Expert Advice Community

ISO 27001 query

Guest user Created:   Jun 14, 2021 Last commented:   Jun 14, 2021

Hi, we are a software company, and we are currently implementing the ISO27k1 according to your documentation kit. We do not have a business continuity plan (ISO22301 might be implemented in the near future if we succeed with the ISO27k1). At this point we would just like to implement a disaster recovery plan.

Background about the company:

- software company;
- all of our critical services are in the cloud;
- we are cloud agnostic and can migrate the entire infrastructure in a matter of hours;
- coworkers are used to working from home;
- we have just one office location;
- all services running in the local datacenter are also backed up in the cloud and can migrate there in a matter of minutes with minimal data loss;
- we work exclusively through VPN/IPSec tunnels and we use 2FA authentication for 90% of the services.

My questions are the following. In the case of a major event that has led us to start the disaster recovery plan:

1. Is it possible to describe a scenario where something has happened to our office and all our coworkers just get a laptop and a 4G hotspot and connect to a VPN in the cloud where our services run? So, this means they can work from home and not be in the office. The communication channel will always be secure and encrypted, and in the risk assessment we consider this to be an acceptable risk. The coronavirus situation has actually proven this to be quite an effective strategy, since we've been working like that for more than a year and we haven't run into problems of any kind. We miss partying together though ... Would an ISO27k1 auditor be comfortable with a solution like this one?

2. Our servers and services run in the cloud, so even if there is a breach or some other kind of event related to information loss, we can pretty much return everything to working order in a matter of hours. And we've stated that we are OK with 1 day of loss of information, so based on the risk assessment and scope it's OK. But again, I am not sure an auditor would see it this way.

3. We are creating copies of the servers/services and backing those up to different cloud providers, so if an event happens that only takes out one cloud provider, we can still operate by just spinning up the infrastructure on another cloud provider. Would that cover all of our bases? In an event where the internet is lost, or the major cloud providers are gone ... we might not want to continue operations.

4. How thorough do we need to be when describing major events/incidents that can lead to the decision to put the disaster recovery plan into operation? Do we need to list every possible event or incident? Like hacker attack, cryptovariation ransomware attack, worm attack, political embargo on services or war, force majeure conditions? The only change in the disaster recovery plan is whether the office is still usable and standing: if it is, we just continue from backups or migrate everything; if the office is not there, all coworkers start working from home.

I've tried to find the answers to those questions in your blogs and literature online, but I really don't know the mindset of an auditor and what they consider a good solution, or a solution that is in line with the risk assessment that we will present to them. Thank you in advance.
Expert
Rhand Leal Jun 14, 2021

1. Is it possible to describe a scenario where something has happened to our office and all our coworkers just get a laptop and a 4G hotspot and connect to a VPN in the cloud where our services run? So, this means they can work from home and not be in the office. The communication channel will always be secure and encrypted, and in the risk assessment we consider this to be an acceptable risk. The coronavirus situation has actually proven this to be quite an effective strategy, since we've been working like that for more than a year and we haven't run into problems of any kind. We miss partying together though ... Would an ISO27k1 auditor be comfortable with a solution like this one?

As long as you can evidence that this strategy is achieving your defined objectives (e.g., Recovery Time Objective and Recovery Point Objective), it will be acceptable to the certification auditor.

For further information, see:

2. Our servers and services run in the cloud, so even if there is a breach or some other kind of event related to information loss, we can pretty much return everything to working order in a matter of hours. And we've stated that we are OK with 1 day of loss of information, so based on the risk assessment and scope it's OK. But again, I am not sure an auditor would see it this way.

The same answer as for the previous question applies here.

Please note that the certification auditor will not provide an opinion about your strategies; he will only check whether you fulfill the standard's requirements and whether the decisions are backed up by gathered information. For example, he will check which information you used to define the 1-day loss limit, to see if the rationale makes sense.

For further information, see:

3. We are creating copies of the servers/services and backing those up to different cloud providers, so if an event happens that only takes out one cloud provider, we can still operate by just spinning up the infrastructure on another cloud provider. Would that cover all of our bases? In an event where the internet is lost, or the major cloud providers are gone ... we might not want to continue operations.

The decision about which bases to cover will depend on the impact that losing them will have on your business, as well as on how long you can wait for them to be recovered. To have data for an informed decision, you should consider performing a Business Impact Analysis (BIA) covering the business processes which rely on such bases (please note that a BIA is not required by ISO 27001; in this case it would be a good practice to help you make a decision).

For further information, see:

4. How thorough do we need to be when describing major events/incidents that can lead to the decision to put the disaster recovery plan into operation? Do we need to list every possible event or incident? Like hacker attack, cryptovariation ransomware attack, worm attack, political embargo on services or war, force majeure conditions? The only change in the disaster recovery plan is whether the office is still usable and standing: if it is, we just continue from backups or migrate everything; if the office is not there, all coworkers start working from home. I've tried to find the answers to those questions in your blogs and literature online, but I really don't know the mindset of an auditor and what they consider a good solution, or a solution that is in line with the risk assessment that we will present to them. Thank you in advance.

To activate the disaster recovery plan you do not need to take into account which event/incident has occurred, only the time that will be needed to recover operations. If this time is above the threshold defined in the disaster recovery plan, then you need to activate it.

For further information, see:

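The answers above turn on three checkable points: evidence that the strategy meets the defined RTO/RPO (answers 1 and 2), verified copies on more than one provider (answer 3), and activation of the plan on expected recovery time rather than on the kind of incident (answer 4). The following script is an added example, not code from this forum thread or from the toolkit vendor, showing how a small software company could generate that evidence from its own backup and DR-exercise records. The record layout, the service and provider names, the timestamps and the 8-hour RTO are all constructed assumptions; the 1-day RPO is taken from the question.

```python
"""Turn backup and DR-exercise records into auditable evidence against stated RPO/RTO.

Added example with constructed data; the record formats and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BackupRecord:
    service: str
    provider: str            # cloud provider that holds this copy (constructed names)
    completed_at: datetime
    restore_verified: bool   # True only if a test restore of this copy succeeded


@dataclass(frozen=True)
class DrTest:
    service: str
    started_at: datetime     # moment the DR plan was invoked in the exercise
    restored_at: datetime    # moment the service was usable again


def rpo_status(backups, now, rpo):
    """Per service: age of the newest restore-verified copy, and whether it is within the RPO."""
    newest_age = {}
    for b in backups:
        if not b.restore_verified:
            continue  # an unverified copy is not evidence that data can be recovered
        age = now - b.completed_at
        if b.service not in newest_age or age < newest_age[b.service]:
            newest_age[b.service] = age
    return {svc: (age, age <= rpo) for svc, age in newest_age.items()}


def rto_status(tests, rto):
    """Per service: measured recovery time of the most recent exercise, and whether it is within the RTO."""
    latest = {}
    for t in tests:
        if t.service not in latest or t.started_at > latest[t.service].started_at:
            latest[t.service] = t
    return {svc: (t.restored_at - t.started_at, t.restored_at - t.started_at <= rto)
            for svc, t in latest.items()}


def provider_coverage(backups):
    """Per service: the set of providers holding a restore-verified copy (answer 3)."""
    coverage = {}
    for b in backups:
        if b.restore_verified:
            coverage.setdefault(b.service, set()).add(b.provider)
    return coverage


def should_activate_dr(estimated_recovery, threshold):
    """Answer 4's rule: the trigger is the expected recovery time, not the kind of incident."""
    return estimated_recovery > threshold


def audit_findings(services, backups, tests, now, rpo, rto, min_providers=2):
    """Plain-language findings an auditor would ask about; an empty list means all objectives are evidenced."""
    findings = []
    rpo_s, rto_s, cov = rpo_status(backups, now, rpo), rto_status(tests, rto), provider_coverage(backups)
    for svc in services:
        if svc not in rpo_s:
            findings.append(f"{svc}: no restore-verified backup")
        elif not rpo_s[svc][1]:
            findings.append(f"{svc}: newest verified backup is {rpo_s[svc][0]} old, exceeds RPO {rpo}")
        if svc not in rto_s:
            findings.append(f"{svc}: no DR exercise recorded, RTO unproven")
        elif not rto_s[svc][1]:
            findings.append(f"{svc}: last DR exercise took {rto_s[svc][0]}, exceeds RTO {rto}")
        n = len(cov.get(svc, set()))
        if n < min_providers:
            findings.append(f"{svc}: verified copies on {n} provider(s), fewer than {min_providers}")
    return findings


# Constructed sample records (not real systems). RPO follows the question's "1 day of loss";
# RTO of 8 hours is an assumption standing in for "a matter of hours".
NOW = datetime(2021, 6, 14, 12, 0)
RPO = timedelta(days=1)
RTO = timedelta(hours=8)
SERVICES = ["git", "ci", "wiki"]
BACKUPS = [
    BackupRecord("git", "cloud-a", datetime(2021, 6, 14, 3, 0), True),
    BackupRecord("git", "cloud-b", datetime(2021, 6, 14, 3, 30), True),
    BackupRecord("ci", "cloud-a", datetime(2021, 6, 13, 2, 0), True),    # 34 h old: breaks RPO
    BackupRecord("ci", "cloud-b", datetime(2021, 6, 14, 4, 0), False),   # fresh but never restore-tested
    BackupRecord("wiki", "cloud-a", datetime(2021, 6, 14, 5, 0), True),  # only one provider
]
DR_TESTS = [
    DrTest("git", datetime(2021, 6, 10, 9, 0), datetime(2021, 6, 10, 11, 30)),  # 2.5 h
    DrTest("ci", datetime(2021, 6, 10, 9, 0), datetime(2021, 6, 10, 19, 0)),    # 10 h: breaks RTO
]

if __name__ == "__main__":
    for line in audit_findings(SERVICES, BACKUPS, DR_TESTS, NOW, RPO, RTO):
        print(line)
    print("activate DR for a 30 h outage estimate:", should_activate_dr(timedelta(hours=30), RPO))
```

The findings list is the artefact to keep: it shows the auditor which information backs the 1-day limit and which services were actually recovered within the stated time, which is what the expert says the auditor will check.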