Search results

Home / Search

Category:
Select
Select

11270 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Risk management from a remote location


    Answer: Interesting question... in my opinion, it would be possible to coordinate the risk assessment and risk treatment process from a remote location, however I think that the following things would need to be done locally in the office for which the risk management is done:
    - Listing all the assets, determining threats and vulnerabilities - this is because someone who is remote cannot be aware of all these elements
    - Determining the impact and likelihood - again, the same explanation as above
    - Implementing the controls - if we speak about physical controls that, of course, needs to be done locally; also all the technical controls (e.g. alarm systems and other hardware, locally installed software, etc.)

    Somewhere halfway are organizational controls (e.g. policies, procedures, etc.) - of course, you can write all the documentation from a remote location, however the question is whether you can convince all the on-site employees to start using them? If your company culture allows this, then you would be able to do this, however there are not many companies who could succeed in such approach.

    By the way, here's an article that describes the whole risk management process: ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

  • ITIL and COBIT


    Answer:
    There is no cookbook how to do it. COBIT is IT governance framework and ITIL is IT service management framework. You can see COBIT as interface between company (and its strategy, goals, risks...) and IT services. ITIL should enable excellence in management of your IT services (throughout their lifecycle) and COBIT should enable alignment of the IT organization with the goals of the business.
    COBIT is much broader than ITIL and ITIL goes much more in details. Ideally, they are implemented together to integrate business and IT services.

  • Hazard analysis in iron steel making lan


    Answer:

    The process is the same regardless of the industry. First step in occupational hazard analysis is to determine the procedure for it that includes criteria for analysis that will tell you whether the hazard is significant or not. Then you need to conduct the analysis for each of the work places and see which are subjected to unacceptable hazards and what needs to be done to decrease the hazard and implement operational control.

    For more information, see: How to identify and classify OH&S hazards https://advisera.com/18001academy/blog/2015/05/14/how-to-identify-and-classify-ohs-hazards/

  • How to calculate residual risk


    Answer: Residual risk is the level of risk once you apply the controls - for example, if you had a risk that had a value of 9, and you applied controls so that impact and likelihood have decreased, then the level of residual risk could be e.g. 5.

    By the way, usually the risks do not cause other risks - it is the threats and vulnerabilities that cause risks - see also this article: ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    This article is also helpful: Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/

  • Process-based vs control-based audit


    Answer: The audit process is not prescribed by any standard, so you can do it any way you feel is appropriate. In most cases, ISMS is audited per controls, not per processes, although you can do it per processes as well.

    Did you see our free online training ISO 27001 Internal Auditor Course? It will explain you all the auditing techniques specific for ISO 27001: https://advisera.com/training/iso-27001-internal-auditor-course/

  • Performing risk analysis, SoA and RTP


    Answer: These materials will help you with the detailed answers:
    - Free ISO 27001 Gap Analysis Tool https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/
    - articles on risk assessment and treatment: https://advisera.com/27001academy/knowledgebase-category/risk-management/

  • Threats vs vulnerabilities


    Answer: Threat is something that can damage the confidentiality, integrity or availability of your information; vulnerability is a state of your assets, your systems, your organization, etc. that allows this threat to materialize. E.g. threat is malware, while lack of anti-virus software is a vulnerability.

    You'll find more help here: ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    This Catalogue of threats and vulnerabilities will also help you: https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/

  • Roles and responsibilities according to ISO 9001


    Answer:

    The situation is more or less the same as it was in previous version of the standard, the only change is that the MR is no longer a mandatory role in the QMS. But according to my experience so far, most of the companies kept the MR as a role since he or she has the most profound knowledge of the standard and the QMS in the company. The fact that MR is no longer mandatory it doesn't mean it is forbidden and for most of the companies it is a most convenient way to address these requirements.

    For more information, see: What will be the destiny of the management representative in the new ISO 9001:2015? https://advisera.com/9001academy/knowledgebase/what-will-be-the-destiny-of-the-management-representative-in-the-new-iso-90012015/

  • Frequency of internal audits

    The entire QMS process need only be reviewed once over the course of your 3 year cycle. You need to have an audit plan though that shows that. A management review also needs to be held at some frequency, I would suggest minimum 1/year but better 1/qtr to review objectives

  • Defining KPIs for OH&SMS


    Answer:

    A key performance indicator (KPI) is a measurement of a certain type of activity that a company or organization partakes in. When that measurement is a direct reflection on your workforce’s health and well-being that KPI can be used for measuring effectiveness of your OH&SMS (Occupational Health & Safety Management System).

    Example of OHSAS 18001 KPI can be a number of injuries or near misses per day/week or per unit of product, etc. For more information, see: How to establish and evaluate key performance indicators for OHSAS 18001 https://advisera.com/18001academy/blog/2015/07/22/how-to-establish-and-evaluate-key-performance-indicators-for-ohsas-18001/
Page 970-vs-13485 of 1127 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +