LIVE VIRTUAL TRAININGS
Learn in small groups from top experts and real-life examples

Expert Advice Community

Guest

Controls A.17.1

  Quote
Guest
Guest user Created:   Dec 03, 2021 Last commented:   Dec 03, 2021

Controls A.17.1

1 - Como definir los controles de seguridad de la información dentro de las actividades del plan de continuidad ? No entiendo si hay que definir en cada actividad como se aseguraría la seguridad de la información o tener un apartado general el plan de continuidad donde se mencioné que en todas las actividades se aplican los controles de seguridad de la información establecidos en los ambientes productivos. 2 - Adicionalmente como se prueba que hay controles de seguirdad de la información en el plan de continuidad? 1 - How to define the information security controls within the activities of the continuity plan? I do not understand if it is necessary to define in each activity how the security of the information would be ensured or have a general section the continuity plan where I mentioned that the information security controls established in the production environments are applied in all activities. 2 - Additionally, how is it proven that there are information security controls in the continuity plan?
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Dec 03, 2021

1 - How to define the information security controls within the activities of the continuity plan? I do not understand if it is necessary to define in each activity how the security of the information would be ensured or have a general section the continuity plan where I mentioned that the information security controls established in the production environments are applied in all activities.

The easiest way to comply with A.17.1 is to list all security processes within your company, and ensure these processes are covered through the Disaster Recovery Plan. In other words, do not focus on security controls, but focus on security processes.

To see how a Disaster Recovery Plan compliant with ISO 27001 looks like, please take a look at this template: https://advisera.com/27001academy/documentation/disaster-recovery-plan/

For further information, see:
- Disaster recovery vs Business continuity https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/


2 - Additionally, how is it proven that there are information security controls in the continuity plan?

Answer: The easiest way is to include references to controls described in ISO 27001 Annex A into the Disaster Recovery Plan document. For example, in the abovementioned template, you can add a section to include the controls covered by the actions defined in the plan.

For example, in case your plan includes activities for recovery of access control, then you can include the reference “Controls from ISO 27001 Annex A.9” 

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Dec 03, 2021

Dec 03, 2021