
  • Benefits of risk management and ISO 27001


    Answer:
    I suppose your question is related only to risk management; if so, the main benefit is that you can identify information security risks and reduce them. And this is very important, because it can help the organization avoid significant economic losses. For example, you can identify a high risk related to the continuous operation of the company's main service, and to reduce this risk (and avoid interruption of the service), you will probably have to implement a Business Continuity Plan.

    As for the costs, they depend on each organization, because each organization has its own risks and its own controls to reduce them, so I think there are no statistical data on this.

    In any case, regarding the implementation of ISO 27001 (whose most important point is risk management, although it is not the only one, i.e. you also have to carry out management reviews, internal audits, etc.), there are 4 important benefits: compliance, competitive advantage, cost reduction and optimization of your organization's processes. For more information on this, you can read this article “Four key benefits of ISO 27001 implementation”: https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/#

    And this article may also be interesting for you, "How to write ISO 27001 risk assessment methodology": https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
  • Everything about ISO 27001


    Answer:
    27001Academy is the best site to learn everything about ISO 27001, so, the first step for you can be our articles, webinars, etc. For example, this article can be very useful for you “What is ISO 27001?” : https://advisera.com/27001academy/what-is-iso-27001/

    This free webinar can also be interesting for you, “ISO 27001: An overview of the ISMS implementation process”: https://advisera.com/27001academy/webinar/iso-27001-overview-isms-implementation-process-free-webinar-demand/

    Furthermore, our online course can give you detailed information about the implementation of ISO 27001:2013 in your organization (it is developed for any type of business, including banks); furthermore, you will receive a course certificate, so I think that can also be very interesting for you: “ISO 27001:2013 Foundations Course”: https://advisera.com/training/iso-27001-foundations-course/

    And for the implementation, you can also use our toolkit, which has all the necessary documents required by ISO 27001. You can download a free version of our toolkit by clicking on “DOWNLOAD FREE TOOLKIT DEMO” here, “ISO 27001 Documentation Toolkit”: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    Important: If you buy the toolkit, you can also have our support during the implementation.
  • Document owner and other questions on document management


    Answer: The document owner should be the person who knows the particular subject best - e.g. the document owner of the Backup Policy should be either the Head of the IT department, or the administrator who is in charge of the backup.

    2. All ISMS documents will be created in English and then translated into our local language. We have no internal translators and that's why this activity will be outsourced. What are the ISO requirements or recommendations about this?

    Answer: There are no requirements or recommendations in ISO 27001 regarding translations. You only have to make sure that the documents are translated properly and that confidentiality is maintained.

    3. What are the ISO requirements or recommendations about document update frequency?

    Answer: There are no requirements or recommendations in ISO 27001 regarding the update frequency. My recommendation would be to update most of the documents once a year, but some of them would need to be updated more often - e.g. recovery plans. By the way, each of our templates suggests the optimal frequency of updates.
  • Perform the internal audit


    Answer:
    From my point of view, in your case, the best recommendation is to hire an external professional (or a company). If you have participated in the implementation of ISO 27001, you cannot perform the internal audit, because it would be a conflict of interest under requirement 9.2 e) of ISO 27001:2013: “select auditors and conduct audits that ensure objectivity and the impartiality of the audit process”.

    Another easy option is to select an employee in your organization, but this employee cannot be involved in the implementation of ISO 27001, and this employee also needs to be trained in ISO 27001. The good news is that our online course can help you train your employees to perform the internal audit, and furthermore they will receive a certificate, so maybe it can be interesting for you: “ISO 27001:2013 Internal Auditor Course”: https://advisera.com/training/iso-27001-internal-auditor-course/
  • Where to start to implement ITIL


    Answer:
    Our free downloads area contains materials related to ITIL implementation. Check the Project plan, Implementation diagram, etc. on the following link: https://advisera.com/20000academy/free-downloads/
    Before you start implementation, do the following:
    - use our free ITIL Gap Analysis Tool https://advisera.com/20000academy/itil-iso-20000-tools/itil-gap-analysis-tool/
    - check some of our webinars (because they cover the set-up of some of the processes, e.g. Incident Management, Change Management) - https://advisera.com/20000academy/webinars/
    - read the articles
    "Who is your ideal project manager for ITIL/ISO 20000 implementation?" https://advisera.com/20000academy/blog/2016/02/02/who-is-your-ideal-project-manager-for-itiliso-20000-implementation/
    "How to implement ITIL" https://advisera.com/20000academy/knowledgebase/how-to-implement-itil/
    "Considerations before ITIL implementation" https://advisera.com/20000academy/blog/2014/05/21/considerations-itil-implementation/
    "Ready, steady… go – Starting ITIL implementation" https://advisera.com/20000academy/blog/2014/06/10/ready-steady-go-starting-itil-implementation/
  • NOC

    NOC. Especially first and second level. What are the tasks performed and
    what level of expertise is required?

    Also, what are the strategies for outsourcing non-core technical activities in
    an organisation, e.g. a telecommunication company?

