  • Risk assessment in ISO 22301

    Yes, because the general approach is the same, and you can even use asset-based risk assessment for ISO 22301 too, since the process relies on assets, but instead of information security risks you will assess business risk, which covers a wider range of risks (e.g., HR, financial, environmental, etc.). For more detailed information on ISO 27001 risk assessment you should consult ISO 27005.
    This article will provide you further explanation about Risk assessment in ISO 22301:
    - Can ISO 27001 risk assessment be used for ISO 22301? https://advisera.com/27001academy/blog/2013/03/11/can-iso-27001-risk-assessment-be-used-for-iso-22301/
    These materials will also help you regarding Risk assessment in ISO 22301:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Incidents and Non conformities

    2 - Email exchange is down for some time and there is no email service: major incident? or security incident? or problem?

    I would like to know when to raise them, even though it is mentioned that an NC is a non-fulfillment of a requirement and a security incident is an unwanted event which happened and led to a compromise of business.

    Answer: The main criterion you can use to identify what you can raise is the type of impact on the business caused by the situation. You should also note that these options do not exclude each other, so for the same situation you can raise a security incident, a non conformance, a major incident and a problem. Let's take a look at your examples:

    In example 1 we have a policy not being followed, so you can raise a non conformity. To know if the situation is also a security incident, we have to know if this caused any impact on the business, e.g., sharing of passwords caused an important file to lose its integrity when users attempted to update it at the same time from different locations. If no impact was perceived, you raise only the non conformity.

    In example 2, you definitely have a security incident, but you have to identify the impact to classify it as a major incident. How many people were affected by the service downtime? Which business processes were affected? For example, downtime happening on a Saturday night may have less impact than downtime happening at 3 pm on a Thursday. Regarding the identification as a problem, you can only use this classification when you do not know the cause of the downtime, because this situation will lead you to an additional effort to also discover the root cause of the situation, so you can try to eliminate it.

    This article will provide you further explanation about Incidents:
    - Incidents in ISO 22301 vs. ISO 27001 vs. ISO 20000 vs. ISO 28003 https://advisera.com/27001academy/blog/2016/09/05/incidents-in-iso22301-vs-iso27001-vs-iso-20000-vs-iso28003/
    - How to handle incidents according to ISO 27001 A.16 https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/

    These materials will also help you regarding Incidents and Non conformities:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • When and where did ISO 27001 start?


    Answer: The origins of this standard were in the British standard BS 7799-2 which was published in 1995; in 2005 the first version of ISO 27001 was published and it replaced the BS 7799-2.
  • Interested party and supplier


    Answer:

    The same organization can be both a supplier and an interested party; suppliers in general are interested in the success of the company and in expanding the existing contracts. A licensor is a special kind of supplier because it provides the company with licences and has requirements towards the company so it can maintain the licences, so it is definitely an interested party with needs and expectations.

    For more information about external providers and interested parties, please see these two articles:
    - How to control outsourced processes using ISO 9001 https://advisera.com/9001academy/blog/2015/05/05/how-to-control-outsourced-processes-using-iso-9001/
    - How to determine interested parties and their requirements according to ISO 9001:2015 https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015/
  • Standards for preparedness against disasters


    Answer: ISO 22301 is a standard that focuses on continuing business operations after any kind of disruptive incident, including natural disasters. So, it can perfectly cover natural disasters as well. For specific details regarding preparedness of personnel and of business continuity and disaster recovery plans, I suggest you take a look at the following standards that are also part of the ISO 22301 series:

    - ISO 22313:2012 Societal security — Business continuity management systems — Guidance https://www.iso.org/obp/ui/#iso:std:iso:22313:ed-1:v1:en. It presents recommendations on how to implement the requirements of ISO 22301, including preparedness.
    - ISO/PAS 22399:2007, Societal security – Guideline for incident preparedness and operational continuity management https://www.iso.org/standard/50295.html
    - ISO 22398:2013 Societal security — Guidelines for exercises https://www.iso.org/obp/ui/#iso:std:iso:22398:ed-1:v1:en

    These materials will also help you regarding preparedness for natural disaster:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • ISO 27001 main deliverables


    Answer: In terms of certification process, the main deliverables for ISO 27001 implementation can be seen in 4 groups: 1) mandatory documents and records; 2) non-mandatory documents; 3) physical and technical implemented controls; and 4) certification body documents.

