ISO 27001 & 22301 - Expert Advice Community


  • Choose to Not implement a security control

    I am a bit conflicted about this and need to hear what you think. I have asked Experta but I am still not sure. Feels like there must be a clear answer to this. So my question is... can I (according to ISO 27001) choose to Not implement a security control from Annex A even if I can see a risk with not implementing it? If we identify the risk but choose to accept the risk without any mitigating actions. In this case there won't be any risk treatment plans to connect to the security control. The risk is accepted by the company and we choose Not Implemented and no plans to implement. The risk and security control will be re-evaluated yearly. Is this okay, or what should we do with the security control if we only have one or several risks linked to it that are accepted without further actions?

    The reason to Not Implement could be that the risk is very, very low, very, very unlikely and/or would cost more to implement than the consequence of the risk.

  • Business continuity plan, RTO and MTPD

    In our BCP for external threats like cyber attacks it is mentioned that "RTO is not applicable in this case, however it is recommended to contain the threat within a defined period", so the MTPD for such kinds of disruptions is 2 hours, but it took us more than 4 days to resume all critical systems and services. What do you guys think, should I raise a non-conformity for this?

  • Information Security Goals

    Please help me with sample examples of information security goals that can be easily measured. Thank you so much!

  • RTO in the BIA questionnaire

    I purchased your ISO 22301 package in 2022, but only now have I been able to start delving into its contents. I have a question: in the 05.1_Business_Impact_Analysis_Questionnaire_22301_EN file, where do I find the RTO listed?

  • Understanding the core concepts of RPO & RTO - ISO 22301

    Hi, I am new to this community and a newbie in the field of information security. ISO 22301 - BCMS has captured my focus as a starting point.
    I've been reading about RTO and RPO and have quite an understanding of these concepts now. At least enough to ask some stupid questions. Please don't mind if my question does not make sense as I am still absorbing.

    I have read an example about how Business Processes have their own set of Business-RTO (BRTO) and Business-RPO (BRPO) based on their criticality, and these values are set by their respective Business Owners. Further, these processes are dependent on the supporting infrastructure, such as application assets, vendors, locations, and other resources.

    Additionally, applications that support processes have their own set of Application-RTO (ARTO) and Application-RPO (ARPO) set by their respective application owners. Also, there needs to be a roll-up RTO and RPO for applications, as an application may be tagged to multiple processes and it must be aligned with the minimum of all the tagged processes' BRTO and BRPO values. Based on the comparison of the roll-up value and the owner-assigned value, we can identify a gap for an application.

    Now, my question is that a process can be directly dependent on the RTO of an application, because to run that process, the application must be up and running. However, it's not the same for the application RPO. RPO depends on the backup rate of the database, and if an application is down but we have not lost any data or much data (under RPO values), we can still interact with that data through other means/alternatives, correct? I think my concept about RPO is not clear and how it is related to an application. I need a more experienced view on this.

    Thanks in advance.

  • Residual Risk Calculations

    Hi, I understand that the Conformio software auto-calculates the residual risk after controls are added. So, 2 questions:

    1. What is the recommended base for controls? Is more better, as in comprehensively covered, or the minimum to reduce the residual risk?

    2. Do we assume that the controls reduce the impact rating? I'm unsure of how that will happen. Can you please explain? For example - Desktop Computers > Downloads from internet not controlled > Infections with malicious software > Controls chosen are: A.5.7, A.5.10, A.5.17, A.5.24, A.5.25, A.5.26, A.5.27, A.5.28, A.5.37, A.6.1, A.6.2, A.6.3, A.6.4, A.6.8, A.8.7, A.8.19, A.8.21

    The residual risk is now 0 but I don't understand how the Impact is reduced to 0 with these. Please help.

    Thanks

  • SoA Tasks

    Hi,

    If I specify a user-defined task for an Annex A control, and later want to specify the same task as an implementation method for another control, should I re-enter the task in the second control under the task option, refer to the previously entered task in the earlier control under the text entry option, or do nothing, as the task already exists?

    I am concerned that duplicating the task in more than one control might lead to odd/spurious records being generated as the automatic process compiles the information I have entered.

    Many thanks.

  • BIA Questionnaire Assistance

    Please let me know what resources are available from Advisera to assist with filling out the BIA Questionnaire from the ISO 22301 Toolkit?

  • Guidance on Missing ISMS Documentation and Implementation Drafts

    1. We have the initial audit with external agencies to get the accreditation, and an agenda for the one-day assessment on November 21st has been sent to us. Please find the attached image which details the ISMS Document review. However, we are missing documents for Compliance, Operational Security, Communication, Development Security, Incident Processes, and Business Continuity Management. Could you please confirm if there are drafts available or advise on how to proceed, as I'm unable to locate them in the Conformio tool? Your guidance on this matter would be greatly appreciated.

    2. Additionally, for ISMS Implementation, there is a requirement for Design, Development & Test, and Facility and Asset Management. I have checked the documents, as well as the Conformio tool, but I couldn't find any drafts pertaining to these areas. Can you please advise on this?