Links between 14001, 27001 and 45001
The real question is are there natural linkages between 14001, 27001 and 45001 that can be built upon in developing the operating systems environment that you want to achieve, and satisfy the requirements of the three in the process. This is what we need to ensure that we're asking the best questions and tasking the people in the right direction. We look forward, not at lagging indicators, but at guiding science.
Please note that ISO 14001, 27001, and 45001 share many similar requirements (e.g., document control, internal audit, management review, etc.) and require the adoption of a risk management approach to manage environmental risks (ISO 14001), information security risks (ISO 27001), and occupational health and safety risks (ISO 45001), so these common requirements and the need for a risk management approach (which can be fulfilled by adopting practices from the ISO 31000 standard, which defines requirements for risk management) can be considered natural links between these standards.
These articles will provide you with further explanation about these standards:
- What is ISO 27001? https://advisera.com/27001academy/what-is-iso-27001/
- What is ISO 14001? https://advisera.com/14001academy/what-is-iso-14001/
- What is ISO 45001? https://advisera.com/45001academy/what-is-iso-45001/
- ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
- How to implement integrated management systems https://advisera.com/blog/2015/10/05/how-to-implement-integrated-management-systems/
So why not push 31000 as the basis of growth to building the program and dealing with the issues as they are recognized within the organization? IT may not even be considered a risk until you examine it through an assessment process, but legal requirements may vary greatly on safety and environmental and necessitate the adoption of 14000 and 45000 to demonstrate compliance with the legislation.
Please note that ISO 31000 is only one of many available approaches for risk management an organization can adopt (other examples are NIST RMF, German BSI, USA OCTAVE-S, etc.), according to their specific business needs, and promoting a single approach over others is not an objective of ISO.
If an organization has implemented a systematic risk management approach that works for its context and is aligned with applicable legal requirements, then it is enough to be compliant with ISO management standards.
Please also note that, in general, legal requirements that demand the implementation of an ISO standard are not specific to mandatory risk management approaches.
Sep 23, 2022