Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11275 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Material for information protection
1. Assess and provide guidance on how to handle classification of data or information
2. Review and provide guidance in terms of the approach that should be followed to determine the various levels of classification.
3. Review the impact analysis process for when data is lost or when confidentiality of the information is compromised and provide recommendations to improve the process.
Answer: For information classification and handling I suggest you this material:
- Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
For reviewing the impact of information compromising I suggest you these articles:
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
- How to handle inci dents according to ISO 27001 A.16 https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/
- Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/
These materials will also help you regarding information classification and handling and controls improvement process:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Difference between sites and Certificates in ISO SURVEY
Answer: ISO 27001 certificates may be defined in terms of processes/services, organizational units or locations (the ISMS scope), and a single certification may cover multiple locations, also called sites. For example, you can have an organization's HQ and its filial covered by a single ISO 27001 certificate, resulting in one certification and two sites.
This article will provide you further explanation about differences regarding certification and other related ISO terms:
- Accreditation vs. certification vs. registration in the ISO world https://advisera.com/articles/accreditation-vs-certification-vs-registration-in-the-iso-world/ -
Implementing ISO 22301 with support of ISO 27001
I have to admit that your templates/documentations were so handy and helped me well, however I would like to know if what I have already, is up to date and would help me implement the BCMS, or do you have any updated version?
Answer: The toolkit available in May 2015 at Advisera was already compliant with version 2013 of ISO 27001 and it is perfectly integrable with ISO 22301, which will make it easier for you to implement a BCMS ISO 22301 compliant.
This article will provide you further explanation about implementing ISO 22301:
- How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/
- How to implement integrated manage ment systems https://advisera.com/articles/how-to-implement-integrated-management-systems/
These materials will also help you regarding implementing ISO 22301:
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
- ISO 27001 & ISO 22301: Why is it better to implement them together? [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/ -
Risk assessment and BIA
Answer: In fact BIA and Risk assessment are two different processes with different purposes that can't be merged, although they exchange information between them. They main question between practitioners is in which sequence they should be performed. I particularly follow the thought that risk assessment should be performed before the BIA and the BIA questionnaire, because this way both BIA and questionnaire can make use of the results of risk assessment to help improve the reliability of their results (by identifying the risks you’re most exposed you can focus on consequences of those incidents and the main assets that are under risk).
These articles will provide you further explanation about risk assessment and BIA:
- Risk assessment vs. business impact analys is https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/
- How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
These materials will also help you regarding risk assessment and BIA:
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/ -
Product safety - clause 4.4.1.1
Does it have to be in the contract, or in the customer salable drawing, or somewhere? Or is just "common sense"?
In my company we design and manufacture several automotive components, for example, harnesses and stereos. I would assume that the stereo is not "product safety", but the harness?
I looked for the definition of the term and couldn't not find anything.
regards.
Answer:
There is no universal rules for safety of all products. Safety requirements for some products are defined by legislation or CE mark, or by customer requirements. It is not common to define requirement for product safety in contracts, simply because such requirements are implied. Or, it can be part of customer requirements as requirement for raw materials to be used or features of the product to be demonstrated.
In you case the product safety can be demonstrated by providing attestation of safety of raw materials or by testing durability of t he product (harness) on strain or other product features. Basically, you need to demonstrate that your product is safe for use and fit for its purpose and, maybe, you can consult your customer on how to demonstrate this. -
Implementing OHSAS 18001 and ISO 14001
Looking forward your response.
Answer:
Six months is a reasonable period for the implementation, but you can also save time by identifying common requirements of both standards and implement them at the same time. For more information bout common requirements see: ISO 14001 vs. OHSAS 18001: What is different and what is the same? https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/iso-14001-vs-ohsas-18001-what-is-different-and-what-is-the-same/
I would start with gap analysis to determine what needs to be done to achieve full compliance with the standards and then develop project plan for implementation. When developing a pr oject plan, you should assign roles and responsibilities within the project to as many people as possible to decrease the time and also to ensure that the most relevant people are involved in implementing requirements of the standard. -
Implementing a Business Impact Analysis according ISO 22301
Escribo porque des afortunadamente en mi computadora no me fue posible escuchar el webinar de hoy (30/03/2017) y quisiera saber cuando sera el próximo webinar sobre el mismo tema?
