Search results


  • Implementing ITIL in a Start-up - Major milestones

    Generally, you should focus the ITIL implementation based on the following elements (your milestones):

    1. Strategy – Define: where do you want to be? Who are your customers? Which market do you serve? How do you intend to achieve those goals?

    2. Customer journey – define your activities (and related resources) throughout the customer lifecycle

    3. Products and services – define activities related to your products and/or services. Define related methodologies.

    4. Operation – once you have your products/services, define the activities needed to support and maintain them. This also includes related resources (and their capabilities) as well as the respective value streams

    5. Measurement and metrics – define (and implement) appropriate measurements and metrics in order to ensure efficiency in service delivery

  • Can the Health and Safety policy be combined with the Environmental policy?

    First, yes, you can have an integrated health, safety, and environmental policy. Second, whether or not that is the best approach for your organization will depend on the effective integration of the two systems. Third, in theory, I always try to integrate management systems, because people in an organization do not work according to each management system in particular; they simply do their work. The following material will provide you with information about implementing integrated systems:

    • How to implement integrated management systems - https://advisera.com/articles/how-to-implement-integrated-management-systems/
    • Free webinar – How to integrate ISO 9001:2015 and ISO 14001:2015 - https://advisera.com/9001academy/webinar/how-to-integrate-iso-90012015-and-iso-140012015-free-webinar-on-demand/
    • ISO 9001, ISO 14001 and ISO 45001 Integrated Documentation Toolkit - https://advisera.com/9001academy/iso-9001-iso-14001-iso-45001-integrated-documentation-toolkit/
    • book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/

  • ISO 27001 - Microsoft Office

      The standard by itself does not have limitations regarding technologies that can be used.

      Any restriction related to the use of Microsoft Office regarding the certification process will depend on the results of the risk assessment or on applicable legal requirements, i.e., relevant risks that can be treated only by not using the software, or laws, regulations, or contracts that the organization needs to fulfill and that prevent the use of the software.

      In case there are no relevant risks or applicable legal requirements preventing the use of the software, its use will be accepted regarding the ISO 27001 certification.

  • Impartiality risk assessment

      You can use "05. Appendix 1 Registry of Key Risks and Opportunities".

      As per the definition of impartiality, and referring to clause 4.1.4, consider any risks to the presence of objectivity, i.e., risks that could result in conflicts of interest, bias, prejudice, or unfair practices.

      Consider risks that could arise from the activities, organisational relationships, or from the relationships of personnel. Examples are provided in ISO 17025: relationships that threaten the impartiality of the laboratory can be based on ownership, governance, management, personnel, shared resources, finances, contracts, marketing (including branding), and payment of a sales commission or other inducement for the referral of new customers. List these and all possible risks, even if they do not exist, and indicate how they are controlled. If a risk does exist, list the control to remove the risk, or to reduce it to a low level that is not significant. Examples of controls are a clear, independent organisational structure with clear roles and authorities, and contract review, supplier evaluations and personnel contracts that look for and protect impartiality.

      For more information, see my response to a question Assuring impartiality and confidentiality at https://community.advisera.com/topic/assuring-impartiality-and-confidentiality/

  • Becoming ISO 27001 lead auditor

      Hello,

      You can also consider doing the ISO 27001 Lead Implementer and ISO 27001 Internal Auditor courses, and provide consulting services for implementing ISO 27001 in organizations and conducting internal ISO 27001 audits.

  • Conformio and Annex A controls

      Thank you very much for your help Rhand, this is exactly what I wanted to know. I will be able to go ahead with the project with peace of mind.

      Have a nice day 😀

      Carlos

  • Mapping of requirements on controls

      Please note that to map an external requirement such as a requirement for an Insurance company, you should use the Register of Requirements module.

      In the field “To what area is this requirement related?” you can use the option “Specifying mandatory safeguards”, and in the field “Description of the requirement,” you can inform clause A.7.2.2.

      As for the security awareness training, you can record this need in the Training module.

  • Performing information security and POPIA compliance gap analysis

      For deliverables 1, 2, and 3, a good approach would be developing checklists based on ISO 27001 and POPIA requirements to perform the gap analysis, and plans on how to apply them with specific timelines. Besides the reports themselves, additional deliverables would be these checklists and plans.

      Regarding deliverable 4, sorry, but this deliverable requires technical expertise that is out of our scope of work.

      These tools can help you to have a general idea about the gap analysis:

      Since gap analysis has similarities with internal audit, you may benefit from this material:

      For further information, see:

  • Question about GRC committee

      First, it is important to note that ISO 27001 does not regulate, or even mention, a GRC committee. It only requires that the functions relevant to information security are defined.

      Considering that, the first steps would be for the committee to agree on what the top-level objectives of information security are, and what kind of role and authority the committee has, so that it does not conflict with those of the security officer.

      After that, as the information security officer, in case objectives are changed, and also considering the committee's roles and authorities, you should evaluate whether any changes are required in the ISMS. In case changes are required, these need to be evaluated by management representatives to decide whether they will be implemented or not. The following steps are similar to those related to ISMS implementation:

      • update the ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding the organization and the requirements of interested parties

      • update risk assessment and treatment methodology

      • perform a risk assessment and define a risk treatment plan

      • controls implementation (e.g., policies and procedures documentation, acquisitions, etc.)

      • people training and awareness

      • controls operation

      • performance monitoring and measurement

      • perform internal audit

      • perform a critical management review

      • address nonconformities, corrective actions, and opportunities for improvement

      For further information, see:
