So I guess my question is, if in the risk assessment the risk level is a 1 or a 2, can I still put in a control? And would it be a risk acceptance or a selection of control under selection of options? Another example would be if the level of risk is a 1 or a 2 and it is an accepted risk but I want to make the treatment method stronger... would I still put risk acceptance and then select a control, or just selection of control?
Answer: If during the risk assessment you identify that risks are acceptable because there are already implemented controls, you should mention the related controls in the Risk Assessment Table, column J (Existing Controls), and there is no need to transfer those risks to the Risk Treatment Table, unless you decide to include additional controls to treat these risks, or make improvements on the controls already implemented.
If you decide to include an already acceptable risk in the risk treatment table (because you want to improve a control or add a new one), there is not much sense in choosing the option "risk acceptance", because this option means you intend to make changes now.
Included in the toolkit you bought you have access to a video tutorial that can help you perform the risk assessment and treatment.
Answer: Root cause is the main reason why a non-conformity has happened - for example, if you have an employee who didn't perform backup according to Backup policy, a root cause could be that there was no training that explained to employees how this needs to be done.
Such root causes should be documented in the Corrective action form.
Answer: Mortgage information is sensitive, and its compromise may have great impacts on the interested parties, so you should also consider the ISO 27001 standard, so you can properly evaluate how potential providers handle and protect this kind of information.
Answer: Regarding suppliers, ISO 27001 has a control that requires the definition of requirements for mitigating the risks associated with a supplier’s access to the organization’s assets, which does not require you to describe detailed practices. This control is covered by the template "Supplier Security Policy", which can be found in folder 08 Annex A A.15 Supplier relationships.
If you need detailed rules about how a supplier should behave, you can use the "Security Clauses for Suppliers and Partners" template, located in folder 08 Annex A A.15 Supplier relationships, to define the rules you want your vendors to follow.
Yes, I agree with you, Marcelo. You could be the owner, developing/adapting the documents; the board member can review them, and management can approve them.
Referring to the situation you described, if the parents are the ones filling in the details for their own children then they are actually acting on the children's behalf so no additional consent would be required.
Understanding ISO 27001
Is my fear true?
Answer: ISO 27001 is a management standard, so most of its requirements are about roles and responsibilities, and how processes should be planned, implemented, controlled and improved, with only minimal requirements regarding technical issues like networking and penetration testing (basically what someone in a management position should require from his technical staff). So a non-technical education wouldn't be a problem for learning ISO 27001.
Answer:
If an Incident was submitted as a Service Request (or vice versa), it should be re-routed right at the beginning, i.e. before further activities take place. This means that, usually, the Service Desk staff or the technician who took over the ticket should change the Incident into a Service Request (or vice versa) and "send" it to the right process.