Search results

  • Availability / Capacity / Incident / Problem Management - relation

    I received fol


    Answer:
    Let's clarify Availability Management (AM). You will perform activities within the scope of AM during the design of the service as well as within the scope of operational activities once the service is in the live environment (like you mentioned - Incident/Problem Management). This article will help you understand AM:
    Availability Management – calculating for improvement https://advisera.com/20000academy/blog/2013/08/21/availability-management-calculating-improvement/
    The Availability Plan is one of the products of AM, and you can find more info here:
    ITIL Availability Plan – A document you need, but probably don’t have https://advisera.com/20000academy/blog/2015/05/19/itil-availability-plan-a-document-you-need-but-probably-dont-have/

    Capacity Management is related to the performance of the service (and its constituent components, i.e. service assets). These articles will help you with CM:
    ITIL and ISO 20000 – How to setup the Capacity Management process https://advisera.com/20000academy/blog/2016/02/16/itil-and-iso-20000-how-to-setup-the-capacity-management-process/
    Three faces of Capacity Management https://advisera.com/20000academy/knowledgebase/three-faces-capacity-management/
    ITIL Reactive and Proactive Capacity Management https://advisera.com/20000academy/blog/2015/04/07/itil-reactive-and-proactive-capacity-management/

    Further on, once the service is in the live environment, there could be issues which are related to capacity or availability. Therefore, AM and CM are involved (usually as 2nd or 3rd level support) in resolving incidents, i.e. problems.
  • Documentary bases of the QMS

    procedure from scratch

    Answer:

    Initially, the organization must study its current situation to check what it is really doing and what documentation is required. Then, to start designing the QMS documentation, the first thing you need to do is focus on efficiency and create processes and documents that are applicable to your organization. The QMS documentation is made up of several documents, often: quality policy, quality manual, procedures, work instructions, quality plans and records.

    For more information, see "how to structure the quality management system documentation": https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-estructurar-la-documentacion-del-sistema-de-gestion-de-calidad/
  • Clause 6

    Thank you

    Answer:

    FMEA alone is often not sufficient, in the sense that it only covers risks and not opportunities, and it focuses on the risks within the processes and not on other elements of the context. The standard requires the organization to address risks and opportunities emerging from the entire context of the organization and not only from the processes.

    On the other hand, the standard does not require any methodology to be used or document to be created, so the auditor cannot raise a nonconformity; he can only raise an observation, and that is not obligatory for the company. The organization alone can decide what level of risk assessment is appropriate for its QMS.

    For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
  • Example of risks in EMS


    Answer:

    Risks and opportunities in ISO 14001:2015 can be related to environmental aspects, compliance obligations and other issues related to context of the organization. For example, if the environmental aspect is waste oil, the risk related to the aspect can be leakage of the oil or failure to meet legal requirements for waste oil disposal.

    For more information about risks and opportunities, see: Risks and opportunities in ISO 14001:2015 – What they are and why they are important https://advisera.com/14001academy/blog/2016/03/07/risks-and-opportunities-in-iso-140012015-what-they-are-and-why-they-are-important/
  • Project budget


    I can’t find a template for that. Or am I supposed to write it without any template?

    Answer: Each organization's context for budgeting its activities or projects, or planning human resources, is unique, so it is impractical to develop templates to cover every possible situation. But I suggest you use our Project plan template for both of these things - it already includes a section (3.4) where you have to list all the members of the project team, but you could add other necessary people as well. Additionally, you can also add a section about the financial resources needed for the project. The link for the Project plan template is https://info.advisera.com/27001academy/free-download/project-plan-for-iso-27001-iso-22301-implementation

    Furthermore, in this white paper you will find common aspects that you can use to prepare a project budget:
    - How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project

    Although the white paper covers ISO 27001, the same concepts are applicable to ISO 22301.

    These materials will also help you regarding project budget:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • Facilities protection


    Answer: Considering ISO 27001, the security measures focus first on protection of information deemed important for the business (in your case the private data of the hotel's guests is a good example), and after that on the protection of assets that support the information (e.g., the hotel facilities).

    That said, the first measure you must consider is the implementation of a risk management process, so you can create a trustworthy information basis for determining which controls to apply.

    For protection of information, common preventive measures are the establishment of an access control policy, criteria for information classification, and training of staff about how to handle sensitive information.

