Search results

  • Example of quantitative and qualitative risk assessment


    Answer:
    Basically, quantitative is when you determine the risk with numerical values (for example, based on economic values), and qualitative is when you determine the risk with nominal values.

    For example, in a quantitative risk assessment, you can have this formula for the risk:

    Risk = Impact x Likelihood

    Here the Impact is expressed in terms of money and the Likelihood in terms of %. So, if the impact in economic terms is $10.000 and the likelihood is 90%, the risk is: $10.000 x 0,9 = 9000. Here you also need to define different levels of risk (for example, 0-5000 is low, 5000-10.000 is medium, 10.000 to 50.000 is high).

    Regarding the qualitative risk assessment, you can also use the same formula:

    Risk = Impact x Likelihood

    But in this case the values will be only nominal: Low, Medium, High (or you can also use 1, 2, 3), so in this case you will need a table with all possible values. For example, if the impact is low and the likelihood is low, the risk will be low. If the impact is low and the likelihood is medium, the risk will be low, etc.

    Examples of quantitative risk assessment are MAGERIT or SOMAP, and examples of qualitative risk assessment are CRAMM or OCTAVE.

    Generally, the qualitative risk assessment is easier and the quantitative is more precise, and you can develop the methodology that you want. So this article can be interesting for you, “How to write ISO 27001 risk assessment methodology”: https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

    And our online course can also be interesting for you because we give more information about the risk assessment, “ISO 27001:2013 Foundations Course”: https://advisera.com/training/iso-27001-foundations-course/
  • Scope of the ISMS


    Answer:
    According to the requirements of ISO 27001, to define the scope of the ISMS you need to:

    - Take into account the internal and external issues (defined in clause 4.1)
    - Take into account the interested parties (defined in clause 4.2)
    - Consider the interfaces and dependencies between what is happening inside the scope of the ISMS and the external world

    This article may be useful for you, “How to define the ISMS scope”: https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

    Our template may also be of interest to you; you can view a free version by clicking on the "Free demo" tab here, “Documento sobre el alcance del SGSI” (ISMS Scope Document): https://advisera.com/27001academy/es/documentation/documento-sobre-el-alcance-del-sgsi/

    Finally, our online course may also be of interest to you, since we offer more information about defining the scope of the ISMS (although it is currently only available in English), “ISO 27001:2013 Foundations Course”: https://advisera.com/training/iso-27001-foundations-course/
  • ISO 27001 certification for one division


    Answer:
    Sure, you can limit the scope of the implementation of ISO 27001, so you can limit the certification to one division of your business; there is no problem with this, but in the future it could be advisable to expand this scope to other divisions, and finally to the whole organization.

    This article can be useful for you “How to define the ISMS scope” : https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

    Our online course can be also interesting for you because we give more information about the scope in the ISO 27001 “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Policies and procedures


    Answer:
    I am sorry, but the standard ISO 27001:2013 does not require you to map policies to procedures; however, you need to develop various mandatory documents, which you can see here, “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    This article can also be interesting for you, “How to structure documents for ISO 27001 Annex A controls”: https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/

    And our online course can also be interesting for you because we give more information about the documents of ISO 27001, “ISO 27001:2013 Foundations Course”: https://advisera.com/training/iso-27001-foundations-course/
  • Risk assessment of outsourced hosting service


    Answer:

    This is basically the question of the ISMS scope - you should include in your scope (and therefore in your risk assessment) only the assets you can control. So you should include in your scope/risk assessment the applications and your data on those virtual servers you control, however you should exclude the physical servers because you do not control them.

    However, control A.15.1.1 also requires you to perform a risk assessment of your suppliers, so this means that you should assess how this hosting service can affect the confidentiality, integrity and availability of your data - for that purpose you can use the same Risk Assessment Table, and write "hosting service" as an asset. So you won't be assessing the physical servers, but figuring out what incidents can happen in general - e.g. unauthorized access to your data, loss of data, unavailability of the service, etc.

    These articles can also help you:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
  • Determining scope of internal audit


    Answer:

    There is no specific requirement to audit the entire scope of the standard, or even the entire organization, in a one-year period. However, it is recommendable to audit the system against all requirements of the standard during a one-year period, since it is a natural time frame for every company. It is hard to find justification for auditing only part of the organization against part of the standard per year.

    Quality policy should be reviewed during management review, but if the top management chooses not to make changes to the policy, it can be left as it is without changing dates or any other information.
  • Identifying requirements for mandatory documents


    Answer:

    Each clause defines whether it requires documented information or not, and in what form. The standard uses two phrases to specify whether it requires a record or a document. The phrase "maintain documented information" means that a document is required; the phrase "documented information as evidence" means that a record is required.

    For more information, see: New approach to document and record control in ISO 9001:2015 https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
  • Assess the risk for each asset


    Answer:
    I am not sure if I have understood your question 100%, but you need to assess the risk for each asset, and obviously the risk is related to the business. To calculate the risk in a simple way, you can basically use 2 parameters: Consequences and Likelihood. This article can be interesting for you, “How to assess consequences and likelihood in ISO 27001 risk analysis”: https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

    And also this one “ISO 27001 risk assessment & treatment - 6 basic steps” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    Finally, our online course can be also interesting for you because we give more information about the risk assessment process “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Access directly to a database?


    Answer:
    If this information is not confidential, I do not see problems, although in my view giving direct access to the Oracle database is not a best practice, so it would be better to provide this information in another way, for example through a web page (using the Model-View-Controller architectural pattern).

    Another recommendation is that you define a classification for the information, so this article can be interesting for you “Information classification according to ISO 27001” : https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

    And remember that before the implementation of controls, you need to perform the risk assessment in order to determine what kind of security controls are needed. This article can be interesting for you, "The basic logic of ISO 27001: How does information security work?": https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    Finally, this online course can be also interesting for you, because we give more information about the classification of the information “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Setting up ISO 14001 in construction company


    Answer:

    The first step is to conduct a GAP analysis to determine to what level your company is already compliant with the standard. The GAP analysis will provide you with answers on what needs to be done to achieve full compliance with the standard. Here you can find a free GAP Analysis tool: https://advisera.com/14001academy/iso-14001-gap-analysis-tool/

    Once you determine what documents need to be created and what activities need to be performed, you should create a Project Plan where you define all of the above as well as deadlines, responsibilities and resources. You can find a free sample of the Project Plan here: https://advisera.com/14001academy/free-downloads/ . This step is not mandatory; however, it will help you avoid missing something out.

    The next step is to create all necessary documents. This includes the documents required by the standard itself and the documents that you find necessary to run your environmental management system and achieve the intended results. Here you can use our documentation template, which includes all mandatory documents together with the most common documents used to set up the EMS (environmental management system) according to ISO 14001:2015. You can find a free preview of the toolkit here: https://advisera.com/14001academy/iso-14001-premium-documentation-toolkit/

    Then you need to implement all the activities prescribed by the documentation into your daily business activities. Finally, you need to conduct an internal audit and a management review to ensure your system is compliant with ISO 14001 requirements. And then you can hire a certification body to conduct the certification audit and issue your company the certificate.

    For more information about steps in ISO 14001 implementation, see: ISO 14001 Implementation diagram https://advisera.com/14001academy/free-downloads/