Application of BCP on ISO 27001

Guest user, created: Dec 20, 2018, last commented: Dec 20, 2018

If there is no commitment in contracts with customers on providing resiliency, and the risk of not having a BCP is acceptable, will ISO 27001 still be looking at information security continuity in a BCP plan (not a BCP plan, so no information continuity)?


Expert
Rhand Leal Dec 20, 2018

Answer:

Any control from ISO 27001 Annex A must be applied only if one of the following occurs:
- There are risks identified as unacceptable in the risk assessment that require the implementation of the control
- There are legal requirements (e.g., contracts, laws, and regulations) that require the implementation of the control
- There is a top management decision requiring the implementation of the control

If none of these occur, there is no need to implement any control considering ISO 27001 requirements, including BCPs.

So, considering your scenario, besides risks and contracts you should also verify that there are no laws and regulations applicable to your business requiring the implementation of BCPs, and that there is an explicit intention of top management not to implement BCPs for ISO 27001.

This article will provide you with further explanation about selecting controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
