Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11275 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Risk acceptance criteria and acceptance level
Thank you very much for your help, really appreciate it. -
Filling asset inventory
But in the Inventory of Assets table we mention each Asset just once (as I understand). So, what level of Consequence to specify in such cases?
Answer: When an asset has different levels of consequence identified in the Risk Assessment table, you should consider for the entry in the Inventory of Assets the highest value identified as a consequence in the Risk Assessment table. Considering the "Laptop" asset example (with consequence values of 1, 1, and 2), you should en try the consequence value of 2 in the Inventory of assets. This way your Inventory of Assets will always present the highest consequence an asset have to your organization. -
Using Conformio for ISO 27002
You can use Conformio for any ISO standard, because the following Conformio features are designed to be compliant with any ISO system: document management, project management (through Tasks feature), corrective actions, and nonconformities. In addition to that, Conformio has module for incident management, which can be used specifically for ISO 27001/ISO 27002.
In other words, you'll find Conformio very useful for ISO 27002 implementation and maintenance.
By the way, here you'll find several help articles on how to use Conformio: https://advisera.com/support/knowledgebase_category/conformio/ -
ISO/ITIL for startup
Assuming you have defined the scope (since you are startup, most probably - whole organization, but read the article "How to define the scope of the SMS in ISO 20000" https://advisera.com/20000academy/blog/2015/06/02/how-to-define-the-scope-of-the-sms-in-iso-20000/ to help yourself) and certification body, you can use this free implementation diagram to guide you through implementation:
"ISO 20000 implementation diagram" https://info.advisera.com/20000academy/free-download/iso-20000-implementation-diagram
This article will help you with documentation structure "How to structure ISO 20000 documentation" https://advisera.com/20000academy/blog/2016/09/27/how-to-structure-iso20000-documentation/
This free material will provide you with different implementation options:
Comparison matrices for ITIL / ISO 20000 implementation solutions https://advisera.com/20000academy/comparison/
and, if you decide to do it by yourself, you can use "ISO 20000 Documentation Toolkit" https://advisera.com/20000academy/iso-20000-documentation-toolkit/ to speed up the implementation. -
Context of the organization and risks in ISO 14001
Answer:
Internal and external issues represents any kind of impact on your environmental management system. For example, internal issues are company's organizational structure, culture, processes, type of the technology or raw materials used in the production or service delivery process, etc. External issues are the ones coming from outside the company, e.g. environmental conditions in the region where your company is, environmental legislation, requirements of the local community, environmentalists, etc. For more information about context of the organization, see: Determining the context of the organization in ISO 14001 https://advisera.com/14001academy/knowledgebase/determining-the-context-of-the-organization-in-iso-14001/
Regarding clause 6.1.1, ISO 14001 requires organization to determine risks and opportunities related to environmental aspects, compliance obligations and internal and external issues. Such risks and opportunities need to be identified on global level of the organization which means that the top management must be included in the process. The standard does not require organizations to use some methodology so the most simple way to address this clause is to arrange a brainstorming session involving all relevant people in the company and discuss risks and opportunities and the risks and opportunities identified need to be documented and some actions to address them should be proposed. For more information, see: Risks and opportunities in ISO 14001:2015 – What they are and why they are important https://advisera.com/14001academy/blog/2016/03/07/risks-and-opportunities-in-iso-140012015-what-they-are-and-why-they-are-important/ -
Assets to consider in an inventory
Great, this helps a lot! -
Change Management and Configuration Management
Answer:
Configuration Items (CIs) that are within the scope of the plan are used by the Change Management process to evaluate and authorize changes. The Change Management process authorizes all changes on CIs which are within the scope of the SACM Plan.
So, while planning how to populate CMBD (which is in jurisdiction of Configuration management, or Service Asset and Configuration Management) you need to think about scope ("width" and "depth" of the implementation i.e. affected CI's), location, naming nomenclature, tools..etc. Once you define that i.e. have your plan ready, you can start the implementation. In scope of the planning you need to consider how (i.e. who, in which tool and with what authority) people involved in change Management will use information stored in CMDB.
Here are the article that may help:
"What is the role of the Service Asset and Conf iguration Manager according to ITIL/ISO 20000?" https://advisera.com/20000academy/blog/2016/11/01/what-is-the-role-of-the-service-asset-and-configuration-manager-according-to-itil-iso20000/
"How to use ITIL to prepare the Service Asset & Configuration Management Plan" https://advisera.com/20000academy/blog/2015/12/01/how-to-use-itil-to-prepare-the-service-asset-configuration-management-plan/
"Three main activities to set up ITIL Service Asset and Configuration Management" https://advisera.com/20000academy/blog/2015/07/14/three-main-activities-to-set-up-itil-service-asset-and-configuration-management/
as well as free webinar
"The basic elements of ITIL Service Asset and Configuration Management (SACM)" https://advisera.com/20000academy/webinar/the-basic-elements-of-itil-service-asset-and-configuration-management-sacm-free-webinar-on-demand/ -
Is the risk assessment done before the BIA?
Answer: ISO 22301 (and most of other business continuity methodologies) allow you to do it either way, and the truth is - I don't think there is a huge difference. My personal preference is to do the risk assessment first, because then you'll have a better impression of which incidents can happen while doing your business impact analysis.
You'll learn more here: Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/ -
How to describe treatment options
Answer: In the Risk treatment table, when you select the option "Transfer of a risk to a third party", then you shouldn't select the control in the next column; instead, you should simply write what is your intended action - in your case you should write "Purchase an insurance policy."
By the way, in the video tutorial about Risk treatment plan (that you received with your toolkit), you'll see more examples on how to fill out these treatment options. -
Inventory of assets
Answer: In the Impact column you should copy the information from the Consequence column from the Risk assessment table. In the column Notes you should input any additional information you consider relevant regarding the asset that is not fit in any other column, e.g., Asset maintenance contract is valid only until xx/xx/xxxx.
This article will provide you further explanation about inventory of assets:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
These materials will also help you regarding inventory of assets:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/