
  • Incident Management

    2. Quote 1 or 2 examples where in a user (Senior Management) has violated the ITIL process (E.g.: Incident/Change/Problem management-any scenario) and what are the consequences of it and how did you convince the user not to repeat it? Explain with an example as to what standards or procedures user had violated?
    3. Explain a situation/example where in you have breached an SLA for Critical incident and how did you convince the customer regarding the same:
    4. Difference between Post Incident Review and Post Implementation Review:
    5. What is the role of Incident manager in change management and problem management?
    6. What happens in CAB exactly and who all attends the CAB meeting in Change management.
    7. Quote few Ideas /improvements you provided to your process as an Incident Manager
    8. Please share an example of a time when you had to multi-task and make sound judgments in a fast-paced, high stress environment, while at the same time keep people informed?
    9. First, how would you handle communication to the senior level staff waiting for the problem to be solved? Second, if you found out the key person was just not answering the call to join the bridge, how would you handle the communication with the admin’s manager after the incident was resolved?
    10. Difference between Incident Co-Ordinator and Incident Manager

    Answers are as follows:
    1. If we assume that "critical" means an incident of high priority, then the usual challenges include: shorter resolution times, more focus from the customer side, the resolution must match what is really expected, etc.
    2. Take, for example, members of the Board of Management (BoM). They are, usually, breaking standard procedures and require separate attention. We can argue whether this is right or wrong, but it's a fact. But it happens often that their requests get lost because they didn't follow the procedure. And that's your chance. Explain to them that it would be more efficient if they did it "by-the-book" and that it's not your fault that you follow the established (e.g. Incident Management) process. Read the article to get familiar with how to talk to the management: https://advisera.com/20000academy/blog/2016/03/01/how-to-translate-itiliso-20000-language-into-business-language-understandable-by-your-management/
    3. Well, security issues are always easier to explain (meaning, when you have to do something, e.g. bring the whole system down, because of security risks). When you talk to the customer, use arguments which are to their benefit (e.g. avoided financial loss).
    4. A Post Incident Review will usually take place after a major incident. That's your chance to learn something and prevent such future incidents. A Post Implementation Review takes place after e.g. a change implementation, and you are validating whether the new functionality fulfills the requirements, whether you fulfilled financial and resource-related requirements, etc.
    5. First of all, incidents trigger problems and problems trigger changes. So, the people responsible for the processes carry the responsibility for timing, efficiency and costs. Take it vice versa: changes (as the answer to "how to eliminate the root cause?") can cause new incidents. If that happens repeatedly, then the Incident Manager has to escalate to the Change Manager regarding the efficiency of the Change Management process.
    6. Please see the article: https://advisera.com/20000academy/knowledgebase/change-advisory-board-itil-advise-approve/
    7. E.g. to allow users to see the log of the incidents (lower call volume to your Service Desk from people asking for the status); for incidents of priority 1 (telecom industry), in parallel to opening the incident the user has to make a call. See more about improvement initiatives: https://advisera.com/20000academy/knowledgebase/service-improvement-plan-sake-improvements/
    8. Well, I would suggest insisting on tool usage. In such a way the information flow reaches its destinations and there is a log of all relevant data. Additionally, use the defined hierarchy inside the (ITSM) organization and insist on it.
    9. For the first question, see the article: https://advisera.com/20000academy/blog/2016/03/01/how-to-translate-itiliso-20000-language-into-business-language-understandable-by-your-management/ And for the second one, try to use as many facts as possible. Particularly if there are tangible consequences (e.g. the service outage has financial loss for the company as a consequence).
  • The purpose of non-conformance record


    Answer:

    The information about nonconformities and corrective actions is a mandatory input for management review. The records about nonconformities can help top management to determine where the most frequent problems in the processes are and to define corrective actions or actions for improvement of the management system. Without records about nonconformities there can't be a systematic approach to their resolution and they will keep recurring.

    For more information, see:
    - How to make Management Review more useful in the QMS https://advisera.com/9001academy/blog/2014/01/21/make-management-review-useful-qms/
    - How to deal with nonconformities in an ISO 9001 certification audit https://advisera.com/9001academy/blog/2015/06/09/how-to-deal-with-nonconformities-in-an-iso-9001-certification-audit/
  • Auditing without documented audit procedure


    Answer:

    Unlike the previous version of the standard, where a procedure for internal audit was mandatory, the new version does not require the procedure to be documented, but it requires evidence that the internal audit is conducted, and that is the Internal Audit Program and Internal Audit Report.

    The fact that the documented procedure is not mandatory doesn't mean that it is forbidden to have one; if the company finds the documented procedure useful, it may keep it. Even in the previous version of the standard, there were only six mandatory documented procedures, and yet every company had more than six.

    For more information, see:
    - New approach to document and record control in ISO 9001:2015 https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
  • Document control


    Answer:

    I assume that the Document Controller is the role in your company responsible for the document control process. The Document Controller needs to have all the documents that will ensure that document and record control are effective in the organization. There is no explicit list of those documents, but if you take a look at the standard you will see what is included in the control of documents, or documented information as they are called in the new version of the standard.

    The standard requires the organization to define the process of creating, updating, distribution, retrieval and use of documents, as well as control of changes and retention and disposition. Having in mind all the requirements, the Document Controller should have the procedure for document control, a list of all documents and records with their codes and version numbers, and distribution lists for every documented procedure. This is the minimum to have effective document control; in some cases it can be useful to have the forms of all the documents used in the company, but it can be overwhelming, depending on the organization's size and complexity.

