Search results


  • Environmental controls in virtual company

    provides an outsourced customer service function including bespoke, personal and intelligent handling of inbound and outbound calls / emails / Livechats as well as outsourced telemarketing.
  • Determining environmental context


    The best way to get inputs for environmental conditions is to contact the relevant local authority; in most cases, they already have some study or document that describes the environmental conditions in your region. As far as events are concerned, the best way to approach it is to examine your processes and see what can influence them and what the consequences are, for example in case of fire or flood. Another important thing is to consider the immediate surroundings of the company and how they can affect your environmental performance; for example, if there is a chemical industry nearby, how would their environmental incident affect your company? For more information about the context in ISO 14001, see: Determining the context of the organization in ISO 14001 https://advisera.com/14001academy/knowledgebase/determining-the-context-of-the-organization-in-iso-14001/

    2) Where can I find a sample that shows how it is implemented, from SWOT analysis to determination of issues and identification of interested parties and their needs and expectations?

    Unfortunately, we do not have any examples available, but the SWOT analysis is very simple. It basically consists of a table with four cells, one each for strengths, weaknesses, opportunities and threats. The good thing about the SWOT analysis is that it provides a direct link to risks and opportunities.

    When identifying interested parties, it is best to think about all instances that can affect or be affected by your company's operations with respect to the environment. Then you need to define which interested parties are really relevant and determine their needs and expectations. For more information, see: How to determine interested parties according to ISO 14001:2015 https://advisera.com/14001academy/knowledgebase/how-to-determine-interested-parties-according-to-iso-140012015/
  • External auditor questions


    Answer: I suggest you take a look at the free demo of our Internal Audit Checklist (https://advisera.com/27001academy/documentation/internal-audit-checklist/). Even though it is oriented to internal auditors, it can provide you with a good basis on what an external auditor can ask.

    These articles will provide you further explanation about audit questions:
    - Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
    - Infographic: The brain of an ISO auditor – What to expect at a certification audit https://advisera.com/articles/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/

    These materials will also help you regarding audit questions:
    - Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
  • How to develop SOPs

    - context of the organization
    - risk and opportunities management
    - organizational knowledge
    - awareness

    Answer:

    Quality procedures or SOPs can have different formats and structures. They can be narrative, i.e., described through text; they can be more structured by using tables; they can be more illustrative, i.e., flow charts; or they can be any combination of the above.

    SOPs should include the following elements:
    - Title – for identification of the procedure;
    - Purpose – describing the rationale behind the procedure;
    - Scope – to explain what aspects will be covered in the procedure, and which aspects will not be covered;
    - Responsibilities and authorities of all people/functions included in any part of the procedure;
    - Records that result from the activities described in the procedure should be defined and listed;
    - Document control – identification of changes, date of review, approval and version of the document should be included in accordance with the established practice for document control;
    - Description of activities – this is the main section of the procedure; it relates all the other elements of the procedure and describes what should be done, by whom and how, when and where. In some cases, “why” should be clarified as well. Additionally, the inputs and the outputs of the activities should be explained, including the needed resources.
    Appendices may be included, if needed.

    This approach should be used when developing any procedure, including the ones you stated. Here you can find free previews for the procedures you've mentioned:
    - Procedure for Determining Context of the Organization and Interested Parties https://advisera.com/9001academy/documentation/procedure-for-determining-context-of-the-organization-and-interested-parties/
    - Procedure for Addressing Risks and Opportunities https://advisera.com/9001academy/documentation/procedure-for-addressing-risks-and-opportunities/
    - Procedure for Competence, Training and Awareness https://advisera.com/9001academy/documentation/procedure-human-resources/
  • Acceptable use policy and telework


    Answer: Yes, because the ‘Acceptable Use Policy’ provided with your ISO 27001 & ISO 22301 Premium Documentation Toolkit defines clear rules for the use of the information system and other information assets, including rules regarding the prevention of unauthorized access to mobile devices both within and outside of the organization’s premises.

    Regarding mentioning it in the Risk Treatment Plan, you should do this only if the control is still to be implemented or if you decided to make changes in the current implemented policy.

    In the video tutorials that came with your toolkit, you can see examples of how to fill out all the data for Risk treatment.

