Risk Assessment, Business Continuity Planning, Testing, BCP, etc as part of ISO 27001

AnandR

Good Morning,

I am a team member in my company performing Risk Assessment, Business Continuity Planning, Testing BCP, etc. as part of ISO 27001. We have employed quite a few consultants to seek their guidance to guide us in completing the activities mentioned. But each one directs us in different directions, and we have spent a considerable amount of time and money with no deliverables.

Requesting help on what to do.

Thanks
Anand
 

Richard Regalado

Trusted Information Resource
Re: Risk Assessment, Business Continuity Planning, Testing, BCP, etc as part of ISO 2

Hey AnandR! How are you man?!

Can you put more context into your question?

Where are you with the risk management process? What have you done so far? ISO/IEC 27001 provides certain tasks which must be completed -

- asset identification
- asset valuation in terms of CIA
- threat and vulnerability determination
- determine impacts to these threats
- etc etc etc

Have you performed the above steps?

Do you have a copy of ISO/IEC 27005:2011 Information security risk management? (http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=56742)

Cheers!
 
AnandR

Re: Risk Assessment, Business Continuity Planning, Testing, BCP, etc as part of ISO 2

Hello Richard,
Thanks for your response. Yes, the asset identification with CIA and possible threats and vulnerabilities are completed. We now need to define Risk Criteria, etc. and then come up with a BCP and perform a couple of BCP tests.
Thanks
Anand
 

Richard Regalado

Trusted Information Resource
Re: Risk Assessment, Business Continuity Planning, Testing, BCP, etc as part of ISO 2

By risk criteria are you referring to the levels of acceptable risks? If so, go and ask your management for this. They are the ones responsible for defining the amount of risk that your organization can tolerate.

Do you need a BCP?

Regards!
 
AnandR

Re: Risk Assessment, Business Continuity Planning, Testing, BCP, etc as part of ISO 2

Yes Richard. If I can get a sample document for BCP it would be great. Thanks
 

Richard Regalado

Trusted Information Resource
Re: Risk Assessment, Business Continuity Planning, Testing, BCP, etc as part of ISO 2

Why do you need a BCP for your organization AnandR?

  • Is it because of the risk assessment process?
  • Is it because your consultants told you to have it?
  • Is it because you just want to have one?
 
AnandR

Re: Risk Assessment, Business Continuity Planning, Testing, BCP, etc as part of ISO 2

Hello Richard,
It is because of SLA where we need to provide continued service.
Thanks
Anand
 

Richard Regalado

Trusted Information Resource
AnandR

Re: Risk Assessment, Business Continuity Planning, Testing, BCP, etc as part of ISO 2

Thanks a lot Richard
 