DRP applicability
A customer will have an ISO 27001 certification audit in July, and the DRP plan is already contracted for delivery in December with a signed contract. However, we know that in July there will be no evidence of the DRP test, only the project purchased with the evolution. He wants to know if this would lead to a major non-compliance, making the certification recommendation unfeasible.
The company in question has 2 servers in 2 cities. However, the systems are NOT complementary: one would not support the other in the event of a disaster. The DRP solution was therefore contracted to increase the capacity of the smaller equipment so that it can take over in case of interruption of the larger server. They already have the backup procedure; however, in the current situation, the company would not be able to keep all systems operating in the event of a disaster. The contracted project will be operational in December, but the audit will now be in July. The concern is that the DRP is stated in the Statement of Applicability, and in July we will not yet have the main evidence of a test carried out showing that the DRP is working, only in December, as promised. The question is whether this will be considered a Major NC for lack of practical evidence of the DRP test, or whether it would be a minor NC, given that the situation is contracted to be resolved in December.
Unimplemented controls reported as applicable in the Applicability Statement may in fact lead to non-compliance, but their degree will depend on other factors, such as whether they are related to relevant risks, or cause a mandatory clause of the standard to be breached.
In situations when a control is not yet implemented by the time of the certification audit, the best alternative to avoid a nonconformity is to accept the risks related to this control, inform in the Statement of Applicability (SoA) that the control is in an implementation situation, and present to the auditor the evidence of progress in implementation.
This way, the implementation situation cannot be characterized as a non-conformity.
These articles can provide more information:
- Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
- Infographic: The brain of an ISO auditor - What to expect at a certification audit https://advisera.com/articles/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/
This material can also provide more information:
- ISO 27001 / ISO 22301: The certification process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
Mar 26, 2021