Answer: The implementation of BCM requires some level of cultural and knowledge change, so according to ISO 22301, once you have defined your BCM scope you have to identify which competences are required to implement all stages of BCM, identify the gaps you have among your personnel and plan measures to eliminate them, by means of training, education and/or hiring experienced people in fields where you lack proper competencies.
For a view of a complete way to learn about a BCMS, I suggest you take a look at the free demo of our ISO 22301 Documentation Toolkit at this link: https://advisera.com/27001academy/iso22301-documentation-toolkit/
This toolkit has 33 document templates, including all documents required for ISO 22301 certification plus commonly used non-mandatory documents, so you can learn what is needed to implement a BCM.
BIA and business strategy
Answer: The purpose of the BIA is to give you an idea about the maximum time an organization can be out of operation and the maximum data that can be lost while it can still resume operations. Considering that, you should consider the information provided by a BIA as inputs for your company's digital transformation strategy, so you can devise the strategy considering these limitations and include proper actions to maximize the chances of success.
Answer: I'm assuming that by "weak signal detection" you are referring to an ongoing process of scanning an environment for changes, although they are still too incomplete to allow an accurate estimate of their impact and/or to determine a fully adapted response.
Considering that, this approach can relate to the risk identification, risk analysis and risk monitoring steps of the ISO 31000 risk management process. These steps require the identification of risk sources, impacts and events, the understanding of how they can affect the organization, and the periodic review of those risks.
In case the information gathered by the weak signal detection is not sufficient to estimate impact and/or to determine a proper response, you can decide to only monitor the related risks while waiting for additional information to arise.
Answer: The templates are designed this way so they can cover situations where an organization, for whatever reason, decides not to adopt such "flicking a switch" solutions, and thus has to develop detailed procedures, but the templates are fully editable, and you can alter or delete sections you deem unnecessary.
Considering the scenario you described, you may simplify or delete:
- sections 2, 3 and 4 from the Activity Recovery Strategy Template;
- sections 3, 5 and 6 from the Activity Recovery Plan Template.
For these sections you may replace the content with a single paragraph providing a general overview of the necessary steps.
Additionally, from your description you are considering ICT core infrastructure only, but you also have to consider situations where ICT recovery is needed when the work site is made unavailable (and you need to relocate personnel to other sites), or the ICT in that site is affected and the site is unable to communicate with the central ICT infrastructure (even warm sites require some activities to be performed to become fully operational).
And if the risk value is calculated before considering existing controls, which risks should be moved to the risk treatment table? Is it only risks that are above the threshold value and do not have an existing control? Or any risk above the threshold value?
Answer: When defining the likelihood and impact values to calculate the risk you must consider any controls that are already implemented (and mention them in the column Existing controls at the end of the Risk Assessment Table).
Regarding which risks you should move to the Risk Treatment Table, you should move risks that are above the threshold value and any other risk you decide to treat (e.g., because you want to implement an improvement or you have to treat them because of a legal requirement).
By the way, included in the toolkit you bought you have access to a video tutorial that can help you fill in the risk assessment and risk treatment tables.
BCM documentation
We ourselves are in the process of developing a framework document. I just want to know how we can structure that document. What can its contents be? I have just bought Dejan's book “Becoming Resilient”, so more questions after going through that book.
Answer: For structuring BCM documentation I suggest you analyse the mandatory documentation required by ISO 22301, the leading ISO standard for business continuity. These mandatory documents cover the basics you need to ensure a solid and relevant implementation, considering your business needs. You can see the list of mandatory documents, and some commonly adopted documents, at this link:
I received this question:
Good afternoon, I would like to mention that in my company, which operates in the mining sector, we are updating our integrated management system (IMS: quality, environment, occupational health and safety) under the new ISO 9001:2015 and ISO 14001:2015 standards, so my question is: Is it mandatory for us to maintain an IMS Manual? As I understand it, the new ISO 9001:2015 standard no longer requires it, but what about the other standards?
My answer:
The quality manual is no longer mandatory in the new version of ISO 9001:2015. However, all the requirements of the quality manual, except 4.2.2 b), remain in the new version of the standard. The scope of the QMS and the interactions between processes still have to be defined. These requirements are detailed further in the new version, and still have to be presented in the form of documented information. The same applies to the other standards as well. The new versions have some requirements that need to be fulfilled in the form of documented information, which can be included in the new manual, such as, for example, the context of the organization.
For more information, see "The future of the quality manual in ISO 9001:2015": https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/el-futuro-del-manual-de-calidad-en-la-iso-90012015/
These materials may also help with the implementation of ISO 9001:
- Book "Preparing for the ISO implementation project: a plain-language guide": https://advisera.com/books/preparacion-para-el-proyecto-de-implementacion-iso-una-guia-en-un-lenguaje-sencillo/
- Free online course: ISO 9001 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
- Conformio (ISO 9001 online tool): https://advisera.com/conformio/
ISMS Controls
Regardless of the control measures applied (open source, proprietary, etc.), the SoA should always be considered a sensitive document, because it contains information about the organization's security strategies and measures, and this information in the wrong hands can help find or exploit vulnerabilities.
EU GDPR requirements for data controller and data processor
Answer:
Under the provisions of the EU GDPR there are no requirements for companies acting either as a data controller or a data processor to obtain and maintain any specific certifications.
Art. 42 of the EU GDPR states that Member States, Supervisory Authorities and the European Data Protection Board are encouraged to establish data protection certification mechanisms to be used by both controllers and processors.
These certifications will be voluntary and will not reduce the responsibility of the controllers and processors to comply with the EU GDPR provisions. However, these mechanisms are yet to be established and most likely will become available after the 25th of May 2018. The same stands for individual certifications as well.
There are various courses and trainings on the market, some accompanied by exams and certification, but these are not in any way mandatory, so you are free to choose based on your needs and budget.
Security control context
(I'm learning about your system, I'm looking for information to make the context of a control, is there any document on that?)