ISO 27001 and ISO 22301 Policies
1. Currently the password policy is part of the ISMS and has a couple of lines. The policy is a framework that does not provide technical details. I see your policy template is slightly more expanded. What other document/statement/process/procedure do I need to develop to complement this policy, which will include details of the implementation and controls we use within the organization?
Answer: Documents you may consider to complement this policy are related to how to configure the password rules for users and for password management in specific operating systems and applications (e.g., one procedure for such configuration on Windows OS, another for Mac OS, etc.).
Please note that ISO 27001 is based on a risk management approach, so, from a standard’s point of view, such documents are necessary only if you have relevant risks that justify their implementation. If such risks do not exist, you do not need to create additional documents.
For further information, see:
- Risk treatment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
2. The password policy does not work. People are using digital files to store their passwords, use the browser to remember their passwords, or use private password management apps. How would I define the risk associated with this? I thought of the risk of noncompliance, but this is not the correct main risk. So what would be the risk associated with a not correctly defined password policy?
Answer: Considering the stated scenario, you should consider at least two risks:
- loss of confidentiality, in case passwords are leaked due to, e.g., improper storage, and unauthorized people have access to them.
- loss of availability, in case passwords are lost due to, e.g., fire or media corruption and people are unable to open the files/folders they need.
3. We have no patch policy and need to define the risk. Please note we have a robust patch policy which is decent. The only issue we have is that some users do not use the devices and they become high risk. Any info on the risk definition, as well as what we can enforce so the devices are connected once in a while (monthly), would be appreciated.
Answer: From your statement, I'm assuming you do not have a Patch Policy document, but you have a robust patch process.
Considering that, a risk you should consider is that devices become vulnerable due to long periods without getting updated. Regarding applicable controls, if users do not use the devices, as you said, controls to enforce updates won't be of much use without monitoring controls to identify which devices have missed important updates.
You can see how to set these rules in the IT Security Policy template, section 3.16.2 Basic rules. This template is located in folder 08 Annex A Security Controls >> A.8 Asset Management
4. We have no weekly vulnerability scanning. I am not sure how to define what the risk is, in terms of definition.
Answer: Without periodic vulnerability scanning, you may miss relevant zero-day threats or updates released by manufacturers that need to be applied to your assets, and outdated software may pose a risk to information security.
5. The same goes for not having visibility of the security stack. The support company is slow to provide me with reporting and read access to the security systems in place. I do not have good reporting to provide SME to the board.
Answer: The risk here is related to unavailable information about provided services, which may impact decision-making about information security and/or business initiatives.
In the Risk Assessment table included in your toolkit (in folder 05 Risk Assessment and Risk Treatment) you can find a set of suggestions of assets, threats, and vulnerabilities you can use to identify risks. Third-party services are also assessed through this document.
For further information, see:
- Risk assessment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
BC/DR
6. On the BC/DR, where do I start? We have one general overview of the BC/DR as a policy with a people hierarchy.
Answer: To develop the BC/DR plans you only need to follow the steps in the “Business continuity” folder, and fill out the documents in the order they are presented in the folder.
7. Resilience and Emergency Planning exercise - We previously did a live one, but we should consider tabletop and other ways of doing it (I have not been involved). What would be your recommendation on how to lead and prepare for this? Please note my previous company was only 30 people and was straightforward. Now it is 250, with a number of departments, and it needs to follow some government framework.
The total blackout plan (a week of no electricity). Please note our business would not suffer any damage from this downtime. Only a couple of people after that period need to be able to communicate.
Any suggestions on where to start would be great.
Answer: Approaches you can consider for performing BCP tests will vary considering the effort, resource allocation, and required confidence in test results:
- Desk check – checking the plans by means of auditing, validation, and verification techniques
- Plan walk-through – checking the plans by means of team interaction
- Functional testing – testing all interrelated plans for selected activities (including supplier procedures) with real resources in a controlled (announced) exercise
- Full testing – all activities are relocated from the original site to the alternative site (announced or unannounced)
Our suggestion is to start with a Desk check and prepare a plan defining when other tests can be performed. This way you can ensure a gradual increase in test effort, while all people involved will gain confidence in the plan and in their skills to perform it, and at the same time, you can provide the required corrective and preventive actions.
For conducting BCP and DRP tests the most important points are:
- Define the purpose of the test (e.g., check if the activities are still valid, if personnel are aware of them and know how to perform them, etc.)
- Define clear goals (e.g., the maximum time to conclude the test, how many activities were recovered, etc.)
- Define the test strategy (e.g., tabletop, walk-through, simulation, etc.)
- Identify corrections to be made and opportunities for improvement
ISO 22301 does not prescribe a number of disaster recovery simulations or tests to be conducted per year, only that tests must be performed to provide enough confidence that the plans will work properly when needed.
Considering that, the number and type of tests to be performed should consider:
- the criticality of the plan for business continuity (i.e., which processes and services they are related to)
- the results of risk assessment and business impact analysis
- applicable legal requirements (e.g., laws, regulations, and contracts.)
In most cases, exercising and testing are done once a year.
This article will provide you with a further explanation about BCP and DRP tests:
- How to perform business continuity exercising and testing according to ISO 22301 https://advisera.com/27001academy/blog/2015/02/02/how-to-perform-business-continuity-exercising-and-testing-according-to-iso-22301/
This material will also help you regarding BCP and DRP tests:
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
Jul 07, 2022