    2 - What does the Standard say about an employee who works from home?

    Answer: Regarding employees who work from outside the premises, the standard has the control A.6.2.2 - Teleworking, which basically means the organization has to ensure that proper security measures are implemented at the site and on communication services to ensure proper access, processing and storage of information.
  • Risk acceptance


    Answer: For ISO 27001, there are three possible justifications to not implement a control:

    1) there is no relevant risk that justifies the control implementation;

    2) the organization decides to accept the risks in all situations which would justify the control implementation; and

    3) the organization decides to accept the risks on a case-by-case basis, i.e., implementing the control in some projects and not in others.

    For options 2 and 3, the decision could be based on an evaluation of the impacts of implementing the control (e.g., loss of business opportunities, loss of productivity) versus the potential losses caused by an incident that happens because of the control's absence.

    This article will provide you further explanation about risk treatment options:
    - 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/

    These materials will also help you regarding risk treatment options:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Risk assessment and treatment


    1 - The question is whether any control stated as applicable in the Statement of Applicability should have been identified already in the risk assessment step, e.g., is it possible to have, let's say, contact with authorities as applicable in the SoA but no mention of it in the risk assessment step?

    Answer: Yes, you can have this situation. Maybe a risk you haven't thought about justifies the control, or there might be some regulatory or contractual requirement that demands you to implement a particular control.

    2 - Another question is regarding the risk treatment table. Is it ok to use more than one control as mitigation to specified risk or just a map of one risk one control is more suggested?

    Answer: In fact, in most cases, you will have to implement more than one control to mitigate a risk to acceptable levels. According to our proposed method, in the Risk treatment table, you will have to create one row for each combination of the specified risk and control applied.

    In the video tutorials that came with your toolkit, you can see examples of how to fill out all the data for Risk assessment and Risk treatment.
  • Incident vs. Event management


    Answer:
    The difference can be seen from the definitions:
    Incident:
    "An unplanned interruption to an IT service or reduction in the quality of an IT service."
    Event:
    "A change of state that has significance for the management of an IT service or other configuration item."

    Meaning, in the case of an event, everything is OK; no error in the service has happened yet. Something just changed, e.g., mail arrived at its destination, a batch job completed, a door opened. Further on, an event can detect a malfunction, e.g., a port on the router is down. Then it triggers an incident. So, an event can be used for information or to trigger incidents.

    Read more about incidents and events in the following articles:
    "ITIL Incident Management" https://advisera.com/20000academy/knowledgebase/itil-incident-management/
    "ITIL Incident Management benefits – Simple explanation for your top management" https://advisera.com/20000academy/blog/2015/11/24/itil-incident-management-benefits-simple-explanation-for-your-top-management/
    "ITIL Event Management – Entry point of Service Operation" https://advisera.com/20000academy/blog/2015/03/10/itil-event-management-entry-point-of-service-operation/
    "Events – a flood or mountain creek" https://advisera.com/20000academy/blog/2013/07/02/events-flood-mountain-creek/
  • Incident Manager characteristics


    Answer:
    The Incident Manager should be someone capable of being efficient in a highly dynamic environment and should have organizational, managerial and (if possible) service-related expert knowledge. The article "How to choose an ITIL/ISO 20000 Incident Manager: 5 main characteristics" https://advisera.com/20000academy/blog/2016/05/17/choose-itiliso-20000-incident-manager-5-main-characteristics/ can provide you with more details.
    Additionally, the Incident Manager is usually the same person as the Service Desk Manager. The article "What is the job of the Service Desk Manager?" https://advisera.com/20000academy/blog/2016/09/20/what-is-the-job-of-the-service-desk-manager/ gives you more information.
  • Major incidents vs. high priority users


    Answer:
    Major incidents have a separate procedure due to their scope and (usually) the emergency situation. You can find more details in the following article: "Major Incident Management – when the going gets tough…" https://advisera.com/20000academy/knowledgebase/major-incident-management-going-gets-tough/
    However, some companies define high-priority users (as you mentioned, P1 users), e.g., the Board of Management, a director or the owner of the company. Their incidents are resolved before other incidents of the same priority. But if there is a major incident and an incident from a P1 user, then the major incident should be resolved first (usually, P1 users are affected by the major incident anyway).