ISO 22301 certification
I have two questions and I hope you can help finding the answers.
1. When looking for certification in *** I realize that there are not really a lot of people with experience in 22301. I talked to *** and they all struggle to find a proper contact to talk to. On the ISO Website, I saw the 2018 survey than resulted in a total of 1128 certifications worldwide and only 7 in ***. Do these numbers seem correct to you? Do you know German companies with a 22301 certification?
2. We realized that a cyber attack is a very likely threat. As Financial Services we rely heavily on our IT department (who is in the process of getting certified by 27001). How can we handle that in the scope of the BC Plan? Is it OK to delegate the responsibility to IT or do we have to come up with our own detailed plans? We need to come up with ideas and plans on what to do when such an incident occurs and how we e.g. bridge the first hours and days, but it is difficult to take ownership for fixing the IT part. How can that be handled?
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
1. When looking for certification in *** I realize that there are not really a lot of people with experience in 22301. I talked to *** and they all struggle to find a proper contact to talk to. On the ISO Website, I saw the 2018 survey than resulted in a total of 1128 certifications worldwide and only 7 in ***. Do these numbers seem correct to you? Do you know German companies with a 22301 certification?
We do not know this country ISO 22301 environment well enough to provide an objective answer, but we can suggest you contact certification bodies in this country and ask for the number of companies they certified in this country.
2. We realized that a cyber attack is a very likely threat. As Financial Services we rely heavily on our IT department (who is in the process of getting certified by 27001). How can we handle that in the scope of the BC Plan? Is it OK to delegate the responsibility to IT or do we have to come up with our own detailed plans? We need to come up with ideas and plans on what to do when such an incident occurs and how we e.g. bridge the first hours and days, but it is difficult to take ownership for fixing the IT part. How can that be handled?
Please note that a BC Plan has to cover two major groups of activities: support activities and business activities. Considering that, although you can delegate the recovery of information systems to the IT department, there may be a need for other actions not related to IT to be executed. For example, in case of disruption of internal organization's communication services, an emergent alternative could be resuming activities through employees' cellphones, and such activity should be organized by the manager of each team until the IT can recover internal communications.
This article will provide you a further explanation about elaborating a BCP:
- Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/
This material can also help:
- Writing a business continuity plan according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/writing-a-business-continuity-plan-according-to-iso-22301-free-webinar-on-demand/
Comment as guest or Sign in
Jun 10, 2020