I was wondering how up to date it is and the sources of the information? We were considering purchasing a legal register, but I am not convinced that we need to.
Answer:
Unfortunately, this list is not fully up-to-date because it depends on voluntary contributions from our readers - therefore, it is likely that not all regulations are listed. To make sure you have the latest list of laws and regulations, it would be best to hire a local legal adviser.
Risk assessment
1. Would you please guide me on how to start doing risk management (from risk identification to the risk treatment plan)?
This toolkit enables you to implement information security and business continuity risk management compliant with ISO 27001 and ISO 22301, and provides access to video tutorials to help fill in the documents with real data examples.
3. Is it possible to treat or prevent risks so as to have a zero risk appetite?
Answer: It is not possible to treat risks to achieve a zero risk appetite, because the cost of treating all possible risks an organization is exposed to would be prohibitive.
4. If I follow the COBIT 5 standard for risk management, I don't need to do an SoA, right?
Answer: Your understanding is correct. The Statement of Applicability is not a requirement of COBIT 5, so you do not need to develop such a document if you follow the COBIT 5 risk management approach.
Template content
Control 6.1.1 Information security roles and responsibilities is covered by all templates in the toolkit. For each required action on a template, it is always required to define who must perform it (the [job title] field).
Please be aware that ISO 27001 does not require you to document each and every control you declare as applicable; you can simply describe the implementation of such undocumented controls in the Statement of Applicability. In order to avoid overhead for small companies, we have decided to include in the toolkit only those documents that are mandatory plus those that are most commonly used; in other words, you will not find in the toolkit the documents that are not mandatory and are not used very often.
The EU GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. As long as the car is registered to an individual, the license plate would make that person identifiable, so it would fall under the definition above.
Is this correct? Is this how they can be completed and meet the requirements of ISO 22301?
Answer:
ISO 22301 does not prescribe how a Business Impact Analysis must be performed, only that you have to perform this task, so your approach of defining recovery activities for a department as a whole rather than for each different activity will also meet the requirements of ISO 22301.
I received the following question:
Answer:
What is specific to a Virtual Service Desk is that the personnel are geographically dispersed and can be organized in various ways. That also provides options for measuring, e.g., telecommunication costs, dropped calls, number of resolved incidents (or other calls) per group (if they are located, e.g., at the same site), availability of agents (e.g., if they work from home or from an office that is not supervised), etc.
Of course, all the usual measurements related to the Service Desk apply as well. These articles can give you an idea:
ITIL Service Desk types https://advisera.com/20000academy/blog/2014/05/06/itil-service-desk-types/
Service Desk: Single point of contact https://advisera.com/20000academy/knowledgebase/service-desk-single-point-contact/
Design in AS9100 Rev D
Answer:
This is one example that I have used where a company that supplies products also has a service that they provide to customers. Even if you do not design the product, you certainly design the service of creating a drawing. If this is a new service that you are offering it would need to be designed as per the AS9100 Rev D requirements for design and development. As for your question on customer approval, this is a decision that is part of your customer requirements, not the AS9100 standard. If your customer states that they need approval over any documents you create to manufacture their parts then you would certainly need approval over the drawing.
For more information on how the design and development requirements apply in AS9100, see this article, “Can companies still exclude design and development from their AS9100 Rev D QMS?”: https://advisera.com/9100academy/blog/2017/10/09/can-companies-still-exclude-design-and-development-from-their-as9100-rev-d-qms/
ISO 9001 and root cause analysis
Answer:
An organization performs quality control on its products (clause 8.6). During quality control, an organization can detect product nonconformity (clause 8.7).
Also, an organization performs monitoring and measurement (clause 9.1.1) and analysis and evaluation of performance (clause 9.1.3).
Either because one particular product nonconformity is considered very serious, or because it is a recurring product nonconformity, an organization can decide that performance should be improved. For that reason, a corrective action should be developed (clause 10.2). Developing an effective corrective action must include determining the root cause of the product quality issue.
Let us suppose that the organization is not satisfied with the level of nonconformities on product X. So, the first step is to focus the improvement effort by performing a symptom diagnosis using, for example, a Pareto chart: https://www.screencast.com/t/cw2cpildI
After this initial screening the organization needs:
· determine probable causes;
· make some tests or investigations to find the root cause(s);
· develop alternative solutions;
· select the best one;
· implement the solution;
· check the effectiveness of that solution.
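The Pareto screening step mentioned in the answer above (find the "vital few" defect categories that account for most of the nonconformities before chasing root causes) is easy to get subtly wrong at the cutoff, so here is an added example of that calculation. It is not code from the original page or from Advisera; the defect categories and counts are constructed sample data, and the 80% threshold is the conventional rule of thumb, not a value the answer prescribes.

```python
from collections import Counter

# Constructed sample data (not from the page): the defect category recorded for
# each nonconformity of "product X" found during quality control.
SAMPLE_NONCONFORMITIES = (
    ["scratched finish"] * 42
    + ["wrong dimension"] * 27
    + ["missing label"] * 11
    + ["loose fastener"] * 7
    + ["wrong colour"] * 4
    + ["packaging damage"] * 3
)


def pareto_table(records, threshold=0.8):
    """Return rows (category, count, share, cumulative_share, vital), sorted by
    descending count (ties broken by name so the output is deterministic).

    'vital' marks the categories that together make up the first `threshold`
    fraction of all nonconformities. The category whose cumulative share first
    reaches the threshold is still included in the vital few; everything after
    it is the "trivial many".
    """
    counts = Counter(records)
    total = sum(counts.values())
    if total == 0:
        return []
    rows = []
    cumulative = 0
    threshold_reached = False
    for category, count in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        cumulative += count
        cum_share = cumulative / total
        vital = not threshold_reached          # decided before updating the flag
        if cum_share >= threshold:
            threshold_reached = True
        rows.append((category, count, count / total, cum_share, vital))
    return rows


def vital_few(records, threshold=0.8):
    """Names of the categories to focus the corrective action on."""
    return [row[0] for row in pareto_table(records, threshold) if row[4]]


if __name__ == "__main__":
    print(f"{'category':<18}{'count':>6}{'share':>8}{'cum.':>8}  vital")
    for category, count, share, cum_share, vital in pareto_table(SAMPLE_NONCONFORMITIES):
        print(f"{category:<18}{count:>6}{share:>8.1%}{cum_share:>8.1%}  {'*' if vital else ''}")
    print("Focus on:", ", ".join(vital_few(SAMPLE_NONCONFORMITIES)))
```

With the constructed data the first three categories (42, 27 and 11 of 94 records) cross the 80% line at 85.1%, so those three are the vital few and the remaining three are set aside for now; the only design choice worth noting is that the category that pushes the cumulative share over the threshold is kept in the focus set rather than dropped.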
You can use ISO 31000:2018, Risk management – Guidelines, which provides principles, a framework and a process for managing risk. It can be used by any organization regardless of its size, activity or sector, and although it cannot be used for certification purposes, organizations can use it to compare their risk management practices with an internationally recognised benchmark.
To learn more about risk management in companies you can see the following materials:
The examples are only there to provide a better understanding of how to come up with your scenarios, so you do not have to keep them if you find that they cannot represent a real situation for your organization. Some of them, with some adjustments, may fit your organization, but scenarios built by your own team have a better chance of being useful.