ISO 27001 - Business Continuity Event Simulation Testing

john.b

Involved In Discussions
Can anyone provide input about business continuity event simulation testing they have used? We need to improve our ISO 27001 system testing practices and documentation related to this. Any input would help (feedback, references, whatever).

As background, ISO 27001 requires business continuity planning and also testing of the planning and functional preparations. In the past we have used different types of "testing" as functional reviews and evidence:

- IT systems recovery testing, generally related to contracted customer requirements

- planned down-time as a functional test of power back-up systems

- fire drill practice as a test of emergency response planning (we didn't document as a "BCP test," but it relates)

- desk-top tests to review other planning (a meeting).


Our auditors would prefer to see simulation testing, that we set up a scenario and test responses to this event as a run-through. It's not as easy as it sounds. How do you really simulate a flood?

The basics are obvious enough, the actual practice something else. You write out a scenario and then set aside a time and staff to conduct a response drill. Most critical is having the scenario and test conditions clearly spelled out and having observers to document what is happening as results, so later you can assess the success or failure of planning and event responses.

The reason we haven't done this is because we're not certified to a business continuity standard, only 27001, so it's not clearly required (testing is, not the form of it), and because it's not simple.

Thanks in advance for input.
 

john.b

Involved In Discussions
I have a more general question about business continuity references I'll add here since it's not so different than this earlier one. I don't expect much to come of this either, just checking.

Now we are going to deepen our BCMS coverage by developing existing planning and documentation further, so I'm looking for more reference to help with that (in addition to past narrower request related to only testing scope).


To get that started I'll mention a few related ideas.


Of course training courses are a primary reference, and consultant support comes in after that, and templates and standard plans don't work because it all needs to relate to one particular company--the standard answers. A BIA or risk assessment template should be possible, something like this for 27001 (information security).

One decent general reference source is the Business Continuity Institute's Good Practice Guidelines. I have a copy of an earlier version when they were freely available, but now they charge for these (24 pounds; 30-some dollars, not a lot as reference texts go). The only problem with the earlier version was how general it was, just vague background, but good for that.

Related to the previous question of testing, we've since gone through some emergency response testing and communications planning testing. It's very difficult to test the types of systems failures we might experience that are most likely to cause disruptions (a flood or fire, UPS failure, etc.) but not so difficult to do a little with some aspects of responses.

Since some test types are walk-throughs you really don't always need to flip breakers on critical systems for it to be a real test, just hard to do the full-scale major event simulations in any form. We're lucky we keep having real events here in Thailand to help us push planning (flooding, political crisis, etc.).

Input is appreciated, or I hope some of this is at least of interest.
 

Richard Regalado

Trusted Information Resource
Hello Brian. One of the confusing elements of ISO/IEC 27001:2005 is the security domain on business continuity.

Fortunately, clarification has been made in the ISO/IEC 27001:2013 version. The requirement for a risk assessment in A.14.1.2 (2005 version) is no longer present in the 2013 version. The focus now is to maintain information security during adverse conditions and have sufficient redundancies to ensure availability.

To understand where you're coming from, are you planning to implement BCMS alongside your existing management systems? Are you looking for references/help on how to do this?

Cheers!
 

john.b

Involved In Discussions
That's correct, we plan to implement a BCMS / ISO 22301 system in addition to an ISO 27001 system that was implemented 6 years ago. And I'm reviewing references.

We are planning training steps as well (both implementation and audit) but I would like to generate a preliminary gap assessment (internal) before the training step to support internal planning.

We will also use an external gap assessment review, but don't plan on that until we can do more development work to have more to review.

On the one hand we have some business continuity process development in place due to implementing it over so many years' time (framework, BIA, risk assessment, some BCP content, test procedure and records, communication planning, etc.). But the depth required to cover 27001 requirements and an independent BCMS is so different that what we have done isn't nearly substantial enough, so it feels a little like starting over.
 

Richard Regalado

Trusted Information Resource
Brian, I am sharing here a BCMS project implementation plan which I use in developing BCMS for my clients. You can use this as your guide in implementing BCMS for your organization.

Feel free to ask me more questions.

Cheers!
 

Attachments

  • The Cove-Richard Regalado-BCMS Project Plan.xlsx (28.2 KB)

john.b

Involved In Discussions
Thanks much; that will be useful.

I had made up a draft of an implementation plan but it was missing a few ideas from this that would be helpful (e.g., clearly identifying output / deliverables on this plan, breaking BIA / RA development into defined stages).

The only thing on the plan draft I've made that's not included here was an external gap analysis. We were considering having it conducted early in the project but a staff member that has implemented BS 25999 elsewhere recommended we do it mid-implementation or else they would only point out obvious gaps you've not started to address (less to actually assess).

Unfortunately that staff is working out notice now or we would have considerably more internal related experience to apply.

Since we are implementing this in an IT company (as he had) his input was to integrate it with an existing service catalogue and SLA parameters for services as a clear starting point for potential supporting process disruption (BIA step). Unfortunately ITSM (service management) is not as thoroughly implemented here as where he'd worked prior, so we don't have a lot of the same content, or as well organized.
 

Richard Regalado

Trusted Information Resource
Why do I keep calling you Brian? LOL.

Looking at the service catalogue and SLA parameters is useful for the initial stages. Do you already have a copy of ISO 22301? I suggest you buy a copy if you don't have it yet.

One of the initial steps you need to do is to understand the context of your organization in relation to BCMS. Basically you need to list down external and internal issues relevant to the organization which may affect the BCMS.

You can summarize these issues into:

- BCMS contractual obligations - you are a data center, what are your commitments to clients? Needs and expectations of customers?

- Legal and regulatory requirements - do you have any government reportorial duties that you need to fulfill even if you are in BCP mode? What about salaries of employees that you need to pay even if your building burns to a crisp?

From these issues and requirements, determine the scope of your BCMS.