Expert Advice Community

Guest

ISO 27001 query

  Quote
Guest
Guest user Created:   Mar 01, 2023 Last commented:   Mar 01, 2023

ISO 27001 query

1. Can I seek your advise on the how much is the RTO usually set for a company offering SaaS based solutions? Does the ISO 22301 define any times? I understand that it depends on various org-specific factors, but want to get a idea on industry best practices.

2. We also had the below queries relating to BYOD, in case we want to implement a BYOD policy:

Should the organisation ensure an anti-malware / anti-virus solution has been installed on all personal devices?

3. What are the minimum device management controls that the org should have control over?

I understand that these are not specifically defined in the ISO 27001 standard, and therefore need your advise on what controls are considered bare minimum, and as per industry best practices, to help us pass the certification.

0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Mar 01, 2023

1. Can I seek your advise on the how much is the RTO usually set for a company offering SaaS based solutions? Does the ISO 22301 define any times? I understand that it depends on various org-specific factors, but want to get a idea on industry best practices.

ISO 22301 does not prescribe RTO values. Instead, it provides a framework for organizations to understand their business continuity needs and define the proper RTO values according to the criticality of their services and risk tolerance. Normally RTOs are measured in terms of hours, minutes, or seconds, with lower numbers representing less downtime but greater costs in investments.

You should avoid taking as reference values from other organizations because RTOs need to be based on the specificities of your own business.

For further information, see:

2. We also had the below queries relating to BYOD, in case we want to implement a BYOD policy:

Should the organisation ensure an anti-malware / anti-virus solution has been installed on all personal devices?

Please note that security controls to be implemented need to be based on the results of risk assessment and applicable legal requirements.

In case you do not have any relevant risk, or laws, regulations, or contracts demanding an anti-malware / anti-virus solution, you do not need to implement it. However, in most cases, we see companies implementing anti-malware on all laptops.

For further information, see:

3. What are the minimum device management controls that the org should have control over?

I understand that these are not specifically defined in the ISO 27001 standard, and therefore need your advise on what controls are considered bare minimum, and as per industry best practices, to help us pass the certification.

The same answer from the previous question applies here. You need to perform a risk assessment and evaluate applicable legal requirements to identify relevant controls to be implemented for device management.

Please note that simply applying best practices will not help you with the certification process, because the certification auditor will look for if you have implemented controls based on risk assessment and evaluation of legal requirements properly performed. Further, there are no "industry best practices" that would be universally accepted.

This material may help you:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Mar 01, 2023

Mar 01, 2023

Suggested Topics

Guest user Created:   Jan 13, 2022 ISO 27001 & 22301
Replies: 1
0 0

ISO 27001 query

Guest user Created:   Jun 14, 2021 ISO 27001 & 22301
Replies: 1
0 0

ISO 27001 query

Guest user Created:   Apr 24, 2023 ISO 27001 & 22301
Replies: 1
0 0

Query on ISO 27001:2022 SOA