    For protection of facilities, the main controls recommended are perimeter definition (e.g., lobby, parking lot, guests' rooms, etc.), implementation of access controls (card keys for rooms), use of identification (e.g., badges and uniforms), and segregation of working and public areas (e.g., lobby and management office).

    These articles will provide you further explanation about Facilities protection:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    - How to protect against external and environmental threats according to ISO 27001 A.11.1.4 https://advisera.com/27001academy/blog/2016/01/25/how-to-protect-against-external-and-environmental-threats-according-to-iso-27001-a-11-1-4/

    These materials will also help you regarding Facilities protection:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Toolkit documentation


    I have noticed that there appears to be a number of clauses where there are example templates missing – I assumed when I purchased the ‘premium’ collection this would cover ALL clauses of the standards.

    Answer: ISO 27001 does not require each control in Annex A to be implemented, only those deemed necessary as result of risk assessments, legal requirements or organizational decision. To see the required documents by the standard, and the most common documents implemented to support an ISMS, please see this article: List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    For ISO 22301 the situation is the same, the difference being that this standard also considers the business impact analysis information; you can see the required documents, and the most common documents implemented to support a BCMS, in this article: Mandatory documents required by ISO 22301 https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301/

    Our toolkits focus on small and mid-size companies, and that's the reason we do not write documents to cover each control – for those companies this large number of documents would be overkill for many of them. Instead, a single template may cover multiple controls.

    In the root folder of the toolkit you'll find a document called “List of Documents” which will explain which control is covered by which document.

    These articles will provide you further explanation about how our templates can handle some controls from section A.6 of ISO 27001 Annex A:
    - Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/
    - How to manage security in project management according to ISO 27001 A.6.1.5 https://advisera.com/27001academy/what-is-iso-27001/
  • Security requirements checking and testing

    Question: You mean to say that after applying all the security controls, the system in question should go through all the software tests? Is that what you mean?

    Answer: What I mean is that the implemented security requirements (e.g., two-factor authentication to support an access control requirement, a secure communication protocol to support a protected communication requirement, etc.) should go through the same testing process you apply in your software development. You should consider them the same way you consider the tests for your software's functional and non-functional requirements.

    The tests' coverage and detail levels should be proportional to the degree of confidence you want that the security functions are properly implemented.

    For more orientation on security assurance in software development, I suggest you see the ISO standard 15408-1 at this link: https://www.iso.org/standard/50341.html
  • Preparing API Spec Q1 internal audit


    Answer:

    Regardless of the requirements to be audited, the internal audit process looks more or less the same. First, you need to define your internal audit plan, meaning that you need to define what processes will be audited against what requirements, who you will be speaking to, and the detailed timing of visiting departments and interviews. In this way you can notify the people in advance so they can dedicate their time to your audit.

    A very useful tool for conducting the audit is an internal audit checklist where you will write the items, or requirements, you are planning to check during the audit. Entries in the checklist can be in the form of statements or "yes or no" questions and can help you avoid missing something out. For more information on how to prepare the checklist, see: How to create a check list for an ISO 9001 internal audit for your QMS https://advisera.com/9001academy/blog/2016/07/12/how-to-create-a-check-list-for-an-iso-9001-internal-audit-for-your-qms/

    Once you have an internal audit plan and the checklist, you are ready for conducting the audit.
  • Implementing ISO 14001 without any cost


    Answer:

    The best way to implement the standard is to start with a GAP analysis to determine to what level your organization is already compliant with the standard and what needs to be done to achieve full compliance. Once you determine the gaps, you can develop a project plan for the implementation where you will define activities, responsibilities and deadlines. Then you can start developing documentation and performing all activities required by the standard.

    When all documents are created and all activities performed, you should conduct an internal audit and management review to ensure your system is compliant with the standard. Finally, you need to hire a certification body to conduct the audit and issue your company the certificate. For more information, see: List of ISO 14001 implementation steps https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-iso-14001-implementation-steps/

    As far as budgeting of the project is concerned, if you decide to implement the standard completely by yourself, you can implement the standard for free, but even in this case you will have to calculate the price of your working hours. This is definitely the cheapest option for the implementation, but it will take you a lot of time and at the end you won't be 100% sure you've implemented all requirements of the standard. For more information about costs involved in ISO 14001 implementation and certification, download this free whitepaper: How to budget an ISO 14001 implementation project https://info.advisera.com/14001academy/free-download/how-to-budget-an-iso-14001-implementation-project