Search results


  • Maintenance as a main process?

    Yes, you can consider maintenance as a main process.
  • Organizational knowledge


    Answer:

    I believe that the question is about organizational knowledge. Organizational knowledge is about maintaining knowledge that the organization considers to be required for the operation of its processes and the delivery of products and services according to customers’ expectations, and about acquiring new knowledge based on changing needs and trends.

    Maintained knowledge has everything to do with competence. Based on the process approach, your organization can determine which functions play a part in each process, doing what, and with what associated behavior. What kind of knowledge is needed to be competent?

    The world does not stand still: customers change, technology changes, competitors change, the market changes. How can your organization keep a radar to be aware of new knowledge that can become useful to build the future?

    Personally, I like to use a 2x2 matrix:

    - What knowledge do we know that we know?
    - What knowledge do we not know that we know?
    - What knowledge do we know that we don’t know?
    - What knowledge do we not know that we don’t know?

    When a new person is integrated in the organization, or when performance is not good, organizations give them training (a) and/or put people to work side by side with a mentor, a tutor, someone who will pass on uncodified knowledge (b).

    When an organization wants to learn new things that are not new in the market, it goes to seminars, conferences, and training, or asks suppliers for help (c).

    About (d), organizations can receive technical magazines, search the internet regularly, buy books and keep an internal library, work with universities, and attend conferences and seminars, always in search mode for something new that can be useful.

    The following material will provide you information about the organizational knowledge:

    - ISO 9001 – How to manage knowledge of the organization according to ISO 9001 - https://advisera.com/9001academy/blog/2016/08/30/how-to-manage-knowledge-of-the-organization-according-to-the-iso9001/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • ISO 27001 Internal Audit for Human Resources

    ISO 27001 clauses to be considered in an HR department audit are mainly related to sections 7.2 (competence), 7.3 (awareness), and 7.4 (communication).

    Broadly speaking, you should verify how the organization has identified and ensured that the necessary information security competence is available, how employees are aware of the importance of protecting information and how they can contribute, and how their needs for communication are identified and ensured.

    These articles will provide you further explanation about competence, communication and internal audit:
    - How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    These materials will also help you regarding internal audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
  • ISO 27001 Certified ISMS Foundation (CISF) qualification

    For information about the use of CISF credential you need to contact IBITGQ (International Board for IT Governance Qualifications).

  • ISO 14001 on a construction site


    Answer:

    An environmental management system is used, among other things, to manage environmental aspects. Environmental aspects are mostly related to construction sites, and all construction sites are different. Considering that, some typical issues can be:

    - Landscape change
    - Dust generation
    - Waste generation
    - Water pollution
    - Vegetation removal
    - Environmental noise
    - Waterborne suspended substances
    - Destruction of the habitat of endangered species
    - Resource deterioration
    - Energy consumption on site
    - Raw materials consumption
    - Generation of inert waste
    - Site hygiene

    The following material will provide you information about assessment of environmental interactions:

    - ISO 14001 – Using ISO 14001:2015 to identify environmental aspects in the construction industry - https://advisera.com/14001academy/blog/2015/11/10/using-iso-140012015-to-identify-environmental-aspects-in-the-construction-industry/
    - ISO 14001 – 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Becoming a BC consultant

    Perhaps you can point me to some cyber resilience book. BCM, information security, and cyber resilience go hand in hand.
    I'm not a technical professional, so any plain English guide will suit me just fine.

    Answer: Cyber resilience goes through ensuring the management and delivery of IT services, so books about ITIL and ISO 20000, the ISO standard for management of IT services, can be useful for your purposes.

    These materials will provide you further explanation about becoming a consultant:
    - How to become an ISO 27001 / ISO 22301 consultant https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/
    - How to become an ISO 27001 / BS 25999-2 consultant [free webinar on demand] https://advisera.com/27001academy/webinar/become-iso-27001-bs-25999-2-consultant-free-webinar/
  • Integrating management systems


    ISO 22301 & ISO 27001 are also framed as per the Annex SL Framework. ISO 45001, ISO 27001 and ISO 22301 are "Risked based" standards.

