Search results


  • Risk assessment and BIA


    Answer: In fact, BIA and risk assessment are two different processes with different purposes that can't be merged, although they exchange information between them. The main question among practitioners is in which sequence they should be performed. I particularly follow the thought that risk assessment should be performed before the BIA and the BIA questionnaire, because this way both the BIA and the questionnaire can make use of the results of the risk assessment to help improve the reliability of their results (by identifying the risks you're most exposed to, you can focus on the consequences of those incidents and the main assets that are at risk).

    These articles will provide you further explanation about risk assessment and BIA:
    - Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/
    - How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

    These materials will also help you regarding risk assessment and BIA:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Product safety - clause 4.4.1.1

    Does it have to be in the contract, or in the customer salable drawing, or somewhere else? Or is it just "common sense"?
    In my company we design and manufacture several automotive components, for example, harnesses and stereos. I would assume that the stereo is not "product safety", but the harness is?
    I looked for the definition of the term and couldn't find anything.
    Regards.

    Answer:

    There are no universal rules for the safety of all products. Safety requirements for some products are defined by legislation or CE marking, or by customer requirements. It is not common to define requirements for product safety in contracts, simply because such requirements are implied. Or, it can be part of customer requirements, as a requirement for the raw materials to be used or for product features to be demonstrated.

    In your case, product safety can be demonstrated by providing attestation of the safety of raw materials or by testing the durability of the product (harness) under strain or other product features. Basically, you need to demonstrate that your product is safe for use and fit for its purpose and, maybe, you can consult your customer on how to demonstrate this.
  • Implementing OHSAS 18001 and ISO 14001

    Looking forward to your response.

    Answer:

    Six months is a reasonable period for the implementation, but you can also save time by identifying the common requirements of both standards and implementing them at the same time. For more information about common requirements see: ISO 14001 vs. OHSAS 18001: What is different and what is the same? https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/iso-14001-vs-ohsas-18001-what-is-different-and-what-is-the-same/

    I would start with a gap analysis to determine what needs to be done to achieve full compliance with the standards, and then develop a project plan for the implementation. When developing a project plan, you should assign roles and responsibilities within the project to as many people as possible to decrease the time and also to ensure that the most relevant people are involved in implementing the requirements of the standard.
  • Implementing a Business Impact Analysis according ISO 22301

    (Surely a webinar full of professionalism and wisdom.) I am writing because, unfortunately, I was not able to listen to today's webinar (30/03/2017) on my computer, and I would like to know when the next webinar on the same topic will be.

    Answer: The next webinar about implementing BIA according to ISO 22301 will be on November 23, but at this link you can access the recorded webinar: https://advisera.com/27001academy/es/webinar/implementing-business-impact-analysis-according-to-iso-22301-free-webinar-on-demand/

    I have several questions related to today's topic:

    1. Mention international standards that can be used to implement a business continuity management system?

    Answer: Besides ISO 22301, ISO 22313 and NFPA 1600, I suggest you take a look at this article: Information security & business continuity standards https://advisera.com/27001academy/knowledgebase/information-security-business-continuity-standards/

    These articles will provide you further explanation about other standards:
    - NFPA 1600 vs. ISO 22301 – Similarities and differences https://advisera.com/27001academy/blog/2013/11/05/nfpa-1600-vs-iso-22301-similarities-and-differences/
    - ISO 22301 vs. ISO 22313 https://advisera.com/27001academy/blog/2013/05/21/iso-22301-vs-iso-22313/

    2. Five elements that must be considered for the implementation of a business continuity management system.

    Answer: For a successful Business Continuity Management System implementation you should consider Business continuity policy, BIA, BC Strategy, BC Plans, and Exercising & testing.

    3. Three events that may affect the business continuity of a banking institution?

    Answer: Considering the interconnected banking industry today, unplanned IT and telecom outages, cyberattacks and data breaches could be on many top 10 lists of disruptive events.

