
  • Event Management


    Answer:
    While implementing Event Management you have to be aware of the following:
    1. Event Management process efficiency depends on the tools you have. Some devices have monitoring tools built in, and for some, you'll need to implement additional tool(s).
    2. Event Management process does not involve many people (unless you are a huge organization). But you need to clearly define the role(s) (most probably one person responsible for the process) and related responsibilities. Maybe, in large organizations, you'll have several people, but mainly you need to make an interface to the Incident Management process, and most of the activities will take place in the scope of that process.

    Here are the articles that can help:
    - ITIL Event Management – Entry point of Service Operation https://advisera.com/20000academy/blog/2015/03/10/itil-event-management-entry-point-of-service-operation/
    - Events – a flood or mountain creek https://advisera.com/20000academy/blog/2013/07/02/events-flood-mountain-creek/
  • ISO 9001 and the retail business


    Answer:
    Yes, ISO 9001 is applicable to all kinds of organizations: private, public, governmental, for-profit or non-profit.

    2. “I read How ISO 9001:2015 can improve your supply chain performance in the retail sector - https://advisera.com/9001academy/blog/2016/03/08/how-iso-90012015-can-improve-your-supply-chain-performance-in-the-retail-sector/, can it go beyond supply chain?”

    Answer:
    Yes. Consider a retail business. Consider how the process approach can help a sector with so much turnover, with a lack of internal standards, with lack of lead indicators, with a lack of trained professionals in contact with customers. For the retail business implementing an ISO 9001 QMS is more important or useful than certification.

    The following material will provide you information about improvement:
    - ISO 9001 – Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
    - Benefits of ISO 9001 implementation for small businesses - https://advisera.com/9001academy/blog/2018/09/17/benefits-of-iso-9001-implementation-for-small-businesses/
    - Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Where to start


    Answer:
    When you start reading about the topic quality, in general, you will most likely find the PDCA cycle, something that stands for https://www.screencast.com/t/z2D8iAvLumfq

    According to this cycle, we start by planning our objective and then work towards attaining it.

    After years of using this approach, I found a better one, less known, developed by a Japanese author, something like this: https://www.screencast.com/t/JJQxfx7S6

    We start in the Control Cycle. We have a standard (written or not), we work according to the standard, we check the results and we act, we decide what to do. If performance is OK, we continue within the Control Cycle. If performance is not OK, or if we want to improve current performance, our decision is to leave the Control Cycle and join the Improvement Cycle. We start with the problem, or challenge at hand, we plan a way to solve it or meet the target, we try an experiment (DO), we check the results, and if the results are not OK our action, our decision, is to plan another experiment. If the results are OK, our action is to set the experimental conditions as our new standard, and we are back to the Control Cycle.

    So, I would recommend to first define clearly your problem, why it is a problem, and what will be the success criteria for that problem.

    The following material will provide you information about improvement:
    - ISO 9001 – How to use quality control tools to improve your QMS - https://advisera.com/9001academy/blog/2017/04/18/how-to-use-quality-control-tools-to-improve-your-qms/
    - Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Normative reference


    Answer:
    According to ISO Technical Committee 207, a normative reference is a reference to another document that is indispensable for the application of the standard. If a document is normatively referenced, an organization must conform to it in order to conform with the standard. In the case of ISO 14001:2015 it is a standalone document that can be applied without reference to any other documents.

    The following material will provide you information about the assessment of environmental interactions:

    - ISO 14001 – 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
    - List of ISO 14001 implementation steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-iso-14001-implementation-steps/
    - Free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - Book - The ISO 14001:2015 Companion – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Templates content


    Answer: ISO 27001 clause 9.1 Monitoring, measurement, analysis and evaluation requires documented information as evidence of the monitoring and measurement results, and one way to ensure that is by using the Measurement Report. Of course, if your organization already has other records you can use to fulfill this clause, this report is not needed.

    For further information, please read:
    - How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/

    2. Unauthorized use of printers, photocopiers, scanners and other shared equipment for copying Dell S2825CDN in the office at the headquarters is prevented by [specify how – e.g. by locking the facility, use of PIN numbers, access cards, etc.]. All the employees are authorized to use the printer/photocopier/scanner. Is it okay to write it like that?

    Answer: First it is important to note that any ISO 27001 control must be implemented only if you have unacceptable risks, legal requirements, or top management decisions demanding a control to be implemented.

    Considering that, if at least one of the previous circumstances applies to employees, you have to evaluate if this implementation will decrease risks to acceptable levels, or fulfill legal requirements. On the other hand, if you do not have any of the previous circumstances, you do not need to implement access control.

    Second, unauthorized use refers not only to employees, but to all people that can have access to the equipment (e.g., visitors, contractors, etc.). So, you also have to consider these personnel regarding risks, legal requirements, and top management decisions, to define if any control is needed regarding them.

    This article will provide you further explanation about selecting controls:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    3. The IT Security Policy and Security Procedures for IT Department document have a section at the end which is called "Managing records kept on the basis of this document". I could not find any templates for these records, but I do have an idea what I could write at some of these documents but it wouldn't be that much, ex. I hereby state that ______________ may take organizational assets off-site. The employee is fully responsible to take the necessary care while the assets are off-site. (at the bottom of the document a place where employer and employee both could sign). However for records such as "Security features and level of expected service for network services" I wouldn't know what to write. Do you possibly have examples for the records or something else so I can get a better picture of what I exactly have to write?

