disaster recovery." It's not clear to me if its enough with Polices and Procedures and BIA, or is needed something else (some kind of controls), Could please put some light in my doubts?
Answer:
ISO 27001 nor ISO 27002 are not very clear when it comes to business continuity. But yes - BCM policy, business impact analysis, but also identification of context and interested parties should be enough to identify all the requirements for business continuity.
It seems to me you are referring to your question to ISO 27002, so you should primarily read what ISO 27001 says in its clause 4.
2. The field Valid as of date indicates the date from which the document and its content is applicable. It me be months after validation, for example when the organisation has to acquire and install technology or gain a specific competence.
Best regards
security audit of a hypothetical supplier
Hi Victor
The audit should go on how the provider complies with the contract your company did pass with them. Controls A15.1.1 to A15.2.2 are pertinent for the security clauses when they are included in the SOA:
A15.1.1 Information policy for supplier relationship;
A15.1.2 Addressing security within supplier agreements;
A15.1.3 Information and communication technology supply chain;
A15.2.1 Monitoring and review supplier services;
A15.2.2 managing changes to supplier services.
To whom to handover confidential data in case of a disaster?
As part of your business continuity plans, you have to define the deputies/substitutes for each and every person who perform certain important activity. Therefore, you have to define upfront who will be responsible to manage those important files in case the persons who are normally in charge for that would be unavailable.
There is a crucial difference between ISO 27001 and ISO 27002. The first one is a set of requirements for an information security management system. The second one a code of practice with a list of controls to operate and manage information security and can be uses without relation with ISO 27001.
SO 27001 requires an audit and a system of audits. This is a mandatory procedure to make sure the ISMS still complies with the documentation and, if certified, with the certificate.
This is not the case for ISO 27002 where the controls are to be selected them through a risk management process. None is, initially a mandatory procedure.
ISO 27002:2013 control 12.7.1 covers the risk that an audit would disturb the business process and the operation. So the intention is completely different to the requirement in ISO 27001 and there is no reason worry about.
List of Legal, Regulatory, Contractual and Other Requirements
First of all, you should list laws and regulations that are applicable to your company; if you don't have supplier contracts you should list all your partners and customers with whom you have contracts or other arrangements. You should list only those that have an influence on your information security - e.g. those with requirements on backup, access control, physical protection, etc.
There is no special preparation for those surveillance visits, you just have to make sure you do everything you have written in your BCMS documentation. Here is one article that speaks about ISO 27001, but it is completely applicable to ISO 22301 as well: How to maintain the ISMS after the certification https://advisera.com/27001academy/blog/2014/07/14/how-to-maintain-the-isms-after-the-certification/
Regarding the internal audit, it doesn't really matter whether it is performed internally or by an external party as long as in this internal audit the auditor checks whether your company (1) complies with ISO 22301, and (2) complies all the policies, procedures and plans you have written in your BCMS. This article can help you: How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
Senior management does not want to spend money and resources
What level of training a Business Owner [who is in charge of many applications] is required to manage the risk in the applications with PII, with many partners?
How to I bring these Business Owners on board to manage risk in their applications?
[Frankly they will attest any documentation that I ask for..., without understanding the full implications; but that do not mitigate data security specially under PII].
Concern is Reference to Annex A: the 14th domain of ISO 27001:2013 - System acquisition, development and maintenance
Can the entire controls of 14th domain be excluded from Statement of Applicability with appropriate justifying statements?
OR
Would certain sub domains of the 14th domain, which do not specify application relevance and in general addresses 'systems' have to be included in Statement of Applicability?
Answer :
You should select the controls based on 1) legal, regulatory and contractual requirements, 2) risk management activity.
You dont tell if A14 controls are excluded due to the rule above or Application Development and Maintenance are outsourced (because you dont have the internal capability) or are simply excluded from the scope for any other reason.
In the second case, what you out source has to be covered by the controls A15.
However, it sounds me strange to certify an empty IT infrastructure. You probably have data and applications on it. A14.1 is then fully mandatory based on the rule in the first sentence.