ISO 27001 query
1. Can I seek your advise on the how much is the RTO usually set for a company offering SaaS based solutions? Does the ISO 22301 define any times? I understand that it depends on various org-specific factors, but want to get a idea on industry best practices.
2. We also had the below queries relating to BYOD, in case we want to implement a BYOD policy:
Should the organisation ensure an anti-malware / anti-virus solution has been installed on all personal devices?
3. What are the minimum device management controls that the org should have control over?
I understand that these are not specifically defined in the ISO 27001 standard, and therefore need your advise on what controls are considered bare minimum, and as per industry best practices, to help us pass the certification.
Assign topic to the user
1. Can I seek your advise on the how much is the RTO usually set for a company offering SaaS based solutions? Does the ISO 22301 define any times? I understand that it depends on various org-specific factors, but want to get a idea on industry best practices.
ISO 22301 does not prescribe RTO values. Instead, it provides a framework for organizations to understand their business continuity needs and define the proper RTO values according to the criticality of their services and risk tolerance. Normally RTOs are measured in terms of hours, minutes, or seconds, with lower numbers representing less downtime but greater costs in investments.
You should avoid taking as reference values from other organizations because RTOs need to be based on the specificities of your own business.
For further information, see:
- What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)? https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/
2. We also had the below queries relating to BYOD, in case we want to implement a BYOD policy:
Should the organisation ensure an anti-malware / anti-virus solution has been installed on all personal devices?
Please note that security controls to be implemented need to be based on the results of risk assessment and applicable legal requirements.
In case you do not have any relevant risk, or laws, regulations, or contracts demanding an anti-malware / anti-virus solution, you do not need to implement it. However, in most cases, we see companies implementing anti-malware on all laptops.
For further information, see:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
3. What are the minimum device management controls that the org should have control over?
I understand that these are not specifically defined in the ISO 27001 standard, and therefore need your advise on what controls are considered bare minimum, and as per industry best practices, to help us pass the certification.
The same answer from the previous question applies here. You need to perform a risk assessment and evaluate applicable legal requirements to identify relevant controls to be implemented for device management.
Please note that simply applying best practices will not help you with the certification process, because the certification auditor will look for if you have implemented controls based on risk assessment and evaluation of legal requirements properly performed. Further, there are no "industry best practices" that would be universally accepted.
This material may help you:
- Checklist of Cyber Threats & Safeguards When Working From Home https://info.advisera.com/27001academy/free-download/checklist-of-cyber-threats-and-safeguards-when-working-from-home
Comment as guest or Sign in
Mar 01, 2023