16th November, 2016 | by Andrew Barham
There is increasing focus and interest in information security. Just think of recent events here in Australia… the census crashing because of overseas hackers; the almost continual reporting of people’s private information being compromised; phone hacking by unscrupulous news reporters desperate for the latest big story; and of course, people posting information they shouldn’t on social media.
Whilst all these major stories are centred around the failure of some aspect of information technology, ISO 27001 (the International Standard for information security management systems) does include many requirements for non-IT security of information… and that is what we are going to talk about here.
What can you do to keep your information secure that does not involve the IT department? We’ve picked nine specific ISO 27001 information security controls, listed in Annex A, which have been derived directly from, and align with, ISO 27002. We also briefly explain what each means.
7th November, 2016 | by Andrew Barham
Recently I had a lovely email from a past student saying that she missed our blogs. We have been a little slack and I must admit that we haven’t published one for about three months! Sorry.
Well I rang her and asked if she had any topics in particular that she would like us to write about. A little later I received an email offering two topics which had come about from findings by her employer’s external certification auditor. These were:
- Being proactive in preventative action
- Emergency Preparedness & Response (going beyond a fire drill).
I’m going to address the first topic in this post and I’ll talk about the other in ‘Emergency testing – it’s more than just a fire drill’.
25th October, 2016 | by Andrew Barham
It’s almost a year since ISO 14001 was updated to the 2015 version, so most systems should now be well on the way to addressing the changed requirements.
Just to make sure that you haven’t missed any of the key points, we have put together six of the big-ticket items we believe auditors will be focusing on – all from the first half of 14001!
27th July, 2016 | by The Auditor
16th May, 2016 | by Tom Barham
Here at PwC’s Auditor Training & Certification, we train a lot of people who want to become auditors.
Because we like a bit of data analysis, we thought we’d crunch some numbers to see who it is that wants to become an auditor.
The results aren’t too surprising, but they do help to confirm a few things that most of us were probably thinking.
4th May, 2016 | by Andrew Barham
In Australia and New Zealand, we have had AS/NZS 4801 since 2001, and in the world of management system standards that is quite a long time. Whilst the British did come up with OHSAS 18001 in 1999 (last reviewed in 2007), and it has been treated as a more international standard than 4801, it is still not an ISO standard. But the wait is nearly over: ISO 45001 is on its way. Which raises the question: what is different in ISO 45001?
6th April, 2016 | by Andrew Barham
Verification and validation are two terms that we often see within management system standards, such as in the design and development section of ISO 9001; however, the two are often confused. Both are used as part of the process of checking: verification ensures that the subject meets its requirements or specifications, while validation checks that it is fit for purpose. In the simplest terms, verification could be expressed as ‘are we building it right?’, whereas validation is ‘did we build the right thing?’
14th March, 2016 | by Andrew Barham
Do you want to be an auditor?
If, after reading our previous article about why you would want to be an auditor, you have realised that you:
- like meeting people,
- seeing new things,
- being challenged, and
- doing something different each day,
then you have probably realised that you REALLY want to be an auditor, right?
That’s great – but not sure how to go about it? Here it is all laid out for you.
4th March, 2016 | by Andrew Barham
Whilst auditing in a very hot and very dusty gas field many years ago, I was interested in the business’s corrective action process and how effective it was. Going through their corrective action register, I picked out an entry about a mobile compressor that had leaked some fuel onto the ground. When asked what happened, they explained the compressor was a relatively new one they’d bought from overseas and the fuel tank had split, causing the leak. They cleaned up the spill, the leak was repaired, and the corrective action report was closed. I checked the corrective action report and sure enough, that was what was recorded.
12th February, 2016 | by Andrew Barham
When writing non-conformances, you are meant to identify and record the evidence that you saw to justify the non-conformity. While this is correct, it does have a tendency to drive the wrong behaviour, in that the evidence you record is all that gets fixed.