1. Is identifying risk (threat and vulnerability) the responsibility of the asset owner? If so, how do they identify it?
Answer:
The asset owner is responsible for protecting and managing an asset in a company, so he has to ensure risks are identified, either by performing risk identification himself or by working with other people (e.g., experts on the asset or people who use it on a daily basis). Since ISO 27001 does not prescribe who must perform risk identification, both approaches are valid, and you have to consider your organization's context (e.g., the asset owner's experience and knowledge) to choose the proper approach.
2. Is assessing the consequence and likelihood of a risk the responsibility of the risk owner?
Answer:
The risk owner is a person designated to solve a risk, and to do so he must be responsible for performing the consequence and likelihood assessment, either by himself or with the support of other personnel.
3. So the one who is responsible for risk assessment just picks up the risks from them and then does the risk assessment?
Answer:
Risk assessment is the combination of risk identification, risk analysis and risk evaluation, so it is not a simple question of picking up risks, but of identifying them, defining values for them so they can be prioritized, and evaluating them against your criteria so you can decide which ones have to be treated.
The following appears to be missing from our folder:
A.5 – Information Security
A.18 – Compliance
Answer:
First of all, sorry for this confusion.
The documents from sections A.5 and A.18 are not missing from the toolkit – you can find them here:
- A.5 – all the documents from folder "08 Annex A" cover the requirements about information security policies (A.5.1.1) and review of the policies (A.5.1.2)
- A.18 – these documents are covered in the toolkit in folder "02 Procedure for identification of requirements"
ISO 20000 and ISO 9001
Answer:
I assume you will implement ISO 9001 and then ISO 20000. Yes, an implemented QMS can help you. There are some common elements, and there are some that are extended in ISO 20000 (after you implement ISO 9001).
Answer:
That depends on many parameters, but generally, here are more details (without knowing your organization, services, etc.).
First of all, see how many people you need on your 1st line. Then try to avoid putting your best people (usually the most expensive and most usable in other, more complex places) there if your 1st line is doing simple activities (the opposite view applies if your support is complex in nature). Check also if you can afford to have a lot of resources dedicated to the services (e.g. few maintenance contracts). If you have a lot of issues with unknown root cause (Problem Management), most probably you'll need more resources on the 2nd level.
If you create the accounts and not the employees themselves, then this may be a transfer of personal data, provided that the employees are in the EU. However, most of the cloud providers already have transfer mechanisms in place. For example, Dropbox has a Privacy Shield Certification (https://www.dropbox.com/help/security/data-transfers-europe-us).
Filling out the Treatment Table
First of all thanks for the clarification about your doubt.
In fact, for the purpose you described, the Risk Treatment Plan is not the proper document. As you said, it describes the general solution for a risk. For recording more detailed information you can use the Statement of Applicability template. In this template you have a column called "Implementation method", where you can describe the solution for a control (covering all risks and legal requirements related to that control), or make reference to documents (e.g., policy, procedure, or work instruction) describing the adopted solution.
The concept of measurement is also best explained through this PDCA cycle:
In the Plan phase you need to set the objectives (ISO 27001 4.2.1 b 1) and 4.2.1 g),
In the Do phase you must figure out how to measure up to which point your objectives are achieved (ISO 27001 4.2.2 d),
In the Check phase you need to start actual measurement (ISO 27001 4.2.3 c), and finally
In the Act phase, once you realize you haven't achieved your objectives (which is very often the case), you need to make certain improvements (ISO 27001 4.2.4 d).
However, I was unable to find the sections in the actual ISO 27001 standard which you mentioned as
4.2.1 b 1) and 4.2.1 g)
ISO 27001 4.2.2 d
(ISO 27001 4.2.3 c),
(ISO 27001 4.2.4 d)
Answer:
First of all, sorry for this inconvenience. This article was written considering version 2005 of ISO 27001. For version 2013 you must consider these clauses:
ISO 27001:2005 4.2.1 b 1) is now ISO 27001:2013 5.2 Policy
ISO 27001:2005 4.2.1 g) is now ISO 27001:2013 6.1.3 Information security risk treatment
ISO 27001:2005 4.2.2 d is now ISO 27001:2013 9.1 Monitoring, measurement, analysis and evaluation
ISO 27001:2005 4.2.3 c is now ISO 27001:2013 9.1 Monitoring, measurement, analysis and evaluation
ISO 27001:2005 4.2.4 d is now ISO 27001:2013 10.1 Nonconformity and corrective action and 10.2 Continual improvement
List of assets
So, the question is how deep we should go into assets that contain other similar assets, and whether we should take a building as an asset when we can detail it into smaller parts that could somehow be put together as a whole… I'm probably not explaining myself so well; I hope you will understand, as this is probably a recurring question.
To what extent is it up to us to choose the level of detail? How much will this depend on the external audit?
Answer:
The quantity of assets and their level of detail is totally up to the organization. The external auditor will only verify whether your arrangement can provide enough confidence that all relevant risks are being properly assessed and treated.
As a tip for handling the asset inventory, you only have to increase the level of detail if you identify that in this way you can improve security, or have a more efficient operation with acceptable risks. For example, you can have a building as a single asset, but if you identify that a room in that building needs extra security, you can have two different assets (i.e., the building and the specific room). On the other hand, if you have similar assets that can share the same control, you can group them into a single asset. For example, laptops, tablets and smartphones can be grouped as an asset named "Mobile devices".
Other examples are the network (which can be divided into cabling, switches, firewalls, etc.), and roles in the organization (the different roles can be grouped as users, technical staff, and managers).
Answer:
For OHS objectives, this is just the sort of measurable, targeted improvement that is expected by the ISO 45001 standard. The idea is to set a target for improvement, and then make plans to achieve this target and flow these plans down so that everyone knows what they need to do to achieve the target in the planned timeline. You seem to have a good objective for improvement.
For more information on OHS objectives see this article, “How to define ISO 45001 objectives and plans”; https://advisera.com/45001academy/blog/2018/12/04/how-to-define-iso-45001-objectives-and-plans/
Waste audit
Answer:
You don't need any qualification in ISO 14001 to conduct a waste audit, although it can help you to better understand how to handle waste in an organization. The objective of a waste audit is to determine the types of waste and the locations that will be audited, while the aim of ISO 14001 is to manage all the environmental aspects related to an organization, so it covers a broader scope.