
  • Risk management approach


    My first idea was that it would be very interesting for us to have a well-defined method, which wouldn't depend on people. The asset-vulnerability-threat approach is very intuitive and really easy, but not at all methodological, meaning that it is the opposite to a checklist or a detailed approach and depends much more on a somehow deep knowledge of the business. We need a person-independent method.

    So, after having a look around and considering our small size and so on, I'm thinking of both CCM (CSA STAR) and especially the BSI methods. IT-Grundschutz looks like a good approach, as it claims to be a complement to the ISO standard. The idea is not to get certified on 27001 on the basis of IT-Grundschutz (at least not for now), but to use it for the practical implementation (the "how") of the ISMS. But I still need to know which one of the three levels of protection we should aim for at this point, and how to optimize the method to our case. C5 looks out of reach at the moment, and probably unnecessary.

    So, I would like to have a clue on what method we could best use in order to have a systematic approach to RA for a small private cloud provider. My main concern is where to focus considering our case. Can you guide me on this please?

    Answer:

    Since you stated that you are a small private cloud provider, it seems to me you are spending too much effort on defining your RA and RT approach. If you do not have any legal requirement (e.g., contract, law or regulation) demanding the use of a specific or otherwise more elaborate methodology, you should keep it as simple as possible.

    Considering your scenario, you could use a mix of qualitative and quantitative approaches. The qualitative approach (based on people perception) will help you quickly identify risks relevant to your organization (elaborating checklists will consume time and effort, and may not cover all possible situations). After that you can perform a quantitative approach (based on probabilities and potential costs) to justify your risks based on how much they may cost you if they occur.

    These materials will provide you further explanation about risk management:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - Qualitative vs. quantitative risk assessments in information security: Differences and similarities https://advisera.com/27001academy/blog/2017/03/06/qualitative-vs-quantitative-risk-assessments-in-information-security/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Toolkit content


    Answer:

    The clause A.13.1.2 is covered by the template "Operating Procedures for Information and Communication Technology", which can be found in folder 08 Annex A A.12 Operations security of your toolkit.

    By the way, included in your toolkit there is a List of Documents file you can use to find out which clause is covered by which document.
  • Metrics for Incident management


    Answer:

    The SLA is one way to ensure incident resolution in a timely manner, but if an organization has other ways to ensure performance (e.g., number of incidents reported in a period), it is achieving the expected results and the customers are satisfied, there is no need to implement SLAs (neither ISO 9001 nor ISO 27001 requires the establishment of SLAs).

    These articles will provide you further explanation about performance measurement:
    - How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
    - How to implement the Check phase (performance evaluation) in the QMS according to ISO 9001:2015 https://advisera.com/9001academy/blog/2015/11/17/how-to-implement-the-check-phase-performance-evaluation-in-the-qms-according-to-iso-90012015/
  • Certification costs


    Answer:

    The costs with the certification process will depend on the size and complexity of the scope, so without more detailed information it is not possible to provide you a precise estimation.

    Regarding how to find a certification body, you can use this link to enter your profile, and we will find the registrar that best fits your needs: https://advisera.com/

    This article will provide you further explanation about selecting a certification body:
    - How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
  • Calibration


    Answer:

    Yes, in IATF 16949 clause 7.1.5.2.1 Calibration/verification records refers to the subject of the question, and you should follow those requirements.
    First, the organization must have a documented process for managing calibration records, and those records must be retained. So, if there is no documented process, the first step is to create one.

    The calibration activities must include the following additions:
    - Assessment of the risks of the intended use of the product caused by the out-of-specification condition. Here you can use the FMEA method;
    - Documented information on the validity of previous measurement results, if they were in place before you took over the process.
    For all future measurements please keep this in mind: if software is in place for product or process control (for example SCADA), there must be verification and confirmation that the software version specified for the product and process control is being used.
    Also, you have to align with Japanese law on the calibration of equipment, and please look at the calibration instructions that each piece of equipment has.

    Please also take a look at 7.1.5.3 Laboratory requirements, if your company has an internal laboratory.

    The following article may also help: "How to establish Measurement System Analysis according to IATF 16949": https://advisera.com/16949academy/blog/2017/11/08/how-to-establish-measurement-system-analysis-according-to-iatf-16949/
  • Linearity and Stability


    Answer:
    First, based on customer requirements, you should set specification limits (Lower specification limit and Upper specification limit) for measurement mistakes. Based on that, you have to show that bias is within the specification limits by doing an MSA (Measurement System Analysis).
    Based on the Six Sigma methodology for an instrument, we have machine bias, which is the case when different instruments get detectably different averages for the same measurements on the same parts.
    For stability, you should compare the measurements at one point in time to measurements taken at another point in time. If there is consistency across time, then it is stable.
    Linearity exists when accuracy is consistent across the entire range of possible values. So you can draw a diagram with at least 30 measurements to see whether linearity is achieved.
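    The three checks above (bias against specification limits, stability across two points in time, and linearity across the measurement range) carried out numerically, as an added example that is not part of the original answer. The gauge readings, reference values and specification limits are constructed for illustration; the linearity check generalizes the "draw a diagram" step into a least-squares slope of bias against reference value.

```python
"""Bias, stability and linearity checks for a measurement system (MSA).

Added example, not from the original post. Assumes a gauge has measured
reference parts of known value at two points in time; all readings below
are constructed sample data.
"""
from statistics import mean

# Constructed data: reference value -> repeated gauge readings at time 1.
READINGS_T1 = {
    2.0: [2.02, 2.01, 2.03, 2.02, 2.01],
    4.0: [4.04, 4.03, 4.05, 4.04, 4.03],
    6.0: [6.06, 6.05, 6.07, 6.06, 6.05],
    8.0: [8.08, 8.07, 8.09, 8.08, 8.07],
    10.0: [10.10, 10.09, 10.11, 10.10, 10.09],
}
# Constructed readings at time 2: the same parts, gauge drifted by +0.005.
READINGS_T2 = {ref: [r + 0.005 for r in vals] for ref, vals in READINGS_T1.items()}


def bias(reference: float, readings: list) -> float:
    """Bias = mean observed value minus the reference (true) value."""
    return mean(readings) - reference


def bias_within_limits(reference: float, readings: list, lsl: float, usl: float) -> bool:
    """True when the bias for this part lies inside the customer's spec limits."""
    return lsl <= bias(reference, readings) <= usl


def stability(readings_t1: dict, readings_t2: dict) -> float:
    """Shift of the overall mean between two points in time (0 = perfectly stable)."""
    all_t1 = [r for vals in readings_t1.values() for r in vals]
    all_t2 = [r for vals in readings_t2.values() for r in vals]
    return mean(all_t2) - mean(all_t1)


def linearity_slope(readings: dict) -> float:
    """Least-squares slope of bias versus reference value.

    A slope near zero means accuracy is consistent across the range
    (linearity holds); a clearly non-zero slope means bias grows or
    shrinks with the measured value.
    """
    xs = [ref for ref, vals in readings.items() for _ in vals]
    ys = [r - ref for ref, vals in readings.items() for r in vals]
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx
```

    In the constructed data the bias grows with the reference value, so the small parts pass the spec limits while the large parts fail, and the non-zero slope shows the linearity problem that a bias check on a single part would miss.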
  • Building Business Continuity strategy


    Answer:

    For the whole organization you should consider first performing a Business Impact Analysis (BIA), so you can identify and prioritize the most critical business processes for your organization.

    With the results of the BIA you can start defining your business continuity strategy. To see what a business continuity strategy looks like, please access this free demo: https://advisera.com/27001academy/documentation/business-continuity-strategy/

    These materials will provide you further explanation about Business Continuity Strategy:
    - Can business continuity strategy save your money? https://advisera.com/27001academy/blog/2010/03/15/can-business-continuity-strategy-save-your-money/
    - Developing the business continuity strategy according to ISO 22301 [free webinar] https://advisera.com/27001academy/webinar/developing-the-business-continuity-strategy-according-to-iso-22301-free-webinar/
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • Career on information security


    Answer:

    As ways to enhance your chances in an information security career, besides our site, I suggest you look for contacts and training opportunities on the websites of organizations such as ISACA (www.isaca.org), ISC2 (www.isc2.org/), SANS (www.sans.org/) and NIST (www.nist.gov/).

    Specifically for ISO 27001, you can consider two certifiable courses:
    - ISO 27001 Lead Implementer – this certification recognizes people who have competency in the ISO 27001 implementation process.
    - ISO 27001 Lead Auditor – this certification recognizes people who have competency in auditing an ISMS against ISO 27001 requirements and want to become a certification auditor (and with this provides more confidence to an organization for being certified).

    These articles will provide you further explanation about ISO 27001 personnel certifications:
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
    - Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/

    This material will also help you regarding ISO 27001 personnel certifications:
    - ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/
  • Control of procedures


    Answer:

    It is the organization itself that decides how to carry out the control of documented information, which would include, among other things, the procedures. Indeed, change control has to be performed according to the ISO 9001:2015 standard as established in clause 7.5, and this can be done in many ways, for which it would not be necessary to sign all documents if they are on paper; if they are in digital format, not even the signature would be essential. My recommendation is to track each document, for example by keeping a change history in the document itself that reflects the versions and the changes made in each version, as well as the person responsible for those changes. It is also very important to establish a coding scheme for the documents, which will help us track the changes made properly. A commonly used alternative is to write a procedure for documented information that establishes all these parameters. At this link you can download a preview of our Procedure for Document and Record Control: https://advisera.com/9001academy/es/documentation/procedimiento-para-control-de-documentos-y-registros/

    These materials can help you with the control of documented information:
    - Article - New approach to document and record control in ISO 9001:2015: https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
    - Article - Some tips to make document control more useful in your QMS: https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
    - Book - Gestión de documentación ISO: una guía en un lenguaje sencillo (ISO documentation management: a plain-language guide): https://advisera.com/books/gestion-de-documentacion-iso-una-guia-en-un-lenguaje-sencillo/
    - Free online course - ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
  • Change priority


    Answer:
    Priority 2 seems pretty high. But I don't know your SLA with the client. Change, as well as incident/problem, priorities should be described in the SLA in order to avoid such situations. If it is not done yet (from your question I assume it's not), then I would suggest you do it. One of the purposes of the SLA is to clarify the "rules of the game".

    These articles can help you:
    - Three key elements of assessment and evaluation of changes according to ITIL https://advisera.com/20000academy/blog/2015/06/30/three-key-elements-of-assessment-and-evaluation-of-changes-according-to-itil/
    - What's the content of an ITIL/ISO 20000 SLA? https://advisera.com/20000academy/blog/2016/06/14/whats-the-content-of-an-itiliso-20000-sla/