Yes, I agree with you, Marcelo. You could be the owner, developing/adapting the documents; the board member can review them, and management can approve them.
Referring to the situation you described, if the parents are the ones filling in the details for their own children, then they are actually acting on the children's behalf, so no additional consent would be required.
Understanding ISO 27001
Is my fear true?
Answer: ISO 27001 is a management standard, so most of its requirements are about roles and responsibilities, and how processes should be planned, implemented, controlled and improved, with only minimal requirements regarding technical issues like networking and penetration testing (basically what someone in a management position should require from his technical staff). So a non-technical education wouldn't be a problem for learning ISO 27001.
Answer:
If an Incident was submitted as a Service Request (or vice versa), it should be re-routed right at the beginning, i.e. before further activities take place. This means that, usually, the Service Desk staff or the technician who took over the ticket should change the Incident into a Service Request (or vice versa) and "send" it to the right process.
From what I understood, having a separate switch/network is not an option right now. Do you have any suggestions on what we can do to minimize or eliminate this risk?
Answer: If you do not have access to the switch and having a separate switch/network is not an option at the moment, your options are very limited.
If you want to treat the risk you could try to:
- Implement cryptography to protect communication between the computers in your network and to protect your files.
- Implement access control on the shared folders in your network.
- Make an agreement with the company that controls the switch, specifying the security controls they need to implement.
Other alternatives in terms of risk management are to accept the risk (and do nothing) and to avoid the risk (e.g., by stopping the use of the switch).
Answer: The Management Representative is not a required role in the ISMS by ISO 27001, but an organization can assign one if it understands it can make its ISMS work better (for some scenarios, a person dedicated to the specific activities of the management system can better ensure and improve its results).
A CISO can assume the role of MR in an ISMS in case of need (if you have only ISO 27001, our recommendation would be to have only a CISO), but in organizations with multiple ISO management systems it may be better to have the CISO and MR as separate roles, because while the MR must be competent in the requirements of the multiple management systems the organization has, the CISO is specialized in information security and may be overwhelmed by activities regarding other management systems.
Answer: When dealing with business continuity planning, you always must consider the worst-case scenario to make a decision, taking into account not only technical and financial issues, but any other issue considered relevant to the organization. So in your scenario, the Maximum Allowable Outage (MAO) should be based on the time it would take for the financial impact to become so great that it would compromise business survival.
1. ISO 9001:2015 requires that an organization determines the internal and external issues that can affect its intended results. The other word for the external issue is: context. ISO 9001:2015 does not prescribe any method to determine context. You can use, for example: Opportunities and threats taken from the SWOT analysis and/or you can brainstorm external issues using the PESTEL framework.
2. If you check the ISO definition for risk, “effect of uncertainty on an expected result”, you can start by determining what the expected results are from your management system, from your products and services and from your processes. Then, for each determined expected result, you can start listing positive (opportunities) and negative (risks) deviations that can occur because of the uncertainty that exists in the world.
3. Here, I can just give you my guess. In my experience, organizations have had some difficulties in developing preventive actions. I believe that the risk-based approach makes it easier:
to look forward and think about what can happen and whether we should do anything about it;
to apply preventive actions at a more strategic level of an organization.
The following material will provide you with information about the risk-based approach and the context of an organization:
Thank you for your answer, Antonio. Indeed, the doubt was clarified: it is better to define a single high-level policy and several specific or detailed policies. Regarding the document, it seems very complete to me, but it does not address the part about Sanctions in case of non-compliance with the Policy. How do we ensure it is complied with if we do not establish fines and sanctions so that employees become aware of good practices?