material should I follow, do you run training sessions, and what action plan should I follow, since after this data center project there is a high probability I would be aligned to a different project in the same role?
As of now I find myself in a difficult situation when taking decisions, since my team would have to live with the decisions I take for a long time. I myself don't have prior experience in this domain and find it a bit difficult to gauge the CIA parameters.
I have expertise in service operations, incident, change and event management, good knowledge of the server admin role and the basics of networking.
Answer: From what you described, my suggestion for your development would be first to consider obtaining knowledge of the requirements of the standard and how to conduct an implementation process. For that you can find ISO 27001 Lead Implementer courses on the market. Your previous knowledge of ITIL, server administration and networking will help, but information security covers many more issues, like human resources and legal requirements.
Second would be obtaining knowledge of the audit aspects of ISO 27001, and for that you can consider either ISO 27001 Internal Auditor courses or ISO 27001 Lead Auditor courses (for an immediate or low-budget option you can go for the internal auditor courses, but since you are thinking about CISA, the lead auditor course can help you more regarding that goal).
Answer: For the creation of a risk assessment, you should consider:
- Definition of how to identify the risks to information security
- Definition of how to identify risk owners
- Definition of criteria for assessing the consequences and likelihood of the risk
- Definition of how to calculate the risk
- Definition of criteria for accepting risks
Regarding the risk analysis, the main approaches are qualitative and quantitative analysis.
How can I define the scope of the EMS for a manufacturing company, according to the 2015 version of ISO 14001, without going so far that it is impossible to manage? (The company uses minerals, metals, chemicals, etc.) Could you provide an example?
Defining context of the organization
Answer:
When determining the context of the organization, you need to examine all internal and external issues that can affect your QMS (Quality Management System). When it comes to internal issues, you need to consider products and services, organizational structure, roles and responsibilities, organizational culture, capabilities, etc. For external issues, the organization needs to consider the culture of the market where it operates, legislation, customer requirements and habits, competitors, etc.
Even for the companies that conduct the same type of business in the same country, the context of the organization can be different because of the various elements of the context that need to be considered.
Clause 8.3.2 j) requires that during design and development planning the organization consider the documented information needed to demonstrate that design and development requirements have been met. This doesn't mean that you need to provide this documented information during the planning phase, but that you define what documented information must exist at the end of the design and development process to demonstrate that the requirements have been met. For example, in the project plan or project tasks you will define what documented information will be created as the design and development output, e.g. CAD drawings.