Analysis shall include assessment of the impact of the release on the
customer. I am looking for what information one needs to cover as
part of this report post release?
Answer:
This part of the Release and deployment management process (clause 9.3 in ISO 20000-1) is actually asking you to check the efficiency of the implementation. Namely, releases (particularly less successful ones) can be a source of new errors, i.e. incidents. By analyzing:
a) impact - this will tell you how big the "damage" is, and
b) the incidents themselves - this will give you insight into what went wrong, who is responsible, why, etc.
you can get valuable information about how to proceed further. Often such analysis results in improvement initiatives.
So, what you should do is analyze newly created incidents (i.e. incidents which occur as a result of the release) and document your findings. The result can be e.g. do-nothing (e.g. when the impact of the new incident is not significant and the customer agrees with it - less likely, but sometimes it could happen) or a new improvement initiative (e.g. when you are aware of what is wrong and now you have to remove the cause of the incident).
These two articles will give you a general view of Release and deployment management:
ITIL Release and Deployment Management Part I – General principles and service testing - https://advisera.com/20000academy/blog/2014/01/15/itil-release-deployment-management-part-general-principles-service-testing/
ITIL Release and Deployment Management Part 2 – deployment methods and early life support - https://advisera.com/20000academy/blog/2014/01/28/itil-release-deployment-management-part-2-deployment-methods-early-life-support/
Defect vs. error
I totally understand the ITIL V3 framework is not equal to the Application Development Lifecycle. I need to understand if “errors” are equal to “defects” from a nomenclature perspective.
Answer:
ITIL is intended for IT services. Usually, services rely on applications, so you can draw a parallel between the IT service lifecycle and the application lifecycle. The article "ITIL Application Management Function – Custodian of application knowledge" https://advisera.com/20000academy/blog/2014/03/18/itil-application-management-lifecycle-within-service-lifecycle/ can help you with this.
Defects vs. errors - well, defects are the quality management description of a nonconformity related to the specified use. ITIL doesn't use the word defect but error if there is a discrepancy between what a service should do and what it does. A corrective action follows a defect, and errors are followed by a change.
Closing meeting, checklist and findings
2.- Can you tell me five checklist items for an HR security audit?
3.- What are the 3 types of audit findings?
Answers:
Regarding the first question, I suppose that it is related to the internal audit; if so, basically you can give information about the processes, services, etc. reviewed, people interviewed, and findings detected, which are the results of the audit.
Regarding your second question, I am sorry but I am not sure what you mean; anyway, this article can help you to develop your own checklist for the internal audit of ISO 27001, “How to make an Internal Audit checklist for ISO 27001 / ISO 22301”: https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/ Keep in mind that basically this checklist will include all the requisites of the standard that you need to review during the audit.
Regarding the third question, the 3 types of findings are: nonconformities, observations and opportunities for improvement.
Answer:
Basically, an ISO standard is developed by the International Organization for Standardization, and a British Standard is developed by the British Standards Institution. The International Organization for Standardization is an international body that develops ISO standards and is composed of representatives from various national standards organizations; one of these national standards organizations is the British Standards Institution (it is one of the most important organizations, because the origin of some ISO standards was a British Standard: ISO 9001-BS 5750, ISO 14001-BS 7750, ISO 27001-BS 7799).
Sure, you can use your existing security policy; however, you have to make sure that the existing policy has all the mandatory elements that are prescribed by ISO 27001.
Answer:
The best practice, or the standard commonly used, is to use a unique user ID for each employee, because in this way employees are clearly linked with users, and it is easy to follow their actions (for example by reviewing logs). So, if you have a user that needs to have special privileges to configure an information system (or to access special resources), this user is the only person that should have the administrator password, because only this user should perform the changes.
Answer:
From my point of view it is not necessary; I mean, you do not need to have 2 different SOAs, but in your single SOA you can add specific information about each site when a control is implemented in a different way at the two sites (although I think that generally the implementation of controls will be equal or similar at both sites). So, you can add a column to your SOA document.
Answer:
From my point of view, the term “risk-based risk assessment” is not correct, because you cannot base the risk assessment on a risk in order to calculate it (it makes no sense). On the other hand, asset-based risk assessment means that you use the assets of your organization to determine and calculate risks.
Importantly, ISO 27001:2013 does not require an asset-based risk assessment, or any other specific method, so you can perform the risk assessment, for example, with a process-based one, although our recommendation is the asset-based methodology.