    In view of this, whether it will be possible to include ISO 22301 & ISO 27001 under "IMS" additionally?

    Answer: Certainly. Since all these standards are structured according to Annex SL, all their common requirements can be integrated in a single framework. As for the "Risked based" aspect of the standards, you can consider developing them according to ISO 31000, the ISO standard for risk management.

    These articles will provide you further explanation about integrating ISO management systems:
    - How to implement integrated management systems https://advisera.com/27001academy/blog/2015/10/05/how-to-implement-integrated-management-systems/
    - ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
  • RTO for critical application


    Answer: There is no standard or default Recovery Time Objective (RTO) that can be attributed to an application, because the RTO value is based on the results of a Business Impact Analysis (BIA), which is unique to each organization's context. The RTO can be defined by the person responsible for the application, considering the inputs of interested parties impacted by a disruption of application operation (e.g., customers, regulators, etc.), and it is approved by top management.

    These materials will provide you further explanation about RTO and BIA:
    - What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)? https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/
    - Implementing Business Impact Analysis according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/implementing-business-impact-analysis-according-to-iso-22301-free-webinar-on-demand/
  • AS9100: Integrating QMS and business

    The key to integrating the business processes and QMS processes, as mentioned in the article, is to first identify what the business needs are (a SWOT analysis is recommended), from which you can then create your quality objectives to support your business needs.
    Once these quality objectives are created, they can be integrated into your business processes so that the processes you use to run your business link to your overall business objectives. For instance, if you have a quality objective for improving on-time delivery, you can then have objectives and measurables for the important business processes to meet to ensure this on-time delivery is improved.
    For more information, see this article on writing quality objectives: https://advisera.com/9100academy/knowledgebase/how-to-define-quality-objectives-in-as9100/
  • Risk Assessment, Risk Treatment, and Data Protection Impact Assessment templates


    Our priority at the moment is complying with GDPR (for obvious reasons) and ensuring data protection, in particular in our cloud-based solution. We will of course ensure data protection in other business areas also, but our main focus at the moment is within our solution. In relation to this, I have been looking into the ISO 27018 standard for controls, and I see that the controls in this standard are very similar to the requirements from our customers and also GDPR.

    As a risk manager I am trying to figure out an effective way to perform risk assessments in accordance with information security (ISO 27001) and personal data protection (ISO 27018). Do you have any advice on how I should structure this? At which end should I start? I have started several times, but I feel as though the structure in my Excel sheet is not good when I try to combine this. Should I have a separate file for personal data protection (privacy risks) and information security risks, or could these be combined in a way?

    Could you provide a simple example of how you would structure the different risk assessments? Particularly risk assessing a cloud solution for personal data protection. Is this something I can find advice on in the ISO 27018 standard? Or in ISO 27017? We have not purchased any of these standards yet, but we are considering it.

    Hope you can assist me on my doubts around this.

    Answer: You should go for separate files for information security risks and privacy risks. In fact, in the EU GDPR & ISO 27001 Integrated Documentation Toolkit you bought, you have the following templates that can help you:
    - Risk Assessment and Risk Treatment Methodology, located at folder 7 - Risk Assessment and Risk Treatment
    - Data Protection Impact Assessment Methodology, located at folder 8 - Data Protection Impact Assessment

    Also included in the toolkit, you have access to a video tutorial that will guide you on how to fill in the risk assessment and risk treatment methodology.

    Regarding ISO 27017 and ISO 27018, they do not provide guidance on the risk assessment process, only on the implementation of security controls related to cloud environments and privacy, respectively.

    These articles will provide you further explanation about Risk Assessment and Risk Treatment and Data Protection Impact Assessment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - 5 phases of the EU GDPR Data Protection Impact Assessment https://advisera.com/eugdpracademy/knowledgebase/5-phases-of-the-eu-gdpr-data-protection-impact-assessment/

    These materials will also help you regarding Risk Assessment and Risk Treatment and Data Protection Impact Assessment:
    - EU GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/