    Answer: A good example for "Security features and level of expected service for network services" would be a Specification of Information System Requirements, and you can find this template in folder 08 Annex A Security Controls ==> A.14 System Acquisition Development and Maintenance

    For other records, in many cases organizations already have versions of them in their own operations, in paper form (corrective action record) or in information systems (e.g., the logs of your backup system); that's why we do not provide them (it would be infeasible to create a template to cover all possibilities). In these cases we recommend customers to evaluate if their current records already comply with the information required by policies and procedures. If yes, you can use them. If not, you can make a list of needed records and schedule a meeting with one of our experts, so he can guide you on how to develop such records.

    You can schedule a meeting at this link: https://advisera.com/27001academy/consultation/
  • 3rd party risk management


    Answer:

    Considering ISO 27001 requirements, 3rd party risk management is not much different from performing risk management on your own environment:
    - Define risk assessment methodology
    - Perform risk assessment
    - Perform risk treatment
    - Elaborate ISMS Risk Assessment Report
    - Elaborate Statement of Applicability
    - Define Risk Treatment Plan

    The main difference is that you have to formally define the risk assessment and treatment methodology with the third-party, e.g., by means of a contract, and define clear roles and responsibilities for each part (e.g., the third party will identify and analyze risks while your organization will evaluate them during the risk assessment implementation).

    These articles will provide you further explanation about risk assessment and treatment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

    These materials will also help you regarding risk assessment and treatment:
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Documentation requirements

    >1 - One of the mandatory documents in the list in the toolkit is “Operating Procedures for IT Management”, is this not the same as an SOP?

    Answer: I'm assuming you are referring to the "Security Procedures for IT Department" template, located in folder 08 Annex A Security Controls ==> A.12 Operations Security

    Considering that, you can call this document an SOP, because it defines activities and responsibilities to ensure correct and secure functioning of information and communication technology.

    >2 - Sorry if I may have missed your point but does this mean that an Operating Procedure is only required for specific controls within our ISMS, such as backup procedures and SIEM tools etc?

    Answer: Your understanding is correct. Documents such as policies and procedures are required only when related controls identified as applicable in your Statement of Applicability demand documentation. Examples are controls A.9.1.1 Access control policy, and A.12.1.1 Documented operating procedures. Regarding backup, control A.12.3.1 Information backup does not require procedures to be documented, only that backup copies are taken and tested regularly (in this case documentation is more a question of good practice).
  • ISO 27001 for datacenters


    Answer:

    ISO 27001 can be used to certify organizations of any industry or size regarding how they protect information (by using a risk management approach to identify and treat relevant risks), so you can use it to certify a data center.

    We are not experts on countries' local regulations or practices, so we cannot inform you if other countries or organizations apply the same approach as you described for the Australian Federal Government, but what we can say is that, in the case of the Australian Federal Government, ISO 27001 can help you identify the requirements you need to fulfill for the classification level you want to apply to, and select, implement and manage the proper controls to handle relevant risks.

    For example, if for T4 level cryptographic controls are required, ISO 27001 can provide guidance on this by means of controls A.10.1.1 Policy on the use of cryptographic controls and A.10.1.2 Key management.

    These articles will provide you further explanation about ISO 27001:
    - ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - ISO 27001 Case study for data centers: An interview with Goran Djoreski https://advisera.com/27001academy/blog/2013/10/29/iso-27001-case-study-for-data-centers-an-interview-with-goran-djoreski/

    These materials will also help you regarding ISO 27001:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • ISO 27017 certification

    We've received an additional question:

    >Thanks for the answer, but I still have not received a response to the question, are there any documents that can only be used for 27017 assuming that I already have prepared documents for 27001?

    Answer:

    First of all, sorry for this confusion.

    Most of the adjustments to include ISO 27017 recommendations can be made on existent ISO 27001 documents. The only documents you should create specifically for ISO 27017 are a Cloud Security Policy and a Policy for Data Privacy in the Cloud.

    To see an example on how ISO 27017 recommendations relate to ISO 27001 documents, please take a look at the List of documents file of our ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit at this link: https://advisera.com/wp-content/uploads//sites/5/2019/03/List_of_documents_ISO_27001_ISO_27017_ISO_27018_Cloud_Documentation_Toolkit_EN.pdf
  • Integrating Quality and Environment in a Management System

    1. How is ISO 9001 to my industry?

    Answer:
    Look into clause 4.2 of ISO 9001:2015. Determine the relevant interested parties, the stakeholders, and determine their requirements and expectations. Quality in most organizations is about satisfying requirements and expectations of interested parties, quality is about having hydropower availability when expected, quality is about minimizing costs. Model the functioning of your organization as a set of processes that want to deliver satisfied interested parties, availability, and efficiency.

    “2. How do I easily integrate both management systems since they are both being manned by one person?”

    Answer:
    You can compare both standards and realize that there is a lot in common. When I implement integrated management systems, I describe the organization as a set of processes that deliver the purpose, the mission of the organization. Then, after an initial environmental assessment, I determine what processes or activities must be improved or standardized in order to eliminate or minimize significant environmental impacts. That translates into making changes in some of the processes. Concerning top management, the policy, objectives, context, interested parties and part of the risks are common.

    The following material may help you with that challenge:
    - How to integrate ISO 14001 and ISO 9001 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/how-to-integrate-iso-14001-and-iso-9001/
    - How to implement integrated management systems - https://advisera.com/articles/how-to-implement-integrated-management-systems/
    - ISO 9001 Implementation diagram - https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram
    - Free ISO 9001:2015 Gap Analysis Tool - https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
    - Free webinar on demand – How to integrate ISO 9001:2015 and ISO 14001:2015 - https://advisera.com/9001academy/webinar/how-to-integrate-iso-90012015-and-iso-140012015-free-webinar-on-demand/
    - Free online ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Free online ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-lead-implementer-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/