(Surely a webinar full of professionalism and wisdom.
I write because fortunately on my computer I was not able to hear the webinar today (03/30/2017) and I would like to know when the next webinar will be on the same subject?)
Answer: The next webinar about implementing BIA according ISO 22301will be on November 23, but at this link you can access the recorded webinar: https://advisera.com/27001academy/es/webinar/implementing-business-impact-analysis-according-to-iso-22301-free-webinar-on-demand/
Tengo varias preguntas relacionadas con el tema de hoy:
1. Mencionar estándares internacionales que puedan ser utilizados para implementación de un sistema de gestión de continuidad de negocio?
(I have several questions related to today's topic:
1. Mention international standards that c an be used to implement a business continuity management system?)
Answer: Besides ISO 22301, ISO 22313 and NFPA1600, I suggest you to take a look at these article: Information security & business continuity standards https://advisera.com/27001academy/knowledgebase/information-security-business-continuity-standards/
These articles will provide you further explanation about other standards:
- NFPA 1600 vs. ISO 22301 – Similarities and differences https://advisera.com/27001academy/blog/2013/11/05/nfpa-1600-vs-iso-22301-similarities-and-differences/
- ISO 22301 vs. ISO 22313 https://advisera.com/27001academy/blog/2013/05/21/iso-22301-vs-iso-22313/
2. 5 elementos que deban considerarse para la implementación de un sistema de gestión de continuidad de negocio.
(5 elements that must be considered for the implementation of a business continuity management system.)
Answer: For a successful Business Continuity Management System implementation you should consider Business continuity policy, BIA, BC Strategy, BC Plans, and Exercising & testing.
3. 3 eventos que puedan afectar la continuidad de negocio de una institución bancaria?
(3 events that may affect the business continuity of a banking institution?)
Answer: Considering the interconnected banking industry today unplanned IT and telecom outages, cyberattacks and data breaches could be on many top 10 lists of disruptive events.
4. Que actividades y aspectos consideras que son necesarios considerar para la elaboración de un BIA?
(What activities and aspects do you consider necessary to consider for the development of an BIA?)
Answer: The establishment of a BIA methodology, engagement of top management, participation of processes key users, and the use of a facilitator with experience on performing business impact analysis. This is all covered in the webinar.
5. Por ejemplo si un incendio afectó las oficinas centrales de un banco un domingo por la madrugada. La situación es tan critica que ningún empleado puede ingresar al edificio. Considerando que el banco cuenta con un plan para este tipo de incidente, según tu experiencia que recursos, estrategias y actividades pueden estar detalladas en dicho plan?
(For example, if a fire affected the central offices of a bank on a Sunday in the morning. The situation is so critical that no employee can enter the building. Considering that the bank has a plan for this type of incident, according to your experience what resources, strategies and activities can be detailed in this plan?)
Answer: Considering this scenario, a strategy that should be considered is the definition of an alternative site from where people can initiate their work on Monday. Generally bank institutions have extremely short recovery times, so this alternative should be a warm or hot site. In terms of resources and activities, without further details it is not possible to define them, but generally speaking, you should consider transportation for employees, recovering of IT systems and databases, and communication with the media.
This article will provide you further explanation about Business Impact Analysis according ISO 22301:
- How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
This material will also help you regarding Business Impact Analysis according ISO 22301:
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/ -
Auditor's opinion
How do you think that would be viewed by the auditor? Answer: Hypothetically speaking, all will depend on the justification for accepting the risk - if such justification does not exist, or it is not plausible, this situation is a nonconformity. This article will provide you further explanation about how an auditor thinks: - Infographic: The brain of an ISO auditor – What to expect at a certification audit https://advisera.com/articles/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/ - Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/