    This article will provide you further explanation about ISO 27001 main deliverables related to certification process:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    - ISO 27001 Certification: What’s next after receiving the audit report? https://advisera.com/27001academy/blog/2015/05/18/iso-27001-certification-whats-next-after-receiving-the-audit-report/

    In terms of benefits, a well implemented ISO 27001 ISMS can deliver enhanced competitiveness, reduction of operational costs, improved internal organization, and ease of maintaining conformity with legal requirements.

    This article will provide you further explanation about ISO 27001 benefits:
    - Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    These materials will also help you regarding ISO 27001 main deliverables:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Customer complaints in insurance company


    Answer:

    The best way to approach this problem is to start recording the complaints and try to resolve them by corrective actions. In this way you will be able to determine the cause of the complaint and what deficiencies in the processes led to the complaint. You can also try to link the complaints with the relevant process that caused the complaint and record it in the list of complaints. In this way you will have a general overview of the complaints and causal processes, so you will know where to look for improvements.

    Repeated complaints are possible, but the company needs to determine whether they are reasonable or not. If they are, it is a symptom of a problem within one or more processes in the company. The best way to prove that the complaints are repeating is to record the complaints in a list of complaints; this record should provide you with a sufficient level of information to enable you to proceed with resolving the complaints. For more information, see: Effective complaints management in a QMS https://advisera.com/9001academy/blog/2014/09/16/effective-complaints-management-qms/
  • Interested parties and leadership


    Answer:

    In order to identify relevant interested parties you need to consider all institutions, organizations and people that affect your EMS (Environmental Management System) or can be affected by it. There are internal and external interested parties. Internal interested parties include employees and top and mid management, while external interested parties include customers, suppliers, regulatory bodies and the local community. The organization must not only identify interested parties but also decide which interested parties are relevant to the organization and determine their needs and expectations towards the company's EMS. For more information, see: How to determine interested parties according to ISO 14001:2015 https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/how-to-determine-interested-parties-according-to-iso-140012015/

    The standard requires top management to define the Environmental Policy and environmental objectives, to assign roles and responsibilities within the EMS and to provide resources for the functioning of the EMS. Most of those requirements are met by actions rather than by documents and procedures, and they are also audited accordingly. All these requirements are placed in clause 5 Leadership and basically, the top management must only define the policy; that is the only requirement besides the objectives that must be documented. For more information about the leadership, see: How to demonstrate leadership according to ISO 14001:2015 https://advisera.com/14001academy/blog/2015/10/05/how-to-demonstrate-leadership-according-to-iso-140012015/
  • Managing records kept

    Hi Jack,

    Yes, several procedures can reference the same record. You don't have to list the record in every procedure, but in the body of the procedure you need to make reference to the record.
  • Compliance with ISO 27001


    Answer: For the identification of the mandatory documentation needed for compliance with ISO 27001 I suggest you take a look at this article: List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    Regarding the identification of documentation importance, I suggest you take a look at this article: 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/

    Regarding the actions to be taken to ensure an ISMS is ready for certification, I suggest you see this article: ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    2 - Also, during the assessment, there might be chances that some of the solutions, i.e. Access Control, Incident management, do not exist at all. In that case what would be the action item, because due to budget constraints, some of the solution deployments may not be feasible this year? Is there any alternative available to make us compliant without putting the actual solution in place?

    Answer: In some cases, it is possible to implement a control at some later time - however you need to fulfill the following: (1) there is no major risk with pending treatment, (2) the Risk Treatment Plan clearly defines that the control will be implemented at a later date, and (3) risk owners have accepted the risks related to the control that will be implemented later.

    These materials will also help you regarding compliance with ISO 27001:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/