Answer:
Yes, you are right: AIA (Application Impact Analysis) is a term that ISO 22301 does not use, so you simply have to perform a BIA, which is used in ISO 22301 and is more generic than the AIA; in the BIA you can also identify the critical business applications (by process or by department).
Regarding the activities that have to be carried out for the BIA, you may also be interested in this article, "How to define activities when implementing business continuity according to ISO 22301": https://advisera.com/27001academy/blog/2013/11/11/how-to-define-activities-when-implementing-business-continuity-according-to-iso-22301/
Measurement methods must produce comparable and reproducible results
Answer:
It simply means that the method used for measurement / monitoring must be verifiable. You can choose a manual method, a mechanical one or a software tool, and in all these cases you always have to establish the same systematic procedure for the measurement / monitoring. For example: for the measurement / monitoring of backups, we will use the following formula:
Backups = Number of failed backups / Total number of backups
This formula will always give you comparable and reproducible results.
Our online course may also be of interest to you, because we also talk about monitoring, measurement, analysis and evaluation there: "ISO 27001:2013 Foundations Course": https://advisera.com/training/iso-27001-foundations-course/
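The answer above gives the ratio of failed backups to total backups as an example of a measurement method that is reproducible. What makes it reproducible in practice is fixing every rule of the measurement in one place: which log lines count as a backup run, which statuses count as failed, what to do with an unknown status, and which period is measured. The following Python script is an added example (not from the original Q&A or from Advisera) that implements the same ratio as one fixed procedure over a constructed backup job log; the log format, job names and status words are assumptions for illustration.

```python
"""Reproducible backup-failure metric (added example, not from the original page).

Implements the ratio from the answer above, failed backups / total backups, as a
single documented procedure so two people measuring the same period get the
same result. Log format and status words are assumed for this illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime
from fractions import Fraction
from typing import Iterable

# Constructed sample log (assumed format: ISO timestamp, job name, status).
# Not real data: seven runs in March 2024, one in April 2024.
SAMPLE_LOG = """\
2024-03-01T01:00:12 db-nightly SUCCESS
2024-03-01T01:30:44 files-nightly FAILED
2024-03-02T01:00:09 db-nightly SUCCESS
2024-03-02T01:30:51 files-nightly SUCCESS
2024-03-03T01:00:15 db-nightly WARNING
2024-03-03T01:30:40 files-nightly FAILED
2024-03-04T01:00:11 db-nightly SUCCESS
2024-04-01T01:00:10 db-nightly FAILED
"""

# The measurement rules live here and nowhere else. Changing them changes the
# metric, so they are part of the documented method, not a per-run choice.
FAILED_STATUSES = frozenset({"FAILED", "ABORTED"})
COMPLETED_STATUSES = frozenset({"SUCCESS", "WARNING"})  # WARNING still counts as completed


@dataclass(frozen=True)
class BackupRun:
    when: datetime
    job: str
    status: str


def parse_log(text: str) -> list[BackupRun]:
    """Parse lines of '<timestamp> <job> <status>'; blank lines are skipped."""
    runs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        ts, job, status = parts
        runs.append(BackupRun(datetime.fromisoformat(ts), job, status.upper()))
    return runs


def count_backups(runs: Iterable[BackupRun], start: date, end: date) -> tuple[int, int]:
    """Return (failed, total) for runs whose date satisfies start <= date < end.

    A status outside the two known sets is an error, not a silent guess: an
    unknown outcome counted differently by two people is exactly what makes
    a measurement non-reproducible.
    """
    failed = total = 0
    for run in runs:
        if not (start <= run.when.date() < end):
            continue
        if run.status in FAILED_STATUSES:
            failed += 1
        elif run.status not in COMPLETED_STATUSES:
            raise ValueError(f"unknown backup status {run.status!r} at {run.when}")
        total += 1
    return failed, total


def measure(text: str, start_iso: str, end_iso: str) -> tuple[int, int]:
    """Whole method in one call: parse the log, then count over the period."""
    return count_backups(parse_log(text), date.fromisoformat(start_iso), date.fromisoformat(end_iso))


def failure_ratio(failed: int, total: int) -> Fraction:
    """The formula from the answer as an exact fraction (no rounding noise).

    With zero runs the ratio is undefined, so refuse rather than report 0.
    """
    if total == 0:
        raise ValueError("no backup runs in the period; ratio is undefined")
    return Fraction(failed, total)


if __name__ == "__main__":
    failed, total = measure(SAMPLE_LOG, "2024-03-01", "2024-04-01")
    ratio = failure_ratio(failed, total)
    print(f"March 2024: {failed}/{total} backups failed = {ratio} ({float(ratio):.1%})")
```

Running the script on the constructed log reports 2 failed out of 7 runs for March 2024. Re-running it on the same log for the same period always yields the same fraction, and the only way to get a different number is to change the rules at the top of the file, which is the point the answer makes about establishing the same systematic procedure each time.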
Customer satisfaction, employee satisfaction and ROI
Answer:
Customer satisfaction can be measured in the following ways:
- customer satisfaction survey – ask them, i.e. send them a questionnaire and find out
- use a customer complaint/compliment form – this will be direct feedback. It is important to have a process behind the form, i.e. once a complaint/compliment is submitted, someone takes care of it
- use the mail that informs the user that the incident is resolved (and asks them to confirm the resolution) to ask them a few questions in order to get their feedback.
Read the article “ITIL Customer satisfaction – Design driven by outcomes” (advisera.com/…/) to learn more.
Employee satisfaction is usually measured via an internal satisfaction survey. The other option is to use the organizational structure and get employees' feedback (usually, and particularly in bigger organizations, there is an official meeting between an employee and their superior, e.g. once a year). Or listen to your people and you will hear what they think.
Answer:
Regarding TAT – more inputs are needed.
Reactive Problem Management is usually a reaction to an existing incident and finding its root cause. Proactive Problem Management involves activities where Problem Management analyses incidents and problems and looks for a common pattern. By eliminating the root cause, future incidents are avoided. Read the article "ITIL Reactive and Proactive Problem Management: Two sides of the same coin" (https://advisera.com/20000academy/knowledgebase/itil-reactive-proactive-problem-management-two-sides-coin/) to learn more.
GLPI tool
We didn't list all available tools but rather made a selection of them, as you can see in the article https://advisera.com/20000academy/knowledgebase/free-tools-for-itsm/
GLPI is quite a usable one and I can recommend it (functionality, usability, scope, add-ons, etc.).
Scope for a data center
Thank you so much dear ajsegovia :)
Data centre outsourced
There will be a change, however – our primary data centre will be hosted by a third party in the near future.
Currently it's in our data centre in our office, so we manage everything. Now we'll be renting rack space from that data centre.
I would like to know which ISO controls I should consider (cloud services, hosting services, etc.).
Answer:
If your data centre is outsourced, you can manage risks for those assets that you can manage: data and applications (web servers, application servers, virtual servers, etc., if they are managed by you), so in this case your risk management must be done for these assets.
For those assets that are not managed by you (facilities, physical access devices, data centre personnel, etc.), you can treat them as an asset of type "service" and identify all risks related to it.
There are no specific controls in Annex A of ISO 27001:2013 for cloud services and hosting services, but for this you can use ISO 27017, which is a standard specifically developed for information security controls for cloud services. For more information about this standard, please read this article, "ISO 27001 vs. ISO 27017 – Information security controls for cloud services": https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
If there are specific assets outside the scope of your ISMS, you do not have to include them in risk management; this means that you do not have to treat them (transfer, accept, avoid, apply controls).
But if there is an external entity that provides you with a service (related to the scope of your ISMS), you can identify the risks related to this service during the risk treatment process and transfer them to the external entity.
Since your classification is about confidentiality, you can label this document as unclassified; plagiarism protection is another issue – you have to mark the document with a copyright notice so that it is clear that the document is protected by intellectual property rights.