    4. What activities and aspects do you consider necessary for the preparation of a BIA?

    Answer: The establishment of a BIA methodology, the engagement of top management, the participation of the key users of the processes, and the use of a facilitator with experience in performing business impact analysis. This is all covered in the webinar.

    5. For example, if a fire affected the head office of a bank in the early hours of a Sunday morning. The situation is so critical that no employee can enter the building. Considering that the bank has a plan for this type of incident, in your experience, what resources, strategies and activities could be detailed in that plan?

    Answer: Considering this scenario, a strategy that should be considered is the definition of an alternative site from where people can start their work on Monday. Generally, banking institutions have extremely short recovery times, so this alternative should be a warm or hot site. In terms of resources and activities, without further details it is not possible to define them, but generally speaking, you should consider transportation for employees, recovery of IT systems and databases, and communication with the media.

    This article will provide you further explanation about Business Impact Analysis according to ISO 22301:
    - How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

    This material will also help you regarding Business Impact Analysis according to ISO 22301:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • Auditor's opinion

    How do you think that would be viewed by the auditor?

    Answer: Hypothetically speaking, all will depend on the justification for accepting the risk - if such justification does not exist, or it is not plausible, this situation is a nonconformity.

    These articles will provide you further explanation about how an auditor thinks:
    - Infographic: The brain of an ISO auditor – What to expect at a certification audit https://advisera.com/articles/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/
    - Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
  • Convergence of ISO 27001 and ISO 22301


    Answer: First of all, you need to understand that you cannot achieve convergence with a single document. Both management systems are composed of many different subprocesses, which would make it impractical and very confusing to centralize them in a single document.

    That said, ISO 27001 and ISO 22301 have many similar requirements, which makes it easier to integrate them. Considering the possibility of integration, I suggest you take a look at the free demo of our ISO 27001 & ISO 22301 Premium Documentation Toolkit, which can help you implement both standards. You can access the free demo at this link: https://advisera.com/27001academy/iso-27001-22301-premium-documentation-toolkit/

    These articles will provide you further explanation about integrating management systems:
    - How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/
    - ISO 27001 & ISO 22301: Why is it better to implement them together? [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/

    These materials will also help you regarding ISO 27001 and ISO 22301 integration:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • HIPAA and ISO 27001


    Answer: Basically, HIPAA is not as strong on information security management requirements as ISO 27001, and ISO 27001 is not as strong on the privacy controls required by HIPAA. So, you can speed up your ISO 27001 compliance in the implementation phase where you perform the risk assessment and implement risk treatments, since, besides privacy and incident management controls, other controls implemented to fulfil HIPAA's requirements can be mapped to ISO 27001 Annex A and help build the ISO 27001 Statement of Applicability. Besides that, you can make use of ISO 27799 (the ISO standard related to personal health information) to cover privacy controls. Unfortunately, at this moment we do not have a mapping between ISO 27001 and HIPAA.

    This article will provide you further explanation about ISO 27799:
    - How ISO 27001 and ISO 27799 complement each other in health organizations https://advisera.com/27001academy/blog/2016/06/13/how-iso-27001-and-iso-27799-complement-each-other-in-health-organizations/
  • BIA and risk assessment

    1 - Does the BIA include a risk assessment?

    Answer: The risk assessment process is independent of the BIA process, but the BIA can make use of the results of the risk assessment to help improve the reliability of its results (by identifying the risks you're most exposed to, you can focus on the consequences of those incidents). You should note that the ISO 22301 documentation toolkit does not include the risk assessment documents, but they can be purchased separately.

    2 - Should the BIA questionnaire be different for every business unit in the company?

    Answer: The general framework of the questionnaire is the same (what the critical processes are, how long you can sustain a disruption of the process, in how much time you have to resume minimal and normal operations, etc.), but some questions may be adjusted according to each business unit (for example, a production unit may have specific questions about equipment, while research and development should add more questions related to information protection). You should also note that the answers will be different from one department to another.

    These articles will provide you further explanation about BIA and risk assessment:
    - Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/
    - How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

    These materials will also help you regarding BIA and risk assessment:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

