Expert Advice Community

Assistance on nonconformities

Guest user Created:   Jan 13, 2016 Last commented:   Jan 13, 2016

I request your help and assistance on a couple of minor nonconformities.

DejanK Jan 13, 2016

1. Finding:

Although the principles for engineering secure systems are in place, they are not documented and maintained.

Req: A.14.2.5

Objective evidence:
On reviewing the SoA it was found that secure system engineering principles are applicable; however, they are not available for review.

2. Finding:

Although the BCP has been consolidated, test records for the scenarios where the probability is high are not evident.

Req: A.14.1.5

Objective evidence:
On reviewing the business continuity plan and risk assessment register it was found that fire was identified under the high-risk category and was supposed to be tested.

Answer:

Regarding finding #1, you need to document your secure engineering principles; this article will help you: What are secure engineering principles in ISO 27001:2013 control A.14.2.5? https://advisera.com/27001academy/blog/2015/08/31/what-are-secure-engineering-principles-in-iso-270012013-control-a-14-2-5/

Regarding finding #2, you need to perform exercising and testing of your business continuity plan, focusing on a scenario based on your biggest risk(s); this article will help you: How to perform business continuity exercising and testing according to ISO 22301 https://advisera.com/27001academy/blog/2015/02/02/how-to-perform-business-continuity-exercising-and-testing-according-to-iso-22301/
