
  • Environmental aspects and objectives


    Answer:

    The main requirement regarding significant environmental aspects is not to set environmental objectives for them (although it is recommendable) but to set operational controls that keep the impact of the aspects within acceptable boundaries. The objectives are short term and they provide effects within their deadline, while the operational controls are long-term measures to decrease environmental impact.

    You do not need to set a new objective regarding this environmental aspect, but you should set the operational control for it. For more information about environmental aspects and operational controls, see: Defining and implementing operational control in ISO 14001:2015 https://advisera.com/14001academy/blog/2016/04/11/defining-and-implementing-operational-control-in-iso-140012015/140012015/
  • How to speed up OHSAS 18001 implementation


    Answer:

    There are different approaches to implementing OHSAS 18001, and some are faster than others. The fastest way to speed up the implementation is to hire a consultant, who will develop the documentation and tell you what you need to do to achieve full compliance, but this is the most expensive solution.

    The second way to speed up the implementation is to use online tools such as our documentation toolkit. This approach requires you to fill in the documents and apply the new procedures yourself, but you will receive know-how and support from us.

    For more information about different approaches in OHSAS 18001 implementation, see: Compare OHSAS 18001 implementation options https://advisera.com/18001academy/comparison/
  • Controlling emissions to air


    Answer:

    There is not much you can do once the pollutant is in the air, but you can install filters, and they can reduce the amount of the pollutant released into the air. Not every significant environmental aspect can be reduced to zero, but the company should do its best to reduce the pollution, and this is done through the operational controls. For more information on how to establish operational controls, see: Once a pollutant is emitted to air, what can we do to reduce its impact? https://advisera.com/14001academy/blog/2016/04/11/defining-and-implementing-operational-control-in-iso-140012015/140012015/
  • Risk assessment in OHSAS 18001 and ISO 9001

    Thx
  • Performing Risk Assessment and Treatment


    Answer: I assume you are referring to the Risk Assessment Table and the criteria provided in the Risk Assessment and Treatment Methodology document. The existing controls must be taken into account when determining the total risk, and they must be entered in the "Existing Controls" column of the Risk Assessment Table.

    2 - For example, if I do consider existing controls and assume they are good enough so that when combined with impact the total risk is 0, 1, or 2 – which I have defined as acceptable – would I have to write anything in “Means of implementation” on the Risk Treatment Table?

    Answer: If a risk you identified in the Risk Assessment Table already has a control implemented to treat it, you would only have to include it in the Risk Treatment Table if the existing control needs to be improved. Otherwise, you can keep the record only in the Risk Assessment Table.

    3 - If the existing control that I have judged to be strong is a control that directly matches a control in the ISO Appendix A, do I say on the Statement of Applicability that it is applicable?

    Answer: Yes, if you can match the implemented control with a control in ISO 27001 Annex A, you can state that that control is applicable in the Statement of Applicability.

    4 - Do my questions make sense?

    Answer: Yes, your questions all make sense, and your perception of what should be done is right. :)

    These materials will also help you in performing the risk assessment and treatment:

    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Continuing Professional Education (CPE) and ISO 27001


    Answer: The total CPE points you will earn after completing an ISO 27001 educational activity will depend on the duration of the activity you attended (e.g., lead auditor training course, lead implementer training course, ISO 27001 workshops, etc.). The general rule is that you get one CPE point for each hour of learning activity, but you have to check the CPE earning rules used by the organization to which you will report the activity.

    These articles will provide you further explanation about some ISO 27001 educational activities:

    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
    - Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/
  • Documenting the control A.17.1.2


    Answer: ISO 27001:2013 in its Annex A has control A.17.1.2 which says "organization shall ... document ... procedures ... to ensure the required level of continuity".

    By the way, in the article you're referring to we have said "Please note that documents from Annex A are mandatory only if there are risks which would require their implementation." - this means that control A.17.1.2 needs to be applied (and documented) only if it is applicable according to the results of the risk assessment.

    These materials will also help you regarding business continuity and information security:
    - article How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/
    - webinar ISO 27001 & ISO 22301: Why is it better to implement them together? https://advisera.com/27001academy/es/webinar/iso-27001-iso-22301-why-is-it-better-to-implement-them-together-free-webinar-on-demand/
  • PCI DSS documents and standards


    Answer: PCI DSS documents and standards can be found on the PCI SSC Document Library page (https://www.pcisecuritystandards.org/document_library). On this page you can find specifications, tools and other resources to help you handle cardholder information securely.

    2) Do we need to purchase it ?

    Answer: PCI DSS standards are free of charge, but you have to accept a license agreement in order to download them. Other PCI DSS related documents (e.g., supporting documents, reporting templates and FAQs) can be downloaded directly.

    These articles will provide you further explanation about PCI DSS:

    - PCI-DSS vs. ISO 27001 Part 1 – Similarities and Differences - https://advisera.com/27001academy/knowledgebase/pci-dss/
    - PCI-DSS vs. ISO 27001 Part 2 – Implementation and Certification - https://advisera.com/27001academy/knowledgebase/pci-dss/
  • Implementing ISO 27001 policies


    Answer: I assume you are referring to the Information Security Policy. Like other policies, a successful information security policy implementation involves properly aligning it with your needs (e.g., requirements and objectives), writing it in a clear and understandable way, and ensuring it is communicated to, and understood by, all who need to follow it.

    This article will provide you further explanation about policy implementation: Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures//

    These materials will also help you regarding policy implementation :
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Good Documentation Practice - GDocP


    But I cannot find a direct link to them. Is this a completely separate thing from ISO? Does a separate body do the auditing and registration for this?

    Answer:

    Good documentation practice (commonly abbreviated GDP; it is recommended to abbreviate it as GDocP to distinguish it from "good distribution practice", also abbreviated GDP) is a term used in the pharmaceutical industry to describe the standards by which documents are created and maintained. GDocP has many requirements similar to those of ISO 9001, but it also has many additional requirements, so ISO 9001 alone would not be enough to cover GDocP.

    GDocP is published by the FDA (U.S. Food and Drug Administration) and the WHO (World Health Organization) and is not related to ISO, so the audits are conducted by other independent bodies, which are called GMP regulators.