Search results


  • Documenting actions to address risks and opportunities


    Answer:

    ISO 9001:2015 does not require action plans for addressing risks and opportunities and it is not required for the actions or their planning to be documented.

    All the standard requires is to identify risks and opportunities and plan actions to address them, it doesn't require any document to be created. However, it is usual to make some records about risks and opportunities and actions for addressing them simply because it is easier to monitor accomplishment of the actions and their effectiveness.

    On the grounds of documenting risks and opportunities or actions for addressing them, the certification auditor can only issue you recommendations, but he or she cannot issue you a nonconformity.

    For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
  • Problem analysis techniques


    Answer:
    These techniques are related to problem analysis. There are many techniques, and the usual ones (besides the mentioned pain value analysis, Pareto, and Kepner-Tregoe) are:
    - chronological analysis
    - brainstorming
    - 5-whys
    - fault isolation
    - affinity mapping
    - hypothesis testing
    - technical observation post
    - Ishikawa diagrams

    Also, the article "ITIL and ISO 20000 Problem Management – Organizing for problem resolution" https://advisera.com/20000academy/blog/2014/07/29/itil-iso-20000-problem-management-organizing-problem-resolution/ can help you.
  • Asset management tool


    Answer:
    Implementing a tool always requires a multidimensional approach (see the article "5 things to beware of when selecting an ITSM tool" https://advisera.com/20000academy/blog/2016/03/08/5-things-to-beware-of-when-selecting-an-itsm-tool/ to find out more).
    However, major IT equipment vendors have tools supporting asset management functionality.
    Analyst companies (e.g. Gartner) also publish analyses.
    Asset management is a usual part of most IT Service Management tools, so that provides you with more choice.
  • IT Risk Management Material


    Answer: IT Risk Management goes well beyond information security risks, so besides the material you already mentioned, I'd recommend you to take a look at our 20000Academy, which focuses on ISO 20000 and ITIL content. Some of the material you will find there is:
    - ITIL Risk response measures and recovery options from catastrophic events https://advisera.com/20000academy/blog/2015/09/22/itil-risk-response-measures-and-recovery-options-from-catastrophic-events/
    - Risk Assessment and Treatment (template) https://advisera.com/20000academy/documentation/risk-assessment-and-treatment/
    - IT Service Continuity Management (ITSCM) Process https://advisera.com/20000academy/documentation/it-service-continuity-management-process-iso-20000/

    Regarding ISO standards, I'd recommend ISO 31000 (Risk management) and ISO 31010 (Risk management – Risk assessment techniques). These will provide you with a wider view of risk management that can help you with IT risks not necessarily related to information security.

    These articles will provide you with further explanation about ISO 31000 and ISO 31010:
    - ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
    - ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification/
  • Documenting clause 8.1


    Thank you in advance for your guidance.

    Answer:

    Clause 8.1 has general requirements for process control, and the documented information required is applicable to all processes in the QMS (Quality Management System).

    First, the standard requires the organization to determine and keep documented information to the extent necessary to have confidence that the process is carried out as planned. This means that you need to determine which processes and activities need to have documented procedures, work instructions, or any other document that describes how the process or activity is conducted. The key phrase here is "to the extent necessary"; this means that you don't have to document all processes or all activities, but rather those that are complicated or rarely performed, so there is a greater chance of a nonconformity occurring. Examples of such documents are production procedures, quality plans, etc.

    The second requirement is to demonstrate conformance of products and services to their requirements; this is usually a record of quality control or quality inspection performed at the end of the production process. This can also be an approval for shipment or delivery.

    For more information, see: New approach to document and record control in ISO 9001:2015 https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
  • What is Quality Assurance


    Answer:

    One definition of quality assurance is: all the planned and systematic activities implemented within the quality system that can be demonstrated to provide confidence that a product or service will fulfill requirements for quality.

    Quality assurance (QA) is a way of preventing mistakes or defects in manufactured products and avoiding problems when delivering solutions or services to customers; which ISO 9000 defines as "part of quality management focused on providing confidence that quality requirements will be fulfilled". This defect prevention in quality assurance differs subtly from defect detection and rejection in quality control, and has been referred to as a shift left as it focuses on quality earlier in the process.

    The terms "quality assurance" and "quality control" are often used interchangeably to refer to ways of ensuring the quality of a service or product.

    For more information, see: Does a QMS ensure 100% quality? https://advisera.com/9001academy/blog/2015/01/27/qms-ensure-100-quality/
  • Statement of Applicability Content


    I thought the process for identifying applicable controls are done during the evaluation of risks & risk treatment processes. Could you give me an example?

    Answer: According to ISO 27001, clause 6.1.3 d), the Statement of Applicability is required to fulfil these purposes:
    - list the necessary controls and their justification for inclusion, whether they are implemented or not, and
    - the justification for exclusion of controls from Annex A

    So, presenting the applicable controls is only part of the content you will find in a SoA compliant with ISO 27001. That's why the table presented has the "Not applicable controls" & the "Reason why N/A" options.

    Regarding the identification of applicable controls, this is done during the risk treatment process (the risk evaluation process will help you identify which risks require treatment).

    As an example of a not applicable control, if your organization does not access, process or store information at teleworking sites, there is no reason to apply control A.6.2.2 (Teleworking), thus this control is stated as Not Applicable in your SoA.

    On the other hand, if your risk assessment identifies the loss of digital information as unacceptable, or if there is a contractual clause or top management decision demanding that this risk be treated, these reasons would be sufficient to justify the applicability of, let's say, control A.12.3.1 (Information backup).

    This article will provide you with further explanation about the Statement of Applicability:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    These materials will also help you regarding Statement of Applicability:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • ISO 27799 and ISO 27001


    Answer: ISO 27799 (Health informatics -- Information security management in health using ISO/IEC 27002) defines guidelines to support the interpretation and implementation of ISO/IEC 27002 in health informatics, being also a complement for ISO 27001.

    While ISO 27001 provides requirements for an Information Security Management System, and ISO 27002 provides guidelines for the controls stated in ISO 27001 Annex A, ISO 27799 provides details, where necessary, to enhance security considering a healthcare environment.

    Some examples of areas covered by ISO 27799 are:
    - anonymization and pseudonymization of personal health information;
    - network quality of service; and
    - data quality

    This article will provide you with further explanation about ISO 27799 and ISO 27001:
    - How ISO 27001 and ISO 27799 complement each other in health organizations https://advisera.com/27001academy/blog/2016/06/13/how-iso-27001-and-iso-27799-complement-each-other-in-health-organizations/
  • Can you figure out interfaces and dependencies?

    Sir, can you please shed some light on these two scenarios?

    1. I've created a webpage, which is hosted on servers of organisation A. The webpage is just a GUI; at the backend, we're utilising the services of SAINT. Basically, our organisation provides customers a GUI and pays SAINT for the services going on behind our webpage. Can you please point out any interfaces and dependencies involved here?

    2. We're using a product called Alienvault for the SOC analysis. In our organisation we have terminals for analysis (traffic, vulnerabilities in systems, etc.). At our customers' end we have installed Alienvault software at some nodes. All the logs reside on the servers of Alienvault.

    Can you please help me figure out the interfaces and dependencies in both the scenarios above?