    Answer:
    #1 NOC - The NOC belongs to the IT Operations Management function and takes care of daily activities to maintain the infrastructure and related services. However, the NOC gets involved in operational processes, like Incident Management, because incidents often have their root cause in the network, i.e. the infrastructure. When setting up a NOC, focus your effort on:
    - creating a proactive organization
    - interfacing with other processes (e.g. Event Management, Incident Management, Change Management, etc.)
    - collaborating/integrating activities with other specialist groups or functions like Application Management (studies reveal that NOC staff spend the majority of their time addressing issues related to applications, network (WAN particularly) and servers)
    - this gets you to the tools that you need - having the majority of work with applications means that the NOC is not waiting for a "green light to switch off" but taking an active role in performance monitoring and measurement. That should direct your activities related to the tools in place, staffing level and skills
    - number of levels - that depends on the organizational setup, but it's important to be clear about keeping bureaucracy to a minimum
    There are a lot of other elements which are organization specific, but read the article "Is the NOC (Network Operations Center) still viable according to ITIL?" https://advisera.com/20000academy/blog/2015/04/21/is-the-noc-network-operations-center-still-viable-according-to-itil/ to learn more.

    #2 When setting up outsourcing, keep in mind the following:
    - organizational involvement - from both sides, having the supplier tightly integrated in your processes as well as integrating into the supplier's processes
    - clear roles and responsibilities
    - an implemented service management framework - ITIL or ISO 20000 are an excellent foundation before you outsource to an external organization
    - efficiency - define and measure. This means setting clear measurement points and expected results. Compare what is achieved against the agreed targets. And do it continuously
    - keep in mind that you are still responsible for results (including outsourced activities) towards your customers.

    Read the articles
    "ISO 20000 Supplier Management – You lead the game" https://advisera.com/20000academy/blog/2015/03/17/iso-20000-supplier-management-you-lead-the-game/
    "ITIL Supplier Management and Service Level Management – How to put the two in balance" https://advisera.com/20000academy/blog/2015/11/10/itil-supplier-management-and-service-level-management-how-to-put-the-two-in-balance/
    and
    "ITIL Supplier management – the third party you depend on" https://advisera.com/20000academy/blog/2013/12/30/itil-supplier-management-third-party-depend/
    to learn more.
  • Reactive Problem Management


    Answer:
    Reactive Problem Management is triggered (usually) by the Incident Management process. Incident Management has the task of resolving the incident as soon as possible and providing the user with the service. Reactive Problem Management has the task of finding the root cause of one or more incidents. For example: a user calls the Service Desk because his PC is stuck and shows only a blue screen. Incident Management implements a workaround to resolve the incident, i.e. advises the user to restart the PC. But it's still not known what caused this incident. That's the job of Problem Management. They start investigation, diagnosis, analysis...
    Read this article to learn more: ITIL Reactive and Proactive Problem Management: Two sides of the same coin https://advisera.com/20000academy/knowledgebase/itil-reactive-proactive-problem-management-two-sides-coin/
  • A.16.1.7 Collection of evidence


    Answer:
    This control is related to the information that is gathered and managed to deal with information security incidents, which can be used, for example, as evidence in a forensic analysis. So, basically you need to keep all information related to information security incidents in a secure way, taking into account: chain of custody, safety of evidence, safety of personnel, roles and responsibilities of the personnel involved, competency of personnel, etc.

    These points can be established in an incident management procedure, which is a mandatory document in the implementation of ISO 27001:2013, so our template can be useful for you, “Incident Management Procedure” (you can see a free version by clicking on the “Free demo” tab): https://advisera.com/27001academy/documentation/incident-management-procedure/

    This article can help you because it has a list of mandatory documents for ISO 27001:2013, “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    And this article about how to handle incidents can also be interesting for you, “How to handle incidents according to ISO 27001 A.16”: https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/

    Finally, our online course can also be interesting for you because we give more information about the management of information security incidents: “ISO 27001:2013 Foundations Course”: https://advisera.com/training/iso-27001-foundations-course/
  • Validation and verification


    Answer:

    There is no specific ISO 9001 document or requirement that says in what cases you should use validation or verification. However, the definitions of those two terms provide a guideline on what should be used and when.

    Verification is testing and measuring the product to determine whether it is compliant with product requirements.

    Validation is used when verification cannot be conducted; it is the process of providing evidence that the final product is compliant with the initial product requirements. In your case, maybe it is impossible to measure the entire surface covered with resin and verify that the resin coat has the same thickness on the entire surface, so you need to establish process controls to ensure that the resin will be applied under the same conditions on the entire surface. These controls will basically represent the validation of your process.

    For more information, see:
    - ISO 9001 Design Verification vs Design Validation https://advisera.com/9001academy/knowledgebase/iso9001-design-verification-vs-design-validation/
  • OHSAS 18001 implementation and auditing

    You can find a free preview of the internal audit schedule (internal audit program, according to the standard's terminology) here: https://advisera.com/18001academy/documentation/annual-program-of-internal-audits/