I take the opportunity to ask a question about the kit I purchased.
in the Project Checklist for ISO 22301 Implementation document, I have references to several documents that I didn't find in the zipped folder I downloaded.
Did I do something wrong?
Who is the person in the organization who should document this procedure?
The Lead internal Auditor
The Information Security Manager
Top Management
Thank you in advance.
Hi, we are a software company, and we are currently implementing the ISO27k1 according to your documentation kit.
We do not have a business continuity plan ( ISO22301 might implement in the near future if we succeed with the iso27k1 ). At this point we would just like to implement a disaster recovery plan.
Background about the company : software company; all of our critical services are in the cloud ; we are cloud agnostic - can migrate the entire infrastructure in a matter of hours; coworkers are used to working from home; we have just one office location; all services running in the local datacenter are also backuped on the cloud and can migrate there in a matter of minutes with minimal data loss; we work exclusively through VPN/IPSec tunnels and we use 2FA authentication for 90% of the services
My questions are the following:
In a case of a major event that has led us to start the disaster recovery plan:
1. Is it possible to describe a scenario when something has happened to our office and all our coworkers just get a laptop and a 4g hot spot and connect to a VPN in the cloud where our services run. So, this means they can work from home and not be in the office. The communication channel will always be secure and encrypted. And in the risk assessment we consider this to be an acceptable risk. The corona virus situation actually has proven this to be quite an effective strategy since we've been working like that for more than a year and we haven't run into problems of any kind. We miss partying together tho ... Would an ISO27k1 auditor be comfortable with a solution like this one?
2. Our servers and services run in the cloud, so even if there is a breach or some other kind of event related to information loss, we can pretty much return everything to working order in a matter of hours. And we've stated that we are ok with 1 day of loss of information, so based on the risk assessment and scope it's OK. But again, I am not sure an auditor would see it this way.
3. We are creating copies of the servers/services and backing up those to different cloud providers, so if an event that only takes out one cloud provider happens, we can still operate with just spinning up the infrastructure on another cloud provider. Would that cover all of our bases ? In an event where the internet is lost, or the major cloud providers are gone ... we might not want to continue operations.
4. How thorough we need to be when describing major events/incidents that can lead to the decision to put the disaster recovery into operation ? Do we need to list every event possible or incident ? Like hacker attack, cryptovariation ransomware attack, worm attack, political embargo on services or war, force majeure conditions ? The only change in the disaster recovery plan is whether the office is still usable and standing - if it is we just continue from backups or migrate everything. If the office is not there all coworkers start working from home. I've tried to find the answers to those questions in your blogs and literature online, but I really don't know the mindset of an auditor and what they consider a good solution or a solution that is in line with the risk assessment that we will present to them. Thank you in advance.
Bom dia,
Estamos preenchendo o documento intitulado: Politica_de_classificacao_da informacao_PT.
Surgiu uma dúvida quanto a definição de quem deverá realizar a classificação da informação quando recebida de fora da organização, uma vez que temos várias pessoas de diferentes áreas de podem receber esse tipo de informação, seja em meio físico, como correspondências, como em meio eletrônico como e-mails ou links de acesso a pastas de repositórios de dados.
O texto original do modelo é:
“Se informações classificadas forem recebidas de fora da organização, o [cargo] é responsável por sua classificação de acordo com as regras descritas nesta Política. Esta pessoa torna-se proprietário desses ativos de informação.”
Podemos colocar da seguinte forma?
“Se informações classificadas forem recebidas de fora da organização, o recebedor é responsável por sua classificação de acordo com as regras descritas nesta Política. Caso o recebedor não seja o destinatário final da informação, deverá encaminhar para quem de direito, e esta pessoa torna-se proprietário desses ativos de informação."
Dejan,
I know as part of the toolkit I can ask questions via email – but I am not sure who I am supposed to ask. So you win 😊
We are in the process of starting to implement the various components of ISO27001. Most are not documented yet. I am also starting my internal audit program planning. Here is my questions:
Do I need to complete an internal audit of ALL areas of ISO27001 BEFORE I can schedule/conduct my first external regulatory audit? It is my understanding that as part of continuous monitoring of the systems most companies break down the audit into sections and in a rolling 3 year period cover the entire standard. If that is the schedule I create, then my first external audit I will only have a portion of the standard covered by internal audit. Is that acceptable? Assuming it is, how much of the standard do you think (and I understand this is subjective) we should have completed before the external audit.
Please let me know if you have any questions
I'm trying to find document that maps the ASD (Australian Signals Directorate) ISM (Information Security Manual) controls to the ISO 27001 elements / controls. Do you know of such a document, or can you point me to someone who may know?
Hi, I would like to perform a BIA analysis based on the Advisera form. I have read your article - How to define activities when implementing business continuity according to ISO 22301. He's great and translates a lot. However, I have a problem with the approach to analysis in my case.
The company has a department which comprises 40 locations. They carry out the same activities but independently. An average of 100-150 people in one location.
1. Should I analyze the entire department at once and sum up the effects of losses (qualitative and financial) from all 40 locations?
2. Should I choose the largest location and analyze only one?
3. Or maybe I should complete 40 questionnaires?
I would like my approach to be in line with good business continuity practices.
How to conduct a risk analysis in this case? I understand that I need to analyze the risks for 40 locations?
Hi Dejan,
Hope you are doing well.
I bought your toolkit, but I still have some issues with the SMSI documents preparation.
For instance :
- The Document of the scope
The company has around 120 employees, has 2 sites, and 3 different activities: IT Solution integration, Training, and Cloud service provider.
One site contains the IT Solution integration and training Divisions with the HR & Commercial Departments, the other site contains the Cloud Division.
The company wants to certify only the Cloud Activity, but I want to check if we should include in the Scope the HR and Commercial departments to respond to the A.7 requirements and the security of customers personnel information & customers Contracts.
- The Business Continuity
Should we also prepare all the documents related to A.17 requirements even if the company doesn't plan to include the SMCA and business continuity certification in this scope ?
Thanks in advance for your support.
Dear Dejan,
I have a question for you about the Statement of Applicability. I’m doing an ISO 27001 implementation at a software company and the shareholders have given us only a couple of months. So I want to do a minimal project, doing only all the necessary policies, with the idea that we can expand on that in the coming years. So I looked at what documents are mandatory and which ones are not. But now I wonder how that translates into the SoA.
Example. We have a SaaS solution, so all information from customers is on very secure cloud systems from our suppliers. We don’t have very much information that is very exciting on Sharepoint servers. If the classification policy is not mandatory and if it’s not a risk coming out of risk analysis that we need to control, does this mean we can say No on A.8.2.1 and following controls, or can I say Yes and fill in the limited measures we have, like the secure data center and so on. How would you go about this?
If the organization has remote work for all employees, it does not have a physical environment and all processes are worked in the cloud, do these controls apply to the organization?
A.11.2.1 Equipment siting and protection
A.11.2.2 Supporting utilities
A.11.2.3 Cabling security
Thank you in advance.
