I assume by SMS you meant Safety Management System. Implementing SMS can be done in numerous ways but for this answer I will explain how to do it with OHSAS 18001.
The first step is to conduct a gap analysis to determine to what level your company is already compliant with OHSAS 18001 and what needs to be done to achieve full compliance and establish an effective SMS. Here you can find a free OHSAS 18001 Gap Analysis Tool: https://advisera.com/18001academy/ohsas-18001-gap-analysis-tool/
Once you determine what needs to be done, you should develop a project plan for the implementation with defined activities, resources, responsibilities and deadlines. In this way you will distribute the burden of the implementation among several people, which can make your implementation faster and more effective. Here you can download our free Project Plan for OHSAS 18001 implementation: https://info.advisera.com/18001academy/free-download/project-plan-for-ohsas-18001-implementation
Qualitative risk assessment is based on perceptions and judgements to assess probabilities and impacts, does not make use of complex mathematical analysis, and its results make sense only in the context of the analysis, generally represented by scales like “low, medium and high” or “80 on a scale from 0 to 99” (e.g., high risk of data loss, or a risk of data loss of 80 on a scale from 0 to 99). 99% of companies use qualitative assessment to perform quick assessments in simple situations or to help identify risks that require further analysis when they have many risks to work on.
On the other hand, quantitative risk assessment is based on heavy use of mathematics (e.g., statistical distributions) and simulation tools to assess probabilities and impacts, and its results make sense outside the context of the analysis, generally in terms of money and time impacts if a risk occurs in a specific period (e.g., a 30% chance of data loss results in a loss of 550k if the risk occurs in the next five years). Terms related to quantitative risk assessment are ROSI, SLE, ARO and ALE, which you can learn more about by watching this free webinar:
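Added example, not part of the answer above or of any Advisera material: a small Python script that works the answer's quantitative illustration (30% chance of data loss, a 550k loss, a five-year horizon) into SLE, ARO, ALE and ROSI, and sets a qualitative low/medium/high rating beside it so the contrast between the two approaches is visible. The formulas ALE = SLE x ARO and ROSI = (ALE before - ALE after - control cost) / control cost, the simple conversion of the five-year probability into a yearly rate, and the 10k/year control are assumptions for this example, not figures from the page.

```python
# Added example: quantitative (SLE/ARO/ALE/ROSI) versus qualitative risk rating.
# Formulas below are the common textbook ones and are assumed, not taken from the answer.

def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: expected monetary loss per year from one risk."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def aro_from_period(probability: float, years: float) -> float:
    """Turn 'p chance that the risk occurs within N years' into a yearly rate.
    Simplification assumed here: p / N (ignores compounding across years)."""
    if not 0.0 <= probability <= 1.0 or years <= 0:
        raise ValueError("probability must be in [0, 1] and years positive")
    return probability / years


def rosi(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Return on security investment: (risk reduction - control cost) / control cost."""
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (ale_before - ale_after - annual_control_cost) / annual_control_cost


def qualitative_rating(likelihood: int, impact: int) -> str:
    """Qualitative scale (1..3 each): result only means something inside this analysis."""
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact must be on the 1..3 scale")
    score = likelihood * impact
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def data_loss_example() -> dict:
    """Constructed figures from the answer's illustration: 30% chance of data loss
    in the next five years, 550k loss if it happens; a hypothetical 10k/year backup
    control assumed to cut the yearly rate to 0.01."""
    sle = 550_000.0
    aro = aro_from_period(0.30, 5)                 # 0.06 per year
    ale_before = annualized_loss_expectancy(sle, aro)
    ale_after = annualized_loss_expectancy(sle, 0.01)
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "rosi": rosi(ale_before, ale_after, 10_000.0),
        "qualitative": qualitative_rating(likelihood=2, impact=3),
    }
```

Running `data_loss_example()` gives an ALE of 33,000 per year before the control, 5,500 after, and a ROSI of 1.75, while the qualitative column only says "high".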
Answer: Yes. You only have to take care not to define Senior Management as the responsible role in too many activities.
2 - If so, do I have to specify who is meant by Senior Management?
Answer: Yes. Unlike concepts like manager or process owner, Senior Management may mean one or more persons, like when you assign the responsibility to a project team. In these cases, people and auditors usually look for the one in the highest position, so you should make it very clear what Senior Management means in your organization.
3 - If so, where do I have to do this? In which document?
Answer: You have many options for where to define Senior Management. You can define them in job descriptions, in the organizational chart, or in the Information Security Policy.
Answer: The IT Operations Management function consists of two sub-functions, IT Operations Control and Facility Management:
- IT Operations Control - responsible for the execution and monitoring of operational activities and events
- Facility Management - management of the physical IT environment
2 - Information on how to become an ISO 27001 Internal Auditor
Answer: To get information about how to become an ISO 27001 internal auditor, I suggest these materials:
- ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
- Qualifications for an ISO 27001 Internal Auditor https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
Answer: In an MS interview they generally don't ask technical questions (e.g., what ISO 27001 is, how it is implemented, etc.). At this point the interviewer is more interested in knowing your professional background, personal interests and why you are interested in the particular field of study you are pursuing. When this point arises, you can explain what your approach would be regarding the use of ISO 27001 in supporting organizations to be compliant with Cyber Law and protect information security.
What to do about assets and risks that change after risk assessment
Thank you so much. I thought that was the right thing to do.
Controls implementation, SoA and audit
Answer: The auditor can accept certain controls stated in the SoA to be implemented after the certification if: (1) all the major risks are resolved before the certification, (2) in the Risk Treatment Plan it is clearly defined that those controls will be implemented at a later date, and (3) the risk owners have accepted the risks related to controls that will be implemented later.