
  • Strategy Management


    Answer:
    Developing a Service Strategy requires taking various views:
    - from business side
    - service oriented view
    - (internal) organization point of view
    That implies that a systematic approach needs to be taken. A strategy plan and process description will help you systematize activities. Take a look at the free preview of these documents:
    Strategy Management for IT Services Process https://advisera.com/20000academy/documentation/strategy-management-for-it-services-process/
    Strategy Plan https://advisera.com/20000academy/documentation/strategy-plan/

    Also, these articles can give you some hints:
    ITIL Service Strategy: What and Why of ITSM https://advisera.com/20000academy/knowledgebase/itil-service-strategy-itsm/
    ITIL Strategy Plan – Are you sure you have this document? https://advisera.com/20000academy/blog/2015/05/26/itil-strategy-plan-are-you-sure-you-have-this-document/
    ITIL strategy – Framing the value of services (part I) https://advisera.com/20000academy/blog/2014/11/11/itil-strategy-framing-the-value-of-services-part-i/
    Strategy Management for IT Services – holding your steering wheel https://advisera.com/20000academy/blog/2013/10/22/strategy-management-services-holding-steering-wheel/
  • Is updating mandatory?


    Answer:
    I will only consider ISO 9001:2015 and ISO 14001:2015 in my answer.

    ISO 9001:2015
    About being mandatory to update external and internal issues – the last phrase of clause 4.1 and clause 9.3.2 b) consider the principle that changes in the context may occur and that the organization must consider them.

    About being mandatory to update risk analysis – clause 6.1.1 says that organizations should consider external and internal issues when determining risks and opportunities. So, if external and internal issues are updated, it is plausible to conclude that at least some risks and opportunities can appear/disappear or become more or less critical. Also, clauses 9.3.2 e) and 10.2.1 e) can be seen as doors to consider the need to update risk analysis. Effective actions, for example, can change the priority of risks and opportunities, and nonconformities can make updating the risk register and risk classification necessary.

    ISO 14001:2015
    About being mandatory to update external and internal issues – clause 9.3 b) 1) considers the principle that changes in the context may occur and that the organization must consider them.

    About being mandatory to update risk analysis – clause 6.1.1 says that organizations should consider environmental aspects, compliance obligations and external and internal issues when determining risks and opportunities. So, if external and internal issues are updated, and if environmental aspects and compliance obligations are updated, it is plausible to conclude that at least some risks and opportunities can appear/disappear or become more or less critical. Also, clause 9.3 b) 4) can be seen as a door to consider the need to update risk analysis. Effective actions, for example, can change the priority of risks and opportunities.

    About being mandatory to update environmental aspects – Clause 9.3 b) 3) considers the possibility of changes among environmental aspects.

    Organizations are not separated from their context; they are immersed in it. If the context changes, organizations should update their context analysis and evaluation. Management systems are in part tools to manage risks, opportunities and environmental aspects. An effective management system with its effective actions should, as a consequence, generate the need to update the determination and evaluation of risks, opportunities and aspects.

    The following material will provide you with information about clause applicability:
    - ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - ISO 14001 - Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Clause 8.3 applicability and outsourcing


    Answer:
    Even if your organization is outsourcing the design it will still be responsible for ensuring that a process is followed and that ISO 9001 requirements are met. Outsourced processes are still applicable. But if your organization buys a particular design off the shelf, as finished specifications, non-applicability makes sense.

    The following material will provide you with information about clause applicability:
    - ISO 9001 – What clauses can be excluded in ISO 9001:2015? - https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • ISO certifications for cloud computing

    I was checking ISO/IEC 27017:2015, and wondering if I'm missing something.

    Answer:

    There are no specific ISO certifications for cloud computing. What you can consider is the implementation of specific controls of ISO 27017 in an ISMS (ISO 27001 already covers the general controls that also protect cloud services), if you have specific requirements (e.g., laws, regulations or contracts) demanding security controls for cloud environments.

    Additionally, I suggest you consider ISO 27018, the ISO standard related to protection of Personally Identifiable Information (PII), to fulfill potential requirements you have regarding the protection of customers' privacy.

    These articles will provide you with further explanation about ISO 27017 and ISO 27018:
    - ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
    - ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
  • Risk assessment and the ISO 27001 Lead Implementer course

    Very helpful course
  • CE mark and ISO 13485 for medical device in EU


    Answer: In the EU context, the CE mark is part of the conformity assessment procedure; therefore, it is actually a priority over ISO 13485. Having ISO 13485 is more of a benefit.

    As a company dealing with medical devices, being ISO 13485 certified could provide added assurance that the company has a quality management system in place that can ensure the quality, safety and performance of the devices, as well as open up more opportunities for exporting the products.

    For more information, please refer to:

    Six key benefits of ISO 13485 implementation
    https://advisera.com/13485academy/knowledgebase/six-key-benefits-of-iso-13485-implementation/
  • Template content


    Answer:

    In the "Necessary manual controls" field you must list all controls identified as applicable that for any reason you cannot integrate into the information system you want to protect. For example, if you cannot perform automated output validation and this is a system security requirement, then you should implement it manually.

    It is not mandatory to fill in the "Necessary manual controls" field if all required controls can be automated into the information system.
  • Risk management


    1 - Do we have to identify the controls for all high and medium risks?

    Answer: You have to identify controls only for risks considered unacceptable, according to your risk acceptance criteria, and for which you decided on risk mitigation as the treatment option. To set the acceptable level of risk you must consider the organizational context and the business objectives (generally, the more aggressive the business objectives, and the more dynamic the organizational context, the lower the risk acceptance criteria would be).

    2 - Can we just identify the controls only for high risks and implement them?

    Answer: It is possible to identify and implement controls only for high risks.

    3 - For medium risks, can we say we will gradually identify the controls and implement them later?

    Answer: It is possible to gradually implement controls for medium risks. Considering certification processes, you only have to ensure that controls for unacceptable risks are implemented by the certification audit, and that actions for the implementation of other controls are up to date considering the implementation plan.

    These articles will provide you with further explanation about risk treatment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/

    This material will also help you regarding risk treatment:
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Filling the Statement of Applicability template


    Answer:

    Control objectives are important for at least two reasons:
    1 - They help fulfill clause 6.2 (Information security objectives and planning to achieve them)
    2 - They are used during performance evaluation (requirements from clause 9) as reference to decide if the controls are being effective or if adjustments are needed.

    It is important to note that:
    - Control objectives are not mandatory in the Statement of Applicability (although including them in the SoA is a good practice to decrease the administrative effort of managing several documents).
    - You do not have to specify objectives for each and every control.

    A good tip for establishing control objectives is to copy the objectives from Annex A (this is acceptable for certification purposes).
    To help you define control objectives, I suggest this article:
    - ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
  • Risk management approach


    Answer:

    Requirements for risk management in ISO 27001 do not prescribe which approach to use, only that a process must be defined, so you can use requirements from both ISO 27001 and COBIT 5 to perform risk management without a problem.

    This article will provide you with further explanation about ISO 27001 and COBIT:
    - How to integrate COSO, COBIT, and ISO 27001 frameworks https://advisera.com/27001academy/blog/2016/10/10/how-to-integrate-coso-cobit-and-iso-27001-frameworks/

    This material will provide you with further explanation about ISO 27001 risk management:
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/