    For more information, see:
    - New approach to document and record control in ISO 9001:2015 https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
    - How to structure quality management system documentation https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
    - Some Tips to make Document Control more useful for your QMS https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
  • ISO 9001 risk assessment and FMEA


    Answer:

    The standard requires the organization to identify and address risks and opportunities related to the ability of the organization to meet its objectives. This basically means that you need to examine the context of your organization, determine what the risks and opportunities related to your business are, and plan actions to address them.

    There is no requirement to use some methodology or full-scale risk management; it is enough to organize a brainstorming session with all relevant roles in your company to discuss risks and opportunities both on the level of the process and on the level of the entire organization. The SWOT analysis can be a useful tool for conducting this assessment. Also, the record from this meeting and the SWOT analysis can be evidence that you apply risk-based thinking.

    FMEA is one way to address the requirement, but it can't address the entire requirement, simply because the FMEA is focused on risks only and can't be used for identifying opportunities. The second problem is that the FMEA is a good tool only for determining risks in production and in the design and development process, and it is not so useful for other processes. At this moment we don't have an FMEA tool available on our website, but we are in the process of developing the ISO 9001 Documentation Toolkit Premium, which will have an extensive risks and opportunities procedure that will include FMEA.
  • Various questions related to the implementation of ISO 22301

    Generally, with BCM you deal with critical activities and processes, and this is the correct approach with respect to the ISO 22301 standard, although you can also deal with assets (in the same way as in ISO 27001), which will give you more detailed information about where the vulnerabilities are. This article may interest you: “Can ISO 27001 risk assessment be used for ISO 22301?” : https://advisera.com/27001academy/blog/2013/03/11/can-iso-27001-risk-assessment-be-used-for-iso-22301/

    And also our knowledge base on risk management : https://advisera.com/27001academy/knowledgebase-category/risk-management/
  • Some types of assets


    Answer:
    Yes, you are right, one type of asset is information, but there are others: people, services, hardware, software, etc. So, for the identification of assets, it is important to establish a classification for all the different types of assets. This article can help you with this classification: “How to handle Asset register (Asset inventory) according to ISO 27001” : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    And keep in mind that classification can also mean the classification of the information, so you can also establish a classification for the information of your organization, because, for example, you can have confidential information, whose access is completely different from that of public information (other types of information can be restricted and internal use). For more information about this, please read this article: “Information classification according to ISO 27001” : https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

    And our online course can also be interesting for you, because we give more detailed information about the asset inventory: “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Opportunities in the methodology of risk assessment?


    Kindly tell me one easy way to do it to fulfill the requirement of the standard. Like, can I describe in the manual that opportunities are identified in the objectives and KPIs are set to achieve those objectives/opportunities?

    Answer:
    No, it is not necessary to put something related to opportunities in the methodology of risk assessment, because risks and opportunities are related to the objectives, and any action that you take that is related to the achievement of the security objectives, but is not related to risk management, can be considered to be addressing the opportunities. An example related to an opportunity can be: your organization buys a cheap firewall, which gives your organization the opportunity to reduce risks, but this firewall can also produce increased risks due to the low quality of the device.

    One easy way to fulfill this requirement of the standard related to opportunities is to document such actions in your Management review minutes, in corrective actions, or in any other records or documents that you use in your company (for example, actions agreed through email), but from my point of view the methodology of risk assessment is not the best way.

    And keep in mind that you should document your general information security objectives in the information security policy, and control specific information security objectives in the SOA (Statement of Applicability).

    For more information about the objectives, please read this article “ISO 27001 control objectives – Why are they important?” : https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

    And our online course can also be interesting for you, because we give detailed information about addressing risks and opportunities: “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Controls for a cloud provider


    Answer:
    I am sorry, but I am not sure if I have understood your question. Maturity is not a requirement of ISO 27001, and the basic logic is to perform the risk assessment and apply the appropriate controls.

    Anyway, if you have a standard SQL image in a cloud provider's infrastructure, and you can manage, for example, the information and the software, these assets need to be included in your risk assessment, and the security controls involved need to be implemented by your organization.

    For other assets that you cannot manage (for example, the IT infrastructure of the cloud provider), if there are risks related to them, you can perform a treatment by establishing during the risk assessment that you transfer the risks related to these assets to the external company, which means that in this case the external company is responsible for the implementation of the security controls, although you can review whether these controls are implemented.

    Anyway, keep in mind that ISO 27001 is not specifically developed for the cloud; for this you can use ISO 27017, so this article can be interesting for you: “ISO 27001 vs. ISO 27017 – Information security controls for cloud services” : https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/

    And this article related to the basic logic of ISO 27001 can also be interesting for you: "The basic logic of ISO 27001: How does information security work?" : https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    And also this article about handling supplier security "6-step process for handling supplier security according to ISO 27001" : https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
  • First things in ISO process


    Answer:
    I suppose that your question is related to the implementation process. If so, in the ISO process, for the implementation of an ISO standard, the first thing that you should look at is always related to obtaining management support. For this, it is very important to show the 4 main benefits of the implementation of an ISO standard: compliance, marketing edge, lowering the expenses, and putting your business in order. For more information about this, please read this article: “Four key benefits of ISO 27001 implementation” : https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    Another important thing is to see the implementation as a project, so this article can also be interesting for you: “ISO 27001 project – How to make it work” : https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/

    By the way, in our free download section you can download a "Diagram of ISO 27001:2013 implementation (PDF)", and you can also download a "Project checklist for ISO 27001 implementation (MS Word)” : https://advisera.com/27001academy/free-downloads/

    And this article gives you information about the ISO 27001 implementation checklist, establishing a priority order for all necessary steps “ISO 27001 implementation checklist” : https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    Finally, our online course can give you detailed information about the implementation process of ISO 27001:2013 in your organization “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/