Answer: There is indeed similarity between BC strategy and BC plan because the BC plan is a detailing of BC strategy when specific situations are considered (you can see this difference in the section one of both documents - Purpose, scope and users). For example, in BC strategy you may identify the type of database to be available for all BC plans, and in each BC plan you will detail where this database is located (e.g., server, physical address, etc.) for each business unit or site that specific BC plan covers.
So, you will find this type of duplication in every situation where you need to define high-level guidelines that must be implemented in different ways for each interested party. For example, in the BC strategy you define the general RTO (Recovery Time Objective) and RPO (Recovery Point Objective) to be achieved by the organization, and each business plan defines its own RTO and RPO considering its own scenario (e.g., IT systems, financial processes, etc.) and the strategic RTO and RPO to be achieved.
Regarding whether you need to fill in both documents, the main criterion to consider is the number of different conditions and BC plans you have. If you have many plans and each one of them has different conditions, it is better to have a BC strategy document to define the high-level conditions.
By the way, in the video tutorials that came with your toolkit, you will find information about BC strategy and how to fill out BC plans.
Audit demanded by client
We own and license a web service that stores information and displays it to users through a front-end website. One of our existing clients has just licensed it and has provided an extensive network and security questionnaire, and one of the requirements is to provide a copy of the security audit. Since we never factored this into our license, I need to understand what the best approach to this may be, what I need, and who I can hire to perform the task.
Answer: The first thing you should identify is which level of independence is required by the client for this security audit, since there are three possible levels: first-party audit (when your organization audits itself), second-party audit (when the client, or another organization accepted by it, audits your organization), and third-party audit (when an organization independent from both your organization and the client audits your organization).
If a first-party audit is sufficient for the client, and you already have an internal audit process running, you should include in your internal audit program an audit covering this web service, considering the network and security questionnaire sent by the client. If you do not have an internal audit process, please consider the answer for the third-party audit, presented at the end of this answer. This is the cheapest audit process, but the low degree of independence may not be sufficient for some organizations.
If a second-party audit is required, you should contact the client to identify who will be responsible for the audit (the client itself or another accepted organization), and define the arrangements for the audit with this responsible party. Depending upon who will pay for the audit, this kind of audit may become onerous for you or your client, especially for you if you have many clients demanding this type of audit and each one requires a different organization to perform it. In such cases, aiming for a third-party audit may prove a better option.
If a third-party audit is required, the best course of action is to consider the certification of a management system, in this case certification on ISO 27001, related to information security, since certification bodies, those who issue a certification, are accepted as highly trusted independent parties to ensure security is being properly managed by an organization.
As a complement to the first part of this answer, implementing an internal audit process is mandatory for certification, so if you get certified, besides being capable of providing the results of a third-party audit, you also ensure you are capable of performing a first-party audit if demanded by a client.
In cases where a second-party audit is required, you can offer your certification or maintenance audit report as an option for your client.
This article will provide you with further explanation about certification (third-party audit):
Thank you very much for your help, really appreciate it.
Filling asset inventory
But in the Inventory of Assets table we mention each Asset just once (as I understand). So, what level of Consequence to specify in such cases?
Answer: When an asset has different levels of consequence identified in the Risk Assessment table, you should use for the entry in the Inventory of Assets the highest value identified as a consequence in the Risk Assessment table. Considering the "Laptop" asset example (with consequence values of 1, 1, and 2), you should enter the consequence value of 2 in the Inventory of Assets. This way your Inventory of Assets will always present the highest consequence an asset has for your organization.
Using Conformio for ISO 27002
You can use Conformio for any ISO standard, because the following Conformio features are designed to be compliant with any ISO management system: document management, project management (through the Tasks feature), corrective actions, and nonconformities. In addition to that, Conformio has a module for incident management, which can be used specifically for ISO 27001/ISO 27002.
In other words, you'll find Conformio very useful for ISO 27002 implementation and maintenance.
Context of the organization and risks in ISO 14001
Answer:
Internal and external issues represent any kind of impact on your environmental management system. For example, internal issues are the company's organizational structure, culture, processes, the type of technology or raw materials used in the production or service delivery process, etc. External issues are the ones coming from outside the company, e.g. environmental conditions in the region where your company is located, environmental legislation, requirements of the local community, environmentalists, etc. For more information about the context of the organization, see: Determining the context of the organization in ISO 14001 https://advisera.com/14001academy/knowledgebase/determining-the-context-of-the-organization-in-iso-14001/
Regarding clause 6.1.1, ISO 14001 requires the organization to determine risks and opportunities related to environmental aspects, compliance obligations, and internal and external issues. Such risks and opportunities need to be identified at the global level of the organization, which means that top management must be included in the process. The standard does not require organizations to use any particular methodology, so the simplest way to address this clause is to arrange a brainstorming session involving all relevant people in the company to discuss risks and opportunities. The risks and opportunities identified need to be documented, and some actions to address them should be proposed. For more information, see: Risks and opportunities in ISO 14001:2015 – What they are and why they are important https://advisera.com/14001academy/blog/2016/03/07/risks-and-opportunities-in-iso-140012015-what-they-are-and-why-they-are-important/
Assets to consider in an inventory
Great, this helps a lot!
Change Management and Configuration Management
Answer:
Configuration Items (CIs) that are within the scope of the plan are used by the Change Management process to evaluate and authorize changes. The Change Management process authorizes all changes on CIs which are within the scope of the SACM Plan.
So, while planning how to populate the CMDB (which is in the jurisdiction of Configuration Management, or Service Asset and Configuration Management) you need to think about scope ("width" and "depth" of the implementation, i.e. affected CIs), location, naming nomenclature, tools, etc. Once you define that, i.e. have your plan ready, you can start the implementation. Within the scope of the planning you need to consider how (i.e. who, in which tool, and with what authority) people involved in Change Management will use the information stored in the CMDB.