Search results

  • BCP Test

    Please guide me what to do in this situation. Please note that the scope of this project was the entire organization.

    Answer: Fortunately, you have many approaches you can consider for performing BCP tests, which vary in effort, resource allocation, and the required confidence in test results:

    Desk check – checking the plans by means of auditing, validation, and verification techniques
    Plan walk-through – checking the plans by means of team interaction
    Functional testing – testing all interrelated plans for selected activities (including supplier procedures) with real resources in a controlled (announced) exercise.
    Full testing – all activities are relocated from the original site to the alternative site (announced or unannounced)

    Since you are doing this for the first time, I suggest you start with a desk check and prepare a plan defining when the other tests can be performed. This way you can ensure a gradual increase in test effort, while all the people involved gain confidence in the plan and in their skills to perform it, and at the same time you can provide the required corrective and preventive actions.

    This article will provide you further explanation about BCP tests:
    - How to perform business continuity exercising and testing according to ISO 22301: https://advisera.com/27001academy/blog/2015/02/02/how-to-perform-business-continuity-exercising-and-testing-according-to-iso-22301/
  • Communication procedure for ISO 22301


    Answer: Communication is an activity performed by many processes in business continuity according to ISO 22301, with different purposes, so you should consider not having a centralized communication procedure, so as not to overload the people responsible for communication with activities that may not be part of their attributions.

    Instead of that, I suggest you consider specific communication procedures for the following: Incident Response Plan, Incident Log, and Key Contacts. For each one of these you can find a template in the following links:

    - Appendix – Incident Response Plan https://advisera.com/27001academy/documentation/incident-response-plan/
    - Appendix – Incident Log https://advisera.com/27001academy/documentation/incident-log/
    - Appendix – Key Contacts https://advisera.com/27001academy/documentation/key-contacts/

    This article will provide you further explanation about communication in ISO 22301:
    - Enabling communication during disruptive incidents according to ISO 22301 https://advisera.com/27001academy/blog/2016/12/19/enabling-communication-during-disruptive-incidents-according-to-iso-22301/

    This material will also help you regarding communication in ISO 22301:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • Equipment Maintenance in ISO 27001


    Answer: According to ISO 27001 control A.11.2.4, equipment should be properly maintained to ensure its continued availability and integrity. ISO 27002, the standard that provides guidelines for the implementation of ISO 27001 Annex A controls, presents some recommendations such as:
    - Observation of suppliers' recommendations regarding maintenance intervals and usage specifications
    - Maintenance activities performed only by authorized and competent personnel
    - Assurance that equipment that went through maintenance is fit for resuming operation.

    This article will provide you further explanation about Equipment Maintenance:
    - How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 2 https://advisera.com/27001academy/blog/2016/04/26/how-to-implement-equipment-physical-protection-according-to-iso-27001-a-11-2-part-2/

    These materials will also help you regarding Equipment Maintenance:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Implementation steps


    Answer: For ISO 27001 implementation, after the risk treatment plan you should consider:

    - Definition of how to measure the effectiveness of controls
    - Implement the controls & mandatory procedures (not only documentation, but also technical and physical controls)
    - Implement training and awareness programs
    - Operate and monitor the system
    - Perform internal audit and management review
    - Implement corrective and preventive actions as needed

    This article will provide you further explanation about implementation steps:
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    These materials will also help you regarding implementation steps:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Training Effectiveness

    Hi Juanito,

    The training evaluation is when the organization evaluates the quality of the training and whether the training covered all that the company expected from it. Criteria for evaluation of the training can be the knowledge of the trainer, his ability to transfer the knowledge, etc.

    The training effectiveness is when the organization evaluates whether the trainees got sufficient knowledge during the training. For example, if the training was on how to operate some machine, whether the trainees have learned to operate the machine. This can be done through tests and questionnaires that trainees take after the training.

    For more information, see: How to measure training effectiveness according to ISO 9001 https://advisera.com/9001academy/blog/2016/03/29/how-to-measure-training-effectiveness-according-to-iso-9001/
  • Critical incident responsibility

    As an incident manager, what should we do?

    Answer:
    It's always hard when many different parties are included in such an incident resolution.
    First of all, don't include (in any incident/problem resolution) people that are not necessary. Otherwise, it's very likely to end up in such a situation.
    Secondly, incident categorization can help point to the right support group (to learn more, read the article "All about Incident Classification" https://advisera.com/20000academy/knowledgebase/incident-classification/).
    A RACI matrix is also good to have (A stands for accountable; apply it to the service, technology, activity, topic...) (read the article "ITIL / ISO 20000 RACI matrix – How to use it to clarify responsibilities" https://advisera.com/20000academy/blog/2016/01/12/itil-iso-20000-raci-matrix-how-to-use-it-to-clarify-responsibilities/).
    And, last but not least, this is also a kind of test for managerial capabilities (getting along between several teams).
  • Will AS9102 change with AS9100 Rev D?


    Answer:

    Although we do not have details into what will happen with AS9102, the changes to AS9100 in Rev D do not affect the requirements for First Article Inspection and the process for FAI in AS9102 would still be applicable to the updated AS9100 standard.

    Additionally, AS9102 is only a recommended way to perform FAI, and the standard is not even referenced in clause 8.5.1.3. Unless it is a requirement by customers that this standard is followed, it is the company's decision how they will perform FAI.
  • Clause 8.5.4


    My answer:

    This is a requirement to ensure that the provision of services is protected, that is, that what is supposed to be done is actually done. In addition, the standard mentions that preservation can include identification, handling, contamination control, packaging, storage, transmission/transport, and protection.

    If the provision of data or information by electronic means is part of the output of one of the organization's processes (for example, the transmission of a product), a risk-based approach should be taken to protect against both data loss and information issues during transmission. This could include, for example, considerations about portal information and data/information on a web page, as well as attachments included in an email communication.

    For production or processing organizations, a risk-based approach and proportionate mediation in the form of appropriate processes, procedures and controls are also recommended when considering potential preservation issues at all processing stages, for example from receipt, through processing and storage, to delivery.

    For more information, see: https://advisera.com/9001academy/blog/2015/11/03/iso-90012015-clause-8-5-product-realization-practical-examples-for-compliance/
  • Clause 4


    My answer:

    To comply with this clause, it is necessary to focus only on those issues that may affect customer satisfaction and the delivery of a quality product and/or service.
    The best way to obtain information on internal and external issues is to organize a brainstorming session with the relevant staff of the company, including the owners of each of the processes and top management. In addition, the company can carry out an analysis of external issues using PEST (political, economic, social and technological) and an analysis of internal issues using SWOT (strengths, weaknesses, opportunities and threats).

    For more information, see the article "How to identify the context of the organization in ISO 9001:2015": https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-identificar-el-contexto-de-la-organizacion-en-iso-90012015/