Answer: Unfortunately, Advisera does not have products related to COBIT; however you can use our ISO 27001 Documentation Toolkit to cover many COBIT requirements.
Our team has decided to move forward with a new approach for Risk Management, wherein they will not be doing the analysis of the risks identified; instead, all the risks for a particular process will be identified, the key controls identified, and evaluated based on the impacts - financial, reputational, and effectiveness of the existing controls.
Could you please advise whether there will be any impacts to the organization, as well as to our existing ISO certification, if we deviate from the standard by not performing the risk analysis?
Also, does the standard give us any flexibility to avoid performing the analysis of risks?
Your advice please...
Answer: ISO 27001, in its clause 6.1.2, requires the definition of criteria to assess the consequences and likelihood of risks, as well as of how the risk will be calculated, which is basically the definition of risk analysis. So, by not performing risk analysis you are not complying with a requirement of the standard.
But the standard gives you flexibility to keep the risk analysis, as well as other steps of risk assessment, as simple as possible, so you can avoid unnecessary effort.
Answer:
There are no specified types of Emergency Changes (at least not in ITIL/ISO 20000). Quite the contrary, emergency changes should be kept to a minimum. They differ from organization to organization, so it's hard to say exactly what an emergency change could be.
Usually, emergency changes are the result of emergency incidents or security issues.
Read the article to find out more:
How to manage Emergency Changes as part of ITIL Change Management https://advisera.com/20000academy/blog/2016/01/19/how-to-manage-emergency-changes-as-part-of-itil-change-management/
Further on, once the service is in the live environment, there could be issues related to capacity or availability. Therefore, AM and CM are involved (usually as 2nd or 3rd level support) in resolving incidents, i.e. problems.
Documentary basis of the QMS
procedure from scratch
Answer:
Initially, the organization must study its current situation to check what it is really doing and what documentation is required. Then, to start designing the QMS documentation, the first thing to do is to focus on efficiency and create processes and documents that are applicable to your organization. The QMS documentation is made up of several documents, often: quality policy, quality manual, procedures, work instructions, quality plans and records.
FMEA alone is often not sufficient, in the sense that it only covers risks and not opportunities, and it focuses on the risks within the processes and not on other elements of the context. The standard requires the organization to address risks and opportunities emerging from the entire context of the organization and not only from processes.
On the other hand, the standard does not require any methodology to be used or document to be created, so the auditor cannot raise a nonconformity; he can only raise an observation, and that is not obligatory for the company. The organization alone can decide what level of risk assessment is appropriate for its QMS.
Risks and opportunities in ISO 14001:2015 can be related to environmental aspects, compliance obligations and other issues related to context of the organization. For example, if the environmental aspect is waste oil, the risk related to the aspect can be leakage of the oil or failure to meet legal requirements for waste oil disposal.
I can't find a template for that. Or am I supposed to write it without any template?
Answer: Each organization's context for budgeting its activities or projects, or for planning human resources, is unique, so it is impractical to develop templates to cover every possible situation. But I suggest you use our Project plan template for both of these things - it already includes a section (3.4) where you have to list all the members of the project team, but you could add other necessary people as well. Additionally, you can also add a section about the financial resources needed for the project. The link for the Project plan template is https://info.advisera.com/27001academy/free-download/project-plan-for-iso-27001-iso-22301-implementation
Furthermore, in this white paper you will find common aspects that you can use to prepare a project budget:
- How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project
Although the white paper covers ISO 27001, the same concepts are applicable to ISO 22301.
Answer: Considering ISO 27001, the security measures focus first on the protection of information deemed important for the business (in your case, the private data of the hotel's guests is a good example), and after that on the protection of the assets that support the information (e.g., the hotel facilities).
That said, the first measure you must consider is the implementation of a risk management process, so you can create a trustworthy information basis for determining which controls to apply.
For protection of information, common preventive measures are the establishment of an access control policy, criteria for information classification, and training of staff about how to handle sensitive information.
For protection of facilities, the main controls recommended are perimeter definition (e.g., lobby, parking lot, guests' rooms, etc.), implementation of access controls (card keys for rooms), use of identification (e.g., badges and uniforms), and segregation of working and public areas (e.g., lobby and management office).