
    ISA is a certification body headquartered in the U.S.A., providing certification/registration to ISO 9001, AS9100 and AS9120 Quality Management Systems (QMS). Our assessors are strategically located throughout North America, the Middle East and Asia. As we continue to evolve with a service-oriented attitude and value-added approach, we are mindful that the strategies we pursue and the certifications we issue must ultimately result in long-term benefits for our clients.

    Our clients range in size from thousands of employees to a single employee, and for each Quality Management System (QMS), large or small, ISA strives to provide the same level of professionalism, service and support.

    ISA knows the most important relationship in our business is the relationship our clients have with our auditors. ISA has built its reputation as “Registrar of Choice” by employing the most qualified and competent auditors in the field. Our certified Lead Auditors, AIEA (Aerospace Industry Experience Auditors), and AEA (Aerospace Experience Auditors) are seasoned professionals averaging more than 20 years of experience.


      SEUs – Significant Energy Users as defined by ISO 50001 – are the systems/equipment that consume a sizable share of the total energy consumed and also offer a good number of energy-saving opportunities and scope for energy performance improvement. Many organizations find it difficult to identify their significant energy users: What criteria can be applied to identify SEUs? Can the criteria applied in similar industries simply be copied? These doubts can be resolved by applying the experience and knowledge gained within the organization on the following:

      • Energy consumption profile (6-12 months)
      • Nature of the energy-intensive processes/systems/equipment (running hours and capacity utilization)
      • Level of technology (age of equipment, technology upgrades)
      • Maturity of other management standards such as ISO 9001 and ISO 14001
      • Failure rates of equipment (mostly prime movers – motors)
      • Type of energy use (primary or secondary, renewable or conventional)
      • Skill level of shop floor personnel/operators (qualified, or trained without formal qualification)

      ISO 50001 facilitates the correct identification of the systems/equipment that need continuous monitoring of their relevant variables and static factors to maintain and improve energy performance. The complete process can be fitted into the PLAN-DO-CHECK-ACT cycle as shown in Fig. 1. The following steps can help an organization establish a robust methodology for identifying SEUs.

      Step-1 

      Conduct a detailed energy audit/energy use study. The scope should be limited to establishing energy use patterns across the organization; it is not necessary to identify saving opportunities at this stage.

      Step-2 

      Analyse the outcome of Step-1 and discuss it with all stakeholders. Gather information on the practicality of implementing effective data collection relevant to energy performance improvement. Share the findings of Step-1, discuss the energy use pattern with operators and motivate them to contribute innovative ideas (remember, the operators on the shop floor are the best energy auditors!). Generate a report covering the following:

      • Comments/opinions received from operators, managers and heads of departments and utility manager 
      • List of all equipment/processes in order of highest to lowest energy consumption, together with their EnPIs (energy performance indicators, e.g. energy consumed per unit of output)

      Step-3 

      Brainstorm with the energy manager and department heads and list the tasks by priority: which department/equipment needs top priority for energy performance improvement.

      Fig.1 Process of establishing Criteria for SEUs : P-D-C-A approach 

      Step-4 

      Fix the criteria for SEUs. For example: equipment that consumes xxxx % of total energy will be categorised as an SEU. The criteria should be acceptable to and implementable by all interested parties. Re-confirm the commitment of top management. Review and revise the energy policy, objectives and targets.

      Step-5  

      Communicate to all interested parties, with all necessary plans of action and support, how the relevant variables and static factors of each SEU will be measured and monitored. Establish the procedures, methodology and frequency of energy performance assessment. The scope of energy saving potential and the economic benefits shall be established and the actions implemented.

      Step-6 

      Monitor and review at defined intervals for effective implementation to reap the benefits. Repeat Steps 1-5 at a regular interval (perhaps once a year initially; the frequency may be reduced later).
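
The SEU criterion of Step-4 (an item is an SEU if it consumes at least a fixed share of total energy) is usually combined with the Step-2 ranking: the consumers that together make up the bulk of the total are treated as significant even when no single one crosses the share threshold. The following script is an added example, not part of the article or the author's material; the consumption figures, the 10 % share threshold and the 80 % cumulative cut are constructed assumptions, since ISO 50001 leaves the criteria to the organization.

```python
"""Screening equipment for Significant Energy Users (SEUs).

Added example, not from the article. Input is a constructed 12-month
consumption profile (kWh per equipment item). An item is flagged as an SEU
if its share of total consumption meets `share_threshold`, or if it sits
inside the top `cumulative_threshold` of consumption when items are ranked
from highest to lowest (a Pareto cut). Both thresholds are assumptions;
ISO 50001 leaves the SEU criteria to the organization.
"""
from dataclasses import dataclass

# Constructed sample data: 12-month consumption in kWh per equipment item.
SAMPLE_CONSUMPTION = {
    "compressed_air_plant": 420_000,
    "chiller_1": 310_000,
    "boiler": 275_000,
    "conveyor_motors": 90_000,
    "hvac_office": 60_000,
    "lighting": 45_000,
    "workshop_tools": 20_000,
}


@dataclass
class EnergyUserRow:
    name: str
    kwh: float
    share: float        # fraction of total consumption
    cumulative: float   # cumulative share, ranked highest to lowest
    is_seu: bool
    reason: str         # which criterion fired, empty if none


def rank_energy_users(consumption, share_threshold=0.10, cumulative_threshold=0.80):
    """Rank items by consumption and apply both SEU criteria."""
    total = sum(consumption.values())
    if total <= 0:
        raise ValueError("total consumption must be positive")
    rows = []
    running = 0.0
    for name, kwh in sorted(consumption.items(), key=lambda kv: kv[1], reverse=True):
        share = kwh / total
        # Pareto rule: the item is inside the cut if the cumulative share
        # *before* adding it is still below the threshold.
        in_pareto_cut = running < cumulative_threshold
        running += share
        if share >= share_threshold:
            reason = f"share {share:.1%} >= {share_threshold:.0%} of total"
        elif in_pareto_cut:
            reason = f"within top {cumulative_threshold:.0%} of consumption"
        else:
            reason = ""
        rows.append(EnergyUserRow(name, kwh, share, running, bool(reason), reason))
    return rows


def significant_energy_users(consumption, **thresholds):
    """Names of the SEUs, highest consumer first."""
    return [r.name for r in rank_energy_users(consumption, **thresholds) if r.is_seu]


if __name__ == "__main__":
    for r in rank_energy_users(SAMPLE_CONSUMPTION):
        flag = "SEU" if r.is_seu else "   "
        print(f"{flag} {r.name:22s} {r.kwh:>10,.0f} kWh {r.share:6.1%} "
              f"cum {r.cumulative:6.1%} {r.reason}")
```

With the constructed data the compressed air plant, chiller and boiler are flagged (each is above the 10 % share and together they exceed the 80 % cut); lowering the share threshold to 5 % adds the conveyor motors. The `reason` column is what goes into the Step-2 report so the criterion behind each classification is traceable when the list is reviewed in Step-6.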

      ISO 50001 thus helps the organization improve energy performance continually, in a systematic way, and makes the process sustainable.


      About the Author 

      Dr. Marudhappan Sambandam (IRCA, QCI-NBQP, CEA), based in India, has more than 30 years of experience in the Energy Conservation and Management domain and expertise in Energy Management System (ISO 50001:2018) LA/IA training and implementation. His domain expertise is backed by 500+ energy audit projects across various industries and commercial buildings.

      He is a Certified Energy Auditor of the Bureau of Energy Efficiency, Govt. of India, and offers consultancy in energy audits. He is also registered with IRCA-UK and QCI-NBQP as a Lead Auditor and Trainer for EnMS, ISO 50001, and provides training and auditing to ISO 50001. He has trained more than 5000 participants in the areas of Energy Audit and Energy Management System audits from India and the UAE. He can be reached @ +91 8523969321 / drmts1965@gmail.com

      A New Era For HR – Above And Beyond ISO 30414


      Written by: Brenna Johnson

      ISO 30414, the Human Capital Internal and External Reporting standard, was published in 2019 and opens a new era for HR managers: it helps both their organization and its stakeholders identify relevant information for more effective business management and disclose it to interested parties. In this article, we will detail the standard, its companion ISO documents and the areas it covers.

      ISO Standard and Companion Documentation for HR

      ISO 30414, Human Resource Management – Guidelines for internal and external human capital reporting: The guidelines for internal and external human capital reporting. Companies are expected to report on 23 core metrics with the goal to increase transparency around an organization’s human capital contributions.

      Below we have highlighted some relevant companion documentation available to help organizations understand terminology and help with requirements:

      • ISO 30400, Human Resource Management – Terminology: breaks down the fundamental terms used in the HRM (Human Resource Management) Standards.
      • ISO 30409, Human Resource Management – Workforce Planning: helps organizations plan and adjust their staffing protocols.
      • ISO 30408, Human Resource Management – Guidelines on human governance: provides the necessary guidelines for establishing a human governance system.
      • ISO/TS 24179, Human resource management – Occupational health and safety metrics: The first in a large series of technical specifications and guidance documents to provide comparable measures for internal and external reporting in human resource management. Specifically relates to occupational health and safety data and highlights issues that should be considered with interpreting it such as lost time from work-related injuries, accidents, etc., and the rate of people who have undertaken training on OH&S and shows comparisons over time for target tracking.

      Areas Covered In ISO 30414

      The standard provides guidelines on the following core Human Capital Reporting areas:

      • Costs
      • Leadership
      • Organizational culture
      • Workforce evaluation
      • Productivity
      • Recruitment
      • Turnover
      • Diversity
      • Workforce availability
      • Skills and capability

      Note: ISO 30414 is a guidance standard; meaning organizations cannot become certified to it. If you are looking for certification to a related standard, ISO 45001:2018 Occupational Health & Safety might be of consideration.

      Why HR Should Go Above And Beyond ISO 30414

      Every Industry Is Different

      As with most ISO standards, ISO 30414 is generic in nature and not specifically tailored to the health, agriculture, or banking industries. This means that it is applicable to any industry and is designed to let organizations tailor each requirement to how they best run their business. For best results, an HR manager should have autonomy within their scope of work to achieve the requirements of the standard in a manner that serves the needs of their industry and their people. Without applying insight into your company’s best practices and how the work actually functions, strict compliance with these guidelines can lead to unexpected losses or resistance from the organization. There is no “one size fits all” model in business, and the same applies to the application of an ISO standard.

      Consider utilizing a consultant to help you tailor your processes to meet the requirements in a way that fits how you best run your business.

      Maximizing Productivity and Profits

      If the goal of your business is to maximize profits and productivity; ISO Standards are designed to help you achieve this.

      ISO Standards help organizations do this by reducing inefficiencies in processes and procedures. When everyone knows what they are doing, it saves time and energy and increases productivity. By doing so, companies often see an increase in profitability and employee satisfaction.

      Results May Not Meet Expectations

      While effective implementation of ISO standards often increases profits and productivity through efficient processes and procedures, results may vary. It’s up to HR leaders and top management to go the extra mile. Without support and effort from management to meet and maintain the requirements of the standard, maintaining an effective ISO 30414 reporting system will not be possible.

      The People Factor

      The HR department first and foremost deals with people – the company’s workforce, who have the most significant impact on the organization’s performance. If ISO guidelines are followed without amendments or improvements to how the workers function, it is the workers who suffer for it.

      Reports Aren’t Everything

      If reports and reporting are taken too seriously, and other vital areas like working conditions are overlooked, workers will be badly affected, and productivity may decline. HR leaders should be strategic, considering that they’re dealing with people who have feelings before implementing standards. If the standards produce unfavourable results, they should be quick to switch to a more suitable business model.

      ISO 30414 gives a clear set of guidelines for evaluating and reporting human capital, which is convenient for monitoring productivity. However, reporting doesn’t by itself make workers more productive; rather, it’s a strategy used to organize and mobilize them.

      In addition to a sound reporting system, there should be a sound people strategy/relationship. HR managers go beyond the reporting requirements to build the right system for people analytics, partnerships, and a culture that helps the company achieve its goal. Workforce data should be carefully analyzed to make for better working relationships, not just for employee retention, but for employee satisfaction. In short, advanced data analysis is far more powerful than reporting for business transformation.

      Summary

      ISO 30414 serves as a guideline for effective human capital reporting and paired with the companion documentation, it’s an extremely helpful resource for HR managers. For an organization to stay top of its class, continuous improvements are vital. Implementation of these guideline standards could mean the difference between hiring the best in the industry or increasing market share due to increased consumer satisfaction from your productivity. And because ISO 30414 is generic in nature, any organization can benefit from it. Everyone wants to increase productivity and profits, what will distinguish a particular company from others is whether or not they can go beyond these standards to create advanced policies of their own. Help set yourself apart from the rest, and go above and beyond the call of duty for HR.


      About the Author:

      Brenna Johnson is an HR professional based in New York, with a passion for technology and modernizing our industry. Brenna helps shape selectsoftwarereviews.com as senior editor, providing expert advice on the best HR and recruiting software.

      ISO Terms Explained

      To the novice quality manager, ISO jargon can be extremely overwhelming. What is an NCR? What do you mean by OFI? Are we certified or accredited? But before you go and pull out your hair, let’s take a moment to go over some of the most frequently used terms and their definitions with regards to ISO and Management System Certification.

      Are you Accredited, Certified or Registered to an ISO Standard?

      First things first: you are not certified to an ISO standard, your company’s management system is. Individuals cannot be certified to an ISO standard. However, individuals can receive training to become auditors who audit companies against an ISO standard. For example, you may seek training and personnel certification to become an ISO 27001 Lead Auditor, but you yourself cannot be certified to ISO 27001.

      The terms “accreditation”, “registration” and “certification” are sometimes used interchangeably, but technically they don’t share the same meaning.

      CERTIFICATION:

      An organization is considered certified to an ISO Standard if they have developed and maintained a compliant management system that has been audited by a third-party auditor from an accredited Certification Body (CB). To maintain certification, the organization will undergo annual audits from the CB to verify continuing compliance to the specific standard. A certification document or a certificate will be issued as an attestation of conformity of an organization’s management system to a specific management system standard or other normative requirements. Certification can be revoked if regular audits are not conducted, or if your management system persistently or seriously fails to meet certification requirements.

      ACCREDITATION:

      Accreditation is how an authoritative body provides formal recognition that an organization is competent to carry out specific tasks. Accreditation Bodies (AB) accredit Certification Bodies (CB) that demonstrate competence to audit and certify organizations conforming with management system standards. The accreditation process ensures impartiality and competence and fosters confidence and acceptance of the CB’s certifications by public and private sector end users. Accreditation provides assurance to customers that CB’s operate according to internationally accepted criteria.

      REGISTRATION:

      Registration is another term for Certification. The terms Registration and Registrar are not used much anymore in this industry and Certification is now the preferred term.

      Audits, Auditing & Auditors

      Auditing:

      Auditing is the systematic process of collecting and evaluating information about an organization’s management system to determine their level of compliance with the standard they are being audited against.

      Types of Auditors

      Consultants:

      Management system consultants provide organizations with specific advice, instructions or solutions towards the development, implementation, and maintenance of a management system. They may also prepare or produce manuals or procedures for the management system.

      Internal Auditors:

      An internal auditor is a company employee who independently and objectively evaluates the operations of an organization’s management system. Internal auditors perform internal assessments of the organization and prepare reports for management.

      Note: Internal audits are required by ISO management system standards but cannot be used to grant certification to an organization.

      Third-Party or External Auditors:

      Individuals who conduct the audit on behalf of the certification body. Unlike a consultant or internal auditor, third-party auditors are impartial. Their job is to collect and evaluate objective evidence to determine if the management system conforms to the ISO standard. Based on these findings, the audit team makes a recommendation and the CB takes the certification decision.

      Certification Body:

      A Certification Body (CB) is an accredited third-party organization that audits and issues certificates to companies seeking certification to various ISO standards. CBs obtain accreditation to be able to certify to specific ISO standards. CBs are audited by Accreditation Bodies (ABs) to ensure the impartiality and conformity of their work and processes.

      Accreditation Body:

      An Accreditation Body (AB) is an organization that provides accreditation services. ABs provide formal, third-party recognition that a Certification Body is competent to issue certification to specific ISO standards.

      The ISO Lingo – Commonly Used Term & Definitions:

      The following Terms & Definitions are from ISO/IEC 17021-1

      Certified Client

      organization whose management system has been certified

      Impartiality

      presence of objectivity; freedom from conflict of interest or bias

      Note 1 to entry: Objectivity means that conflicts of interest do not exist, or are resolved so as not to adversely influence subsequent activities of the certification body.

      Client

      organization whose management system is being audited for certification purposes

      Auditor

      person who conducts an audit

      Competence

      ability to apply knowledge and skills to achieve intended results

      Guide

      person appointed by the client to assist the audit team

      Observer

      person who accompanies the audit team but does not audit

      Technical Area

      area characterized by commonalities of processes relevant to a specific type of management system and its intended results.

      Note: The term “technical area” is applied differently depending on the management system standard being considered. For any management system, the term is related to products, processes and services in the context of the scope of the management system standard. The technical area can be defined by a specific certification scheme or can be determined by the certification body. It is used to cover a number of other terms such as “scopes”, “categories”, “sectors”, etc., which are traditionally used in different management system disciplines.

      Nonconformity (NCR)

      non-fulfilment of a requirement

      Major Nonconformity (Major NCR)

      a nonconformity that affects the capability of the management system to achieve the intended results.

      Note: Nonconformities could be classified as major in the following circumstances:

      • if there is a significant doubt that effective process control is in place, or that products or services will meet specified requirements;
      • a number of minor nonconformities associated with the same requirement or issue could demonstrate a systemic failure and thus constitute a major nonconformity.

      Minor Nonconformity (Minor NCR)

      a nonconformity that does not affect the capability of the management system to achieve the intended results.

      Technical Expert

      person who provides specific knowledge or expertise to the audit team. Specific knowledge or expertise is that which relates to the organization, the process or activity to be audited.

      Certification Scheme

      conformity assessment system related to management systems to which the same specified requirements, specific rules and procedures apply

      Audit Time

      time needed to plan and accomplish a complete and effective audit of the client organization’s management system

      Duration of management system certification audits (Audit Duration)

      part of audit time spent conducting audit activities from the opening meeting to the closing meeting, inclusive.

      Audit activities normally include:

      • conducting the opening meeting;
      • performing document review while conducting the audit;
      • communicating during the audit;
      • assigning roles and responsibilities of guides and observers;
      • collecting and verifying information;
      • generating audit findings;
      • preparing audit conclusions;
      • conducting the closing meeting.

      Opportunity for Improvement (OFI)

      Situations where the evidence presented indicates a requirement has been effectively implemented, but based on auditor experience and knowledge, additional effectiveness or robustness might be possible with a modified approach.
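
The grading rules above (major versus minor nonconformity, the escalation of repeated minors against one requirement, and the OFI) are simple enough to encode, which is useful when an internal audit produces dozens of findings and the report must show why each was graded as it was. The script below is an added example, not from the article or from ISO/IEC 17021-1 itself; the data model, the escalation count of three minors, and the sample findings are constructed assumptions.

```python
"""Grading audit findings as major, minor or OFI.

Added example, not from the article, implementing the ISO/IEC 17021-1
logic quoted above: a nonconformity is major if it affects the management
system's capability to achieve its intended results and minor otherwise;
a requirement that is met but could be more robust is an OFI. Several minors
against the same requirement are escalated to one major as a possible
systemic failure. The data model, the escalation count (assumed: 3) and the
sample findings are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Finding:
    requirement: str          # clause or control reference, e.g. "A.5.15"
    evidence: str             # objective evidence recorded by the auditor
    requirement_met: bool     # True -> at most an OFI
    affects_capability: bool  # only consulted when requirement_met is False


@dataclass
class Classified:
    requirement: str
    grade: str                # "major" | "minor" | "OFI"
    evidence: list = field(default_factory=list)
    note: str = ""


def grade_single(f: Finding) -> str:
    """Grade one finding on its own, before any escalation."""
    if f.requirement_met:
        return "OFI"
    return "major" if f.affects_capability else "minor"


def classify_findings(findings, systemic_minor_count=3):
    """Group findings by requirement and apply the escalation rule."""
    by_requirement = defaultdict(list)
    for f in findings:
        by_requirement[f.requirement].append(f)

    out = []
    for req, group in by_requirement.items():
        minors = [f for f in group if grade_single(f) == "minor"]
        for f in group:
            g = grade_single(f)
            if g != "minor":
                out.append(Classified(req, g, [f.evidence]))
        if len(minors) >= systemic_minor_count:
            # Repeated minors against one requirement suggest a systemic
            # failure, so they are reported together as a single major.
            out.append(Classified(
                req, "major", [f.evidence for f in minors],
                note=f"escalated: {len(minors)} minor nonconformities against {req}"))
        else:
            out.extend(Classified(req, "minor", [f.evidence]) for f in minors)
    return out


def summary(findings, **kw):
    """Count of reported items per grade after classification."""
    counts = {"major": 0, "minor": 0, "OFI": 0}
    for c in classify_findings(findings, **kw):
        counts[c.grade] += 1
    return counts


# Constructed sample findings from a fictional ISMS internal audit.
SAMPLE_FINDINGS = [
    Finding("A.5.15", "contractor account still active 40 days after contract end", False, False),
    Finding("A.5.15", "shared administrator password on backup server", False, False),
    Finding("A.5.15", "Q2 quarterly access review not performed", False, False),
    Finding("A.8.8", "no process for handling technical vulnerabilities; "
                     "critical patch outstanding for nine months", False, True),
    Finding("A.5.23", "cloud service exit clause missing from one supplier contract", False, False),
    Finding("9.2", "internal audit programme exists and is followed; "
                   "could weight audit frequency by risk", True, False),
]

if __name__ == "__main__":
    for c in classify_findings(SAMPLE_FINDINGS):
        print(f"{c.grade:5s} {c.requirement:7s} {len(c.evidence)} item(s) {c.note}")
```

With the sample data the three access-control minors collapse into one escalated major, the vulnerability-management finding stands as a major on its own, the supplier-contract finding stays minor and the audit-programme observation is reported as an OFI. Raising `systemic_minor_count` to four leaves the three access-control findings as separate minors, which shows how much the reported picture depends on a threshold the certification scheme or the CB has to fix in advance.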


      Written by: Narendra Sahoo

      Introduction

      ISO 27001 is a comprehensive international standard on information security management. Organizations trying to achieve ISO 27001 Certification for the very first time may find this to be a challenging task. Organizations that have developed a management system for information security will need to implement Internal Audits on a regular basis to ensure conformity to the standard. In this article, we will detail a 5-step method for the success of your internal audits.

      Stage 1

      Scope & Risk Assessment

      Before you can begin, you must determine the scope of your audit: its focus, which areas are of higher priority and need to be audited more frequently, and which areas are of lower priority or risk and can be audited less frequently. All areas affected by the standard must eventually be included in an audit, but not all areas need to be audited at the same frequency. Deciding this is a risk assessment: you are required to take a risk-based approach to identify the areas of higher risk for the audit. For this, your team/consultant will need to understand your business operations, controls, and systems, and define the scope accordingly.

      An experienced auditor/consultant will understand which areas of your business are high risk or high priority; if you are unsure, consulting an expert is never a bad idea.

      It is important that your organization’s audit scope is in alignment with the ISMS policy. This is the first thing that an auditor will check, and it sets the stage for the remainder of the audit.

      Once you have identified areas in your processes that fall in scope for your internal audit, you will need to prioritize your resources and prepare for the audit.


      Stage 2

      Documentation Review

      After you have completed determining the scope of your audits and conducted necessary risk assessment you should begin reviewing the documents of the organization concerning the administrative and business operations that are in place.

      Documents reviewed at this stage would concern the scope of your management system; policies, procedures, and processes; documents required by the standard; and other documents the organization deems necessary for effectively maintaining the management system. Documents reviewed here should also fall within the audit scope set in Stage 1. Documents should be reviewed using a sampling method, since depending on the size of your organization and the volume of its documentation, a full review of all documentation may not be possible.

      Here the auditor does a high-level review of the documents supporting the management system and its processes and establishes whether the documented system is in place. Reviewing the documents is an essential stage in planning and preparing for the upcoming audit process. The analysis of the documents allows specific frameworks to be set that may be required during the internal audit. Moreover, the documentation review helps verify whether the established documents are in alignment with the requirements of the standard.


      Stage 3

      Onsite Audit

      Once the audit scope is defined and the documents are thoroughly reviewed the next stage would include performing an onsite audit to gather evidence and identify gaps in the management systems and processes.

      This is an evidence-gathering process that includes interviewing employees, managers, and other stakeholders of your organization associated with the ISMS. The onsite audit determines if your organization has met minimum requirements of the standard and is ready for the ISO 27001 certification audit.

      An onsite audit includes observing the established practices in your organization, interviewing staff and verifying processes and their effectiveness. Records are reviewed, evidence is collected, and a full audit report is created detailing the gaps identified, areas of nonconformity, and possible improvements in the management system.

      Stage 4

      Evidence Analysis 

      After the onsite audit has concluded, the evidence collected is analysed and sorted to classify the risks identified during the audit process. The audit analysis identifies gaps against the requirements of the ISO 27001 standard. The auditors compile these results, reveal the gaps in enforcement, and may further identify areas of the ISMS that require additional testing.

      Stage 5

      Audit Reporting

      Audit Reporting is the final stage of the assessment process. Here the auditor presents the findings of their audit. The internal audit report should be a detailed document comprising the scope, objective, high-level analysis, and key findings. The report will also include recommendations and corrective actions needed. The audit report should be presented and discussed with management for a further plan of action.
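
Stages 1 and 2 both hinge on decisions that should be reproducible when the certification auditor later asks why an area was audited only once a year, or why these particular records were pulled. The script below is an added example, not from the article or from VISTA InfoSec: it scores each in-scope area by likelihood and impact, maps the score to an audit interval (so every area is still audited at least once in the cycle), and draws a deterministic document sample. The area list, scores, frequency bands, sample sizes and seed string are constructed assumptions.

```python
"""Risk-based internal audit programme for an ISMS.

Added example, not from the article. It models Stage 1 (score each in-scope
area by likelihood and impact and derive how often it is audited) and the
document sampling of Stage 2 (a deterministic, reproducible sample so the
auditor can show why those records were chosen). The area list, scores,
frequency bands, sample sizes and seed are assumptions for illustration.
"""
import hashlib
import math
from dataclasses import dataclass


@dataclass
class Area:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain) that a weakness here is exploited
    impact: int       # 1 (negligible) .. 5 (severe) consequence for the organization
    documents: list   # constructed record identifiers in scope for this area


def risk_score(area: Area) -> int:
    """Simple likelihood x impact score on a 1..25 scale (assumed scheme)."""
    if not (1 <= area.likelihood <= 5 and 1 <= area.impact <= 5):
        raise ValueError(f"{area.name}: likelihood and impact must be 1..5")
    return area.likelihood * area.impact


def audit_interval_months(score: int) -> int:
    """Map a risk score to an audit interval (assumed bands)."""
    if score >= 15:
        return 3    # quarterly
    if score >= 8:
        return 6    # half-yearly
    return 12       # annually: every in-scope area is audited at least once a year


def sample_documents(docs, fraction=0.3, minimum=2, seed="FY25-cycle-1"):
    """Deterministic sample of records: rank by SHA-256(seed:id), take the first n.

    Re-running with the same seed reproduces the selection, so the sample
    can be justified in the audit report; changing the seed picks afresh.
    """
    n = min(len(docs), max(minimum, math.ceil(len(docs) * fraction)))
    ranked = sorted(docs, key=lambda d: hashlib.sha256(f"{seed}:{d}".encode()).hexdigest())
    return ranked[:n]


def build_audit_programme(areas, horizon_months=12, **sample_kw):
    """Audit plan ordered by risk: how often each area is audited and which records to pull."""
    plan = []
    for area in sorted(areas, key=risk_score, reverse=True):
        interval = audit_interval_months(risk_score(area))
        plan.append({
            "area": area.name,
            "score": risk_score(area),
            "interval_months": interval,
            "audits_in_horizon": horizon_months // interval,
            "document_sample": sample_documents(area.documents, **sample_kw),
        })
    return plan


# Constructed example areas for a fictional ISMS scope.
SAMPLE_AREAS = [
    Area("Access control", 5, 5, [f"ACC-{i:03d}" for i in range(1, 11)]),
    Area("Supplier management", 3, 4, ["SUP-001", "SUP-002", "SUP-003"]),
    Area("Physical security", 2, 3, ["PHY-001", "PHY-002"]),
    Area("Information classification", 2, 2, ["CLS-001"]),
    Area("Incident management", 4, 4, [f"INC-{i:03d}" for i in range(1, 6)]),
]

if __name__ == "__main__":
    for p in build_audit_programme(SAMPLE_AREAS):
        print(f"{p['area']:28s} score {p['score']:2d} every {p['interval_months']:2d} months "
              f"({p['audits_in_horizon']}x/yr) sample {p['document_sample']}")
```

The hash-ranked sample is not a security control; it simply removes auditor discretion from record selection and makes the choice reproducible for the certification body. Areas that the risk scoring pushes down to an annual interval are still on the programme, which is the point made in Stage 1 that every area must eventually be audited.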

      Final Thoughts

      ISO audits are extensive and require an investment of time and resources to successfully achieve ISO 27001 certification. Organizations need to prepare before taking the final plunge. Systematically following the above audit process will not just ease the journey but also help ensure your organization meets the standard’s requirements and achieves ISO 27001 certification. Understand that, like anything in business, the participation of top management in internal audits is critical. Top management ensures company-wide buy-in for developing effective audit plans, defining roles and responsibilities, and ensuring the enforcement of policies, procedures, and processes.

      Author Bio

      Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.


      An accredited ISO certification is beneficial for any organization, regardless of its size or industry. As discussed in an article called ‘What Are the Benefits of Getting an ISO Certification?’, what makes the internationally recognized ISO certification so important is that it helps organizations develop processes and procedures that benefit everyday operations and ensure consistent outputs, while also increasing customer satisfaction. ISO 9001:2015 is an international standard that gives organizations a framework with which they can develop an effective quality management system. This improves employee performance, boosts company efficiency, reduces waste, and enhances the customer experience — increasing your credibility with all stakeholders.

      However, many business owners may not necessarily know how to get ISO certified, especially if they’re just starting. Moreover, they could also be struggling to get their fledgling business off the ground. According to the Bureau of Labor Statistics (BLS), approximately 20% of new businesses fail during the first two years of being open. In fact, only 25% of new businesses make it to 15 years or more — numbers that have been consistent since the 1990s. It’s time for business owners to place emphasis on meeting quality standards to ensure success, even as they begin operations.

      At ISOUpdate, we offer online resources and advice, for free. However, there is nothing quite like having tangible hardcopy resources on hand for reference. Below we have highlighted four books that we believe are great starting resources to help you better understand international standards and their benefits to your organization.

      Discover ISO 9001:2015 Through Practical Examples by Carlos Pereira da Cruz

      Discover ISO 9001:2015 Through Practical Examples is a primer for beginners in quality management systems (QMS), although it’s also helpful for those with moderate to expert knowledge of ISO 9001. Veteran quality practitioners will appreciate over 50 case studies, charts, diagrams, and tables that show readers a practical, relevant method of applying ISO 9001 principles to your own business. Instead of blindly following policies or procedures, author and quality management consultant Carlos Pereira da Cruz offers a straightforward way to adapt a QMS into your business and meet ISO 9001:2015 requirements.

      Standards, Strategy, and Policy: Cases and Stories by Peter Grindley

      Since 1995, author Peter Grindley’s Standards, Strategy, and Policy: Cases and Stories has left a lasting impact on the research literature on standards. Grindley takes “standards” to mean technical specifications for quality, compatibility, and connectivity, and the book discusses how compatibility standards can ensure business success. Grindley provides readers with examples to analyze problems in establishing a new market standard and winning standards contests. He also provides practical analyses of how to maintain standard profitability, as well as how to compete within established standards.

      The Hard Thing About Hard Things: Building a Business When There Are No Easy Answers by Ben Horowitz

      What happens after you start a business? Many books and blogs talk about how great the beginning is, but no one ever likes to talk about the nitty-gritty of daily business operations with candor. In his book The Hard Thing About Hard Things: Building a Business When There Are No Easy Answers, author Ben Horowitz shares some hard-earned, practical wisdom on managing the tough problems business school won’t cover. With the insights he’s gained from buying, developing, managing, selling, investing in, and supervising technology companies, Horowitz will teach you how to grow a business and let you in on the key to success: not quitting.

      Built to Last: Successful Habits of Visionary Companies by James Collins and Jerry Porras

      Pursuing Big Hairy Audacious Goals (BHAGs) is probably the most memorable part of Built to Last. Authors James Collins and Jerry Porras researched 18 successful companies over the course of six years to uncover how each one managed the transition from start-up to a large corporation. They found that the secret is to never settle for just being good enough and to chase down BHAGs. Rather than following existing standards, Built to Last recommends setting even higher standards as your goal. The book also highlights an important truth: profit is not the primary focus. Rather, products, services, and employees are the true heart of the business. With purpose and principles, you can’t go wrong.

      Additionally, along with purchasing the ISO 9001:2015 Standard, ISO has released companion documents to help you understand the terminology, references and meanings for each clause. Below is a list of companion resources we recommend taking a look at:

      • ISO 9001 – Debunking the myths
      • ISO 9001:2015 for Small Enterprises – What to do?
      • ISO 9001 Auditing Practices Group (ISO 9001 APG)

      About The Author

      Jorine Bibi is an environmental blogger. She hopes that her articles provide her readers with information on what the world can do to reduce its energy use. She also believes that if we don't address the issue of climate change soon it will be too late. In her free time, she likes to tend to her garden.


        B4Q Management Ltd. specializes in value-added services across the range of management system certifications, including ISO 9001 and ISO 27001. B4Q Management Ltd. is a certification body accredited by IAS (USA) under accreditation number MSCB-236; IAS is a signatory to the IAF Multilateral Recognition Arrangement (MLA). Unaccredited certification is also available for ISO 14001, ISO 22000, ISO 27701, ISO 45001 and ISO 20000-1.

        B4Q is an Authorized Training Provider of Exemplar Global Inc. (USA). Exemplar Global Inc., formerly RABQSA International, has long experience in personnel certification. B4Q provides training, examination and certification services in multiple fields, including, but not limited to, Information Security, Privacy and Data Protection, Business Continuity, Quality and Service Management, Risk Management and Sustainability.

        Effective ISO 27001 Risk Assessment

        Organizations of all types and sizes collect, store, process and transmit information that is valuable to them and to their clients. Safeguarding that information is vital to protect against both deliberate and accidental threats. Adopting ISO/IEC 27001 helps organizations keep this information secure.

        ISO/IEC 27001 is the international standard for information security management. It specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), including a risk assessment and risk treatment process and the regular review of security controls. The standard helps organizations ensure that the processes they have in place are aligned with regulatory, legal and contractual obligations and are working towards the end goal of security. Risk assessment is an integral part of ISO/IEC 27001 because it is how an organization identifies, analyses and evaluates the risks to its information and the weaknesses in its information security processes. In this article ISOUpdate and Narendra Sahoo cover the significance of risk assessment and the steps to an effective ISO/IEC 27001 risk assessment.

        Why is Risk Assessment Important for your Organization?

        An information security risk assessment is how an organization comes to understand the threats and risks to its critical data, and what or whom its infrastructure is, or could be, exposed to. It is an essential step when developing an information security management system, because it forms the foundation of the organization's security program. Risk assessment identifies threats and so helps the organization reduce the risk of incidents that could affect its operations. Conducting risk assessments regularly directs the organization's attention to the most critical and risk-prone parts of its infrastructure and shows where the weaknesses lie. Below are the steps to an effective ISO/IEC 27001 risk assessment.

        Risk Assessment Framework

        ISO/IEC 27001 (Clause 6.1.2) requires organizations to define and apply a risk assessment process that sets risk criteria, identifies the information security risks and their risk owners, analyses and evaluates those risks, and produces consistent, valid and comparable results. The approach an organization adopts should address its core security requirements, including regulatory and contractual requirements. Organizations must tailor their approach around the following parameters to establish a sound risk assessment framework.

        The risk parameters include:

        • Risk scale: the combination of the likelihood of an incident occurring (frequency of occurrence) and the level of impact (financial loss, reputational damage, operational disruption) the incident would have on the organization.
        • Risk appetite: the level of risk the organization is prepared to accept.
        • Scenario-based risk: the possible events that might affect the security of assets.
        • Asset-based (or process-based) risk: the critical assets (records of personal data, financial data, medical data) that may be exposed to various risks.

        As defined in Clause 6.1.1, when planning your information security management system, risks and opportunities relating to the management system should be addressed to ensure its intended outcomes can be achieved. Risks and opportunities should also be addressed to allow the system to prevent or reduce undesired effects and allow for continual improvement.

        As an organization, you must have a process in place that consistently sets out how you identify, assess and treat these risks and opportunities, how you integrate and implement the resulting actions into your information security management system and its processes, and which process owners will champion those tasks. As ISMS puts it: "Quite simply this means documenting the process for risk identification, assessment and treatment, then showing that is working in practice with management of each risk" (source).

        Identifying Risks

        Identifying risk is the most critical part of risk assessment. It typically involves determining the critical assets that require protection, the threats that could impact business operations, and the vulnerabilities in business processes, asset management or security controls that could allow a threat to cause an incident affecting the organization.

        Asset-Based vs Scenario-Based Approach to Risk Assessment

        A scenario-based (sometimes called risk-based or event-based) approach starts from the threats facing the organization: it systematically identifies plausible events, evaluates their consequences for business operations, and prioritizes them. It is a customizable method that lets the business tailor its cybersecurity program to its specific organizational needs and operational weaknesses, and it uses the resulting risk levels to balance what an asset contributes to operations against what it costs to protect over its life cycle.

        An asset-based approach starts from an inventory of information assets. For each asset it asks where the weaknesses are, how likely it is that those weaknesses will be exploited, and what impact each exploitation would cause.

        Whichever approach is used, the risk assessor needs to identify the potential risks that could compromise the confidentiality, integrity or availability of assets and analyse the impact on the organization. Your organization should determine which approach works best for it and what resources are needed to make it succeed. The risk assessment process should then be applied continually and consistently across the organization.

        Source: Conducting an asset-based risk assessment in ISO 27001 by Vigilant

        Analysing Risks

        Risk analysis involves understanding how an incident could occur and how it would affect your business. This means identifying the ways in which the vulnerabilities found through your asset-based or scenario-based process could be exploited, internally or externally. The analysis must also include an assessment of the likelihood of the incident occurring and the level of impact it would have on the business.

        Risks should also be analysed based on whether the organization has in place baseline security controls for effectively addressing the identified risks.

        Organizations shall identify controls in place to strengthen the security measures. This should further include evaluating the current controls to determine whether they work appropriately or should be replaced, modified, or supported by additional controls.

        Evaluating Risks

        The identified and analysed risks must now be evaluated and rated by severity. This means placing each risk on a scale such as low, medium and high, or on whatever internal scale makes sense for your organization. Risk grading is subjective by nature, so it should be standardized against a documented set of criteria to give consistent results across your management system.

        Evaluation also establishes whether each risk falls within the organization's acceptable level of risk. Based on the ratings, the organization must identify the highest-rated risks and prioritize its resources so that risks are addressed in order of severity, taking into account their impact on both internal operations and external parties.

        Risk Management & Treatment Options

        Once the identified, analysed and evaluated risks have been classified, the organization should make an informed decision on how to treat each one. Responses to an identified risk generally fall into four categories:

        • Modification: reducing the risk by implementing security controls.
        • Retention: accepting the risk because it falls within the acceptable level.
        • Avoidance: removing the risk by changing the circumstances that give rise to it.
        • Sharing: transferring part of the risk to an insurer or to a third party equipped to manage it.

        The organization needs to identify current controls that are in place and controls that should be established to mitigate and/or reduce risk. 
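        The identify, analyse, evaluate and treat steps above map naturally onto a small risk register. The following Python is an added example written for this article, not code from ISOUpdate, VISTA InfoSec or ISO. It assumes 1 to 5 likelihood and impact scales, a score of likelihood times impact, a risk appetite threshold of 8 and low/medium/high bands; all of these, and the sample risks, are illustrative assumptions that an organization would replace with its own documented criteria. It shows how consistent criteria give comparable results, how the four treatment options are recorded, and how residual risk is re-checked against the appetite so that a treated risk that is still too high is flagged for further work.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed 1-5 scales. An organization documents its own criteria (Clause 6.1.2)
# so that two assessors scoring the same risk get comparable results.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
RISK_APPETITE = 8            # assumed threshold: scores above this are not acceptable
TREATMENTS = ("modify", "retain", "avoid", "share")


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    owner: str               # every risk needs a named risk owner
    likelihood: int
    impact: int
    treatment: Optional[str] = None
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None

    def __post_init__(self):
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError("likelihood and impact must use the documented 1-5 scales")

    @property
    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        """Risk remaining after treatment; equals the inherent risk until treated."""
        if self.treatment == "avoid":
            return 0
        lik = self.residual_likelihood if self.residual_likelihood is not None else self.likelihood
        imp = self.residual_impact if self.residual_impact is not None else self.impact
        return lik * imp


def rate(score: int) -> str:
    """Map a numeric score onto the low/medium/high scale (assumed bands)."""
    if score >= 15:
        return "high"
    if score > RISK_APPETITE:
        return "medium"
    return "low"


def acceptable(score: int) -> bool:
    return score <= RISK_APPETITE


def treat(risk: Risk, option: str, controls=(), residual_likelihood=None, residual_impact=None) -> Risk:
    """Record a treatment decision and enforce the rule each option implies."""
    if option not in TREATMENTS:
        raise ValueError(f"unknown treatment {option!r}")
    if option == "retain" and not acceptable(risk.inherent_score):
        raise ValueError("retention is only valid for risks within the risk appetite")
    if option in ("modify", "share") and not controls:
        raise ValueError(f"{option} requires at least one control or sharing arrangement")
    risk.treatment = option
    risk.controls = list(controls)
    risk.residual_likelihood = residual_likelihood
    risk.residual_impact = residual_impact
    return risk


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest inherent score first, so resources go to the most severe risks."""
    return sorted(register, key=lambda r: r.inherent_score, reverse=True)


def needs_further_treatment(register: List[Risk]) -> List[Risk]:
    """Risks whose residual score is still above the appetite after treatment."""
    return [r for r in register if not acceptable(r.residual_score)]


# Constructed sample register (illustrative data, not from any real assessment).
REGISTER = [
    Risk("customer database", "ransomware", "unpatched file server", "IT manager", 4, 5),
    Risk("payroll records", "insider misuse", "shared admin account", "HR director", 3, 4),
    Risk("public website", "defacement", "outdated CMS plugin", "Marketing lead", 3, 2),
]
treat(REGISTER[0], "modify", ["patch management", "offline backups"], residual_likelihood=2, residual_impact=3)
treat(REGISTER[1], "modify", ["named admin accounts"], residual_likelihood=3, residual_impact=3)
treat(REGISTER[2], "retain")

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.asset:18} inherent={r.inherent_score:2} ({rate(r.inherent_score)})  "
              f"residual={r.residual_score:2} ({rate(r.residual_score)})  treatment={r.treatment}")
    print("still above appetite:", [r.asset for r in needs_further_treatment(REGISTER)])
```

        Running it lists the ransomware risk first (score 20, high), reduced to 6 after treatment, and flags the payroll risk because a single control only brings it down to 9, still above the assumed appetite of 8; an attempt to simply retain an unacceptable risk is rejected. That re-check of residual risk is the piece most often missing from spreadsheet registers.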

        Reviewing and Monitoring

        An organization must consistently review, update and improve the information security management system (ISMS) to ensure that the controls added or in place are effective, appropriately established, and working as intended. The Risk Assessment process must be repeated consistently to ensure your organization has accounted for all the changes and the constantly evolving threat landscape. This process of identifying, analysing, evaluating and monitoring should be seen as an opportunity to continually improve the ISMS and implement control that can address the evolving risks.

        Final Thought

        Risk assessment is an ongoing process and should be repeated consistently so that your organization keeps mitigating, eliminating and controlling the risks posed by internal and external threats to its information security. Re-evaluating the security controls and risks regularly helps businesses allocate resources accordingly and address potential threats in good time. Risk assessment also gives businesses the information they need to decide on strong security measures that produce good outcomes for the business.

        Author Bio

        Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.

        Myths of ISO 9001 Certification - ISOUpdate

        This article was originally published by ISO.org here and has been expanded and updated by Aurion ISO Consultants and ISOUpdate.

        ISO 9001:2015 certification is seen by many as an essential standard that every organization should adopt to enhance customer satisfaction and deliver quality-first products and services. Implementing a certified Quality Management System within the ISO 9001:2015 framework helps your organization build a robust control system that supports quality control and the achievement of quality objectives and business goals.

        However, some myths and misconceptions surround ISO 9001:2015, and they may be shaping your own view of the standard and of quality management systems, or the view of someone you know or work with. In this article we highlight some common myths about ISO 9001:2015 certification and explain why they just are not true.

        Here are some of the common myths of ISO 9001:2015 Certification and the reality:

        Myth 1 – ISO Is Complicated

        ISO certification guidelines and procedures can seem a bit complicated at first glance. They are written with terms we may not be familiar with, or phrased in a way that is not always easy for newcomers to understand. We get it: there is a reason companies offer whole courses dedicated to "understanding ISO 9001:2015".

        However, starting with the fundamentals of the quality management principles gives way to a more structured process that any organization can easily follow.

        If you can overcome the initial confusion, there are a few simple steps you can take to better wrap your head around the standard.

        Step 1: Consider Training

        Investigate what courses are available to you, whether through your certification body or on the recommendation of your consultant or auditor. Consultants and auditors often have ample information on ISO standards, together with tried and tested checklists and frameworks for implementing the standard in any type of organization. You can also view courses listed on ISOUpdate.com or other reputable online sources, or even YouTube.

        Step 2: Companion Documentation

        ISO 9001:2015 has several companion documents that are available to you to help understand the standard. For example:

        • ISO 9002:2016 – Quality management systems – Guidelines for the application of ISO 9001:2015
        • ISO 9004:2018 – Quality management – Quality of an organization – Guidance to achieve sustained success
        • ISO 10005:2018 – Quality management – Guidelines for quality plans

        If you want to learn more, visit the ISO Subcommittee for Quality Systems website here.

        Myth 2 – ISO Follows Very Old Documentation

        ISO 9001 was first published in 1987 and has been revised and updated every few years since. Updates are driven by user feedback, industry trends and changing worldwide demand, and are made to keep ISO 9001 relevant and practical for users. "ISO 9001:2015 incorporates elements such as a stronger focus on stakeholders and the wider context of an organization to fit the evolving needs of modern business" (source).

        The ISO 9001:2015 framework can be used by organizations of any size or type of business activity.

        It takes a holistic approach built on the Plan-Do-Check-Act (PDCA) cycle, which gives organizations a well-defined structure to follow. It helps them provide quality services and continually improve their processes.

        Note: the year after the colon is the year the revision was released. As of publishing this article, ISO 9001:2015 is the current revision of the standard. Companies certified to anything older are no longer considered certified.

        Myth 3 – ISO 9001:2015 is Only for Large Businesses

        ISO management system standards are designed to be generic and flexible so that organizations can adapt them to their needs. Any organization can use the framework, regardless of its size or type of business.

        Note: In a smaller organization, implementing ISO 9001 could be quite easy as there will be limited staff to train, and business processes could be easily optimized to the ISO quality benchmarks.

        ISO 9001 Standard is about defining, measuring, and improving processes. It provides the organization with quality guidelines and frameworks to ensure employees of all levels follow continuous improvements and best practices.

        In large and small organizations alike, the process of implementing the QMS is the same. The differences lie only in how each clause of the standard translates into the way you do business. Custom-fit your QMS to how you best run your business and ISO 9001:2015 will work for you.

        Myth 4 – ISO 9001:2015 Certification is Very Expensive

        ISO Certification cost is determined by various factors such as employee size, nature of the business activity, level of technology adoption, scope of the quality management system implementation, employee training requirements, ISO Consultant reputation, ISO Certification body selected, and more.

        The cost of ISO Certification implementation for an organization is often negotiable (to an extent) and does not have a fixed cost structure. It varies depending on the complexity of the ISO Certification implementation.

        Note: Trusted ISO Consultants like AURION will guide you in getting ISO Certified at the lowest cost and best-in-class ISO certification implementation service.

        The certification audit itself is the fixed part of the cost: accreditation rules set the minimum audit duration from the number of employees in your organization, so the number of audit days your certification body must spend is not negotiable.

        Read this article to learn more about the cost of ISO 9001:2015 Certification.

        Myth 5 – ISO 9001:2015 is Only for Manufacturers

        The ISO 9001:2015 Certification Standard is widely in use across many industries such as hospitals, banks, universities, software companies, and other service or manufacturing businesses.

        ISO certification helps organizations demonstrate their ability to deliver quality-first products and services. ISO 9001 is an internationally recognized standard for the quality of the products and services of any organization.

        Guidelines and best practices apply to all types of organizations for streamlining their business operations and focus on improving the quality of services and enhance customer satisfaction.

        Myth 6 – ISO 9001:2015 Requires a lot of Paperwork

        Technically, ISO 9001:2015 does not require any specific documented procedures. You do, however, have to maintain documented information to support the operation of your processes and retain documented information to show that processes are being carried out as planned.

        Also, if you have deemed it important or necessary for your operations, you must keep documented information necessary for the effectiveness of the QMS. If you say you need it documented, you should keep it documented.

        So while documentation is required, the amount that is mandatory is limited, especially in the 2015 revision. Historically, documentation has been seen as a massive undertaking, but ISO 9001:2015 is more flexible than previous revisions.

        The integration of ISO Certification Standard into an organization system is more of a practical exercise than a policy manual preparation and documentation.

        Documentation in ISO 9001:2015 is more flexible, and your company is encouraged to document in whatever form suits it and makes sense for how it operates.

        Myth 7- You Need a Perfect System to Get ISO Certified

        In short, no – but it must be functioning. While ISO 9001:2015 offers guidelines to transform an existing management system or develop one from scratch, certification requires a few more steps. For your company and its QMS to become certified, you will need to implement the quality management system practices effectively – meaning the ISO 9001:2015 framework needs to be followed, tailored to your organization, processes need to be documented where applicable, and systems need to be audited in regular intervals.

        Certification is granted in stages and then runs in three-year cycles, which include both your own internal audits and external audits by the certification body. To learn more about the stages of ISO certification, read this article.

        What is helpful for new quality management systems is that it is a forgiving system and auditors are not auditing to find faults in your system but rather find opportunities for improvement. If you receive help from organizations like Aurion or any other local consultant, your organization can be ready for certification in approximately 3 months.

        Your system does not need to be perfect – you want to have findings (non-conformances or opportunities for improvement), as it is a way to learn from your mistakes and grow – what the industry calls Value-Added Auditing.

        About the Author

        John Wick is an ISO Consultant working with Aurion ISO Consultants in Dubai. John likes to write on ISO Training, ISO Consulting, latest changes in ISO Standards, industry-wise benefits from getting ISO Certified. Reach out for expert consultation on any ISO related queries.

        About Aurion


        Aurion ISO Consultants, Dubai offers world-class ISO Services such as Training, Consulting, Certification, Implementation, and Audits in Dubai, UAE and Worldwide.

        Aurion ISO Consultants is an award-winning consulting firm in Dubai, UAE and one of the fastest-growing ISO service providers in the UAE and GCC region. We have assisted 1800 clients across several countries globally.


        Written by: Narendra Sahoo

        Introduction

        Data protection and Privacy are today the top-most priority for organizations dealing with sensitive and confidential data. There are many regulatory frameworks established around it to ensure organizations adopt industry best practices to secure their environment.

        The EU General Data Protection Regulation (GDPR) is one such framework, established to ensure data protection and privacy. Because of its stringent regulatory and security requirements, however, many organizations struggle to achieve compliance.

        For those organizations looking to achieve GDPR Compliance, implementation of ISO/IEC 27001’s framework will make your compliance journey a lot easier. 

        In today’s article, we have discussed how implementing ISO/IEC 27001 Standard will help in achieving GDPR Compliance.

        ISO 27001 Standard and GDPR Compliance

        ISO/IEC 27001 is a recognized international standard for information security management. Although it is not specific to personal data protection, many of its requirements overlap with those of the GDPR.

        Implementing ISO/IEC 27001 makes achieving GDPR compliance a lot easier. But ISO/IEC 27001 and the GDPR can by no means be used interchangeably: ISO/IEC 27001 simply provides a framework that ensures certain measures are implemented, and those measures also support the GDPR compliance regime.

        Let us take a closer look at the standard and the regulation to understand how much of GDPR compliance ISO/IEC 27001 covers:

        What is in common between ISO 27001 Standard and GDPR Compliance?

        ISO/IEC 27001 can be used as a basis for achieving compliance. Below are the parts of the standard's framework that overlap with GDPR compliance requirements.

        Risk Assessment

        Risk assessment, an integral part of ISO/IEC 27001, is also an essential part of GDPR compliance. Where ISO/IEC 27001 requires identifying risks and applying controls to reduce them to an acceptable level, the GDPR (Article 35) requires organizations to conduct a Data Protection Impact Assessment (DPIA) for processing that is likely to result in a high risk to individuals, and to implement measures that reduce that risk.

        Implementing ISO/IEC 27001 Standard as an integrated part of your Risk Management program will also help you meet the GDPR risk assessment requirement.  

        Breach Notification 

        Article 33 of the GDPR requires organizations to notify the supervisory authority within 72 hours of becoming aware of a personal data breach, and Article 34 requires affected individuals to be informed without undue delay when the breach is likely to result in a high risk to them. ISO/IEC 27001's information security incident management controls impose similar requirements: security events must be reported promptly and communicated in a way that allows timely and corrective action to be taken.

        Data Protection by Design

        Under Article 25 of the GDPR, organizations are required to implement technical and organizational measures that ensure data protection by design. They must also protect data privacy by default, so that only the personal data needed for a specific purpose is processed and used.

        Privacy by design, a mandatory GDPR requirement, is supported by ISO/IEC 27001, which likewise requires information security to be an integral part of information systems across their entire life cycle.

        Retention of records 

        Article 30 of the GDPR requires organizations to maintain records of processing activities, including the categories of data, the purpose of processing, and a general description of the technical and organizational security measures in place. The GDPR also requires that personal data not be stored for longer than needed.

        Similarly, ISO/IEC 27001 requires organizations to document their security processes and to retain the results of their information security risk assessments and risk treatment (Clause 8). It further requires information assets to be classified and inventoried, with procedures in place that define the acceptable use of data.

        Asset Management

        The asset management controls in Annex A of ISO/IEC 27001 treat personal information as an information security asset. This leads organizations to classify the type of personal data involved, where and for how long it is stored, where it came from, and who can access it, all of which are also GDPR requirements in the context of handling, controlling and/or processing personal information.

        Can ISO 27001 Certification alone be enough for achieving GDPR Compliance?

        ISO/IEC 27001 is a widely adopted industry best practice for information security and an excellent framework for GDPR compliance. Organizations that have implemented the standard will most likely find it easier to achieve GDPR compliance because of the many overlapping requirements and best practices.

        Implementing the standard will help ensure the protection of Personal data and help ensure the minimization of the risk. 

        With many standard requirements overlapping, implementing the internationally recognized ISO/IEC 27001 standard will ease the process of compliance. Although achieving compliance to GDPR Regulation will also require the implementation of other additional security and privacy measures as stated in the GDPR Regulatory framework.

        Conclusion

        Organizations that have implemented or in the process of implementing the ISO/IEC 27001 standard are definitely in a much better position to achieve compliance with the GDPR requirements. 

        The proper implementation of the ISO/IEC 27001 Standard will help organizations meet quite a few overlapping requirements. 

        If you are considering taking this step, as experts at VISTA InfoSec we recommend organizations to perform a gap analysis to assess their current position and accordingly implement relevant controls for risk containment associated with confidentiality, integrity, and availability of personal data.  

        Though ISO Standards may not guarantee GDPR Compliance, it comes in handy as it provides a practical framework for developing strategies, and building comprehensive policies to minimize security risks that lead to breaches. 

        Organizations in general should consider pursuing both ISO/IEC 27001 certification and GDPR compliance to build strong and effective measures for protecting sensitive data.

        Author Bio

        Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.

        Find VISTA InfoSec on Youtube