ISO 27001 & 22301 - Expert Advice Community

ISO 27001 Internal Audits

We are an IT Service provider in the healthcare industry and have different internal IT teams. We have an IT Field Engineering team, Data Centre, Directory Services, Networks and Telecoms, IT Server team, Project Management Office (PMO) teams etc. These are all specialist teams and their members are SMEs in their field they know the benefits of ISO 27001 and are committed to helping us the Compliance Team however auditing these technical experts from clauses 4 – 10 is a challenge.

So, what we have been doing auditing these internal teams from the controls of Annex A we created a template around these controls. Each team is audited around these controls for example

A6.1.2 Segregation of Duties

A8 Assets

A9 User Access Management

A11 Physical & Environment Security

A12 Operations

A15 Suppliers

A16 Information Security Incidents etc

However, during the recent Surveillance audit, the external auditor issued a non-conformity saying.

“Audits conducted to date have covered service delivery: to date, there has been no audit to conformity with ISO27001 clauses 4-10”

My question is these technical people don’t know what is in clauses 4 -10 of ISO27001. How should we audit them from clauses of the standard? For example, they don’t know the basic questions

Are relevant internal and external issues that can affect an organization's ISMS identified?

Are all relevant interested parties identified, together with their requirements?

Is top-level Information security policy documented?

Are management reviews performed as planned?

Is the Risk Assessment and Risk Treatment Methodology reviewed before the regular review of existing risk assessment?

The only option we can see is if someone within the organization who is independent audits us The Compliance team from Clause 4 – 10 and we continue auditing technical teams from Annex A controls. Please advise if this approach is sufficient to improve our auditing process. Many thanks, Ash

Automated Firewall Review

We are a SaaS-based company and we are hosted on AWS cloud. Hence we use AWS Security groups which act as virtual firewalls. We have multiple security groups. One of the controls in ISO is that a Firewall review needs to be performed. The traditional approach is that the Firewall owner reviews the rules and provides sign-off off etc. However, since we have multiple security groups it becomes difficult to review each. We have implemented a CIS benchmark tailored for AWS. Deploy regular scans on AWS Security Groups, using parameters established by the CIS benchmark. The focus is on detecting potential misconfigurations, especially in the context of publicly open ports, ensuring a robust defence against unauthorized access. Weekly reports are generated and sent to the team.

My question is as part of an audit. Can this evidence suffice since we have automated the process of firewall review and not perform manual review?

Choose to Not implement a security control

I am a bit conflicted about this and need to hear what you think. I have asked Experta but I am stil not sure. Feels like there must be a clear answer to this. So my question is... can I (according to iso27001) choose to Not implement a security control from annex A even if I can see a risk with not implementing it? If we identify the risk but choose to accept the risk without any mitigating actions. In this case there won't be any risk treatment plans to connect to the Security control. The risk is accepted by the company and we choose Not Implemented and no plans to implement. The risk and security control will be re-evaluated yearly. Is this okay or what should we do with the security control if we only have one or several risks linked to it that are accepted without further actions?

The reason to Not Implement could be that the risk is very very low, very very unlikely and/or would cost more to implement than the consequence of the risk.  

Business continuity plan, RTO and MTPD

In our BCP for external threats like Cyber Attacks it is mentioned that "RTO is not applicable in this case, however it is recommended to contain the threat within a defined period" so the MTPD for such kind of disruptions is 2 hour but it took us more than 4 days to resume all critical systems and services , what do you guys thing should I raise a non conformity for this.

Information Security Goals

Please help me sample examples of information security goals that can be easily measured. Thank you so much!

RTO in the BIA questionnaire

I purchased your ISO 22301 package in 2022, but only now have I been able to start delving into its contents. I have a question: in the 05.1_Business_Impact_Analysis_Questionnaire_22301_EN file, where do I find the RTO listed?

Understanding the core concepts of RPO & RTO - ISO 22301

Hi, I am new to the this community and a newbie in the field of information Security. ISO 22301 - BCMS has captured my focus as a starting point.
I've been reading about RTO and RPO and has quite an understading about these concepts now. At least enought to ask some stupid question. Please don't mind if my question does not make sense as I am still absorbing.

I have read an example about how Business Processes have their own set of  Business-RTO(BRTO) and Business-RPO(BRPO) based on their crticality, and these values are set by their respective Business Owners. Further, these processes are dependant on the supporting infrastucture, such as application assets, vendors, locations, and other resources.

Additionally, applications that supports processes have their own set of Application-RTO(ARTO) and Application-RPO(ARPO) set by their respective application owners. Also, there needs to be a roll-up RTO and RPO for applications as an application may tagged to multiple processes and it must be aligned with the minimum of all the tagged processes BRTO and BRPO values. Based on the comparison of the roll-up value and the owner assigned value, we can identify a gap for an application.

Now, my question is that a process can be directly depandant on the RTO of an application because to run that process, the application must be up and running. However, it's not the same for the application RPO. RPO depends on the backup rate of the database and if still an application is down but we have not lost any data or much data (under RPO values), we can still interact with that data through other means/alternatives, correct? I think my concept about RPO is not clear and how it is related to application. I need a more experinced view on this. 

Thanks in advance.

Residual Risk Calculations

Hi, I understand that the conformio software auto calculates the residual risk after controls are added. so 2 questions:

1. What is the recommended base for controls? Is more better as in comprehensively covered or the minimum to reduce the resdiual risk?

2. Do we assume that the controls reduces the impact rating? I'm unsure of how that will happen. Can you please explain? For example - Desktop Computers > Downloads from internet not controlled > Infections with malicious software > Controls choosen are: A.5.7, A.5.10, A.5.17, A.5.24, A.5.25, A.5.26, A.5.27, A.5.28, A.5.37, A.6.1, A.6.2, A.6.3, A.6.4, A.6.8, A.8.7, A.8.19, A.8.21

The residual risk is now 0 but I don't understand how the Impact is reduced to 0 with these. Please help.

Thanks

SoA Tasks

Hi,

If I specify a user defined task for an Annex A control, and later want to specify the same task as an implementation method for another control, should I re-enter the task in the second control under task option, refer to the previously entered task in earlier control under text entry option, or do nothing, as the task already exists.

I am concerned that duplicating the task in more than one control might lead to odd/spurious records being generated as the automtic process compiles the information I have entered.

Many thanks.

BIA Questionaire Assistance

Please let me know what resources are available from Advisera to assist with filling out the BIA Questionaire from the ISO 22301 Toolkit?