ISO 27001 - Business Continuity Event Simulation Testing

john.b

Involved In Discussions
#1
Can anyone provide input about business continuity event simulation testing they have used? We need to improve our ISO 27001 system testing practices and documentation related to this. Any input would help (feedback, references, whatever).

As background, ISO 27001 requires business continuity planning and also testing of the planning and functional preparations. In the past we have used different types of "testing" as functional reviews and evidence:

- IT systems recovery testing, generally related to contracted customer requirements
- planned down-time as a functional test of power back-up systems
- fire drill practice as a test of emergency response planning (we didn't document it as a "BCP test," but it relates)
- desk-top tests to review other planning (a meeting).


Our auditors would prefer to see simulation testing, where we set up a scenario and test responses to this event as a run-through. It's not as easy as it sounds. How do you really simulate a flood?

The basics are obvious enough, the actual practice something else. You write out a scenario and then set aside a time and staff to conduct a response drill. Most critical is having the scenario and test conditions clearly spelled out and having observers to document what is happening as results, so later you can assess the success or failure of planning and event responses.

The reason we haven't done this is because we're not certified to a business continuity standard, only 27001, so it's not clearly required (testing is, not the form of it), and because it's not simple.

Thanks in advance for input.
 

john.b

Involved In Discussions
#4
I have a more general question about business continuity references I'll add here since it's not so different from this earlier one. I don't expect much to come of this either, just checking.

Now we are going to deepen our BCMS coverage by developing existing planning and documentation further, so I'm looking for more references to help with that (in addition to the past, narrower request related only to testing scope).


To get that started I'll mention a few related ideas.


Of course training courses are a primary reference, and consultant support comes in after that, and templates and standard plans don't work because it all needs to relate to one particular company--the standard answers. A BIA or risk assessment template should be possible, something like this for 27001 (information security).

One decent general reference source is the Business Continuity Institute's Good Practice Guidelines. I have a copy of an earlier version when they were freely available, but now they charge for these (24 pounds; 30-some dollars, not a lot as reference texts go). The only problem with the earlier version was how general it was, just vague background, but good for that.

Related to the previous question of testing, we've since gone through some emergency response testing and communications planning testing. It's very difficult to test the types of system failures we might experience that are most likely to cause disruptions (a flood or fire, UPS failure, etc.) but not so difficult to do a little with some aspects of responses.

Since some test types are walk-throughs, you really don't always need to flip breakers on critical systems for it to be a real test; it's just hard to do the full-scale major event simulations in any form. We're lucky we keep having real events here in Thailand to help us push planning (flooding, political crisis, etc.).

Input is appreciated, or I hope some of this is at least of interest.
 

Richard Regalado

Trusted Information Resource
#5
Hello Brian. One of the confusing elements of ISO/IEC 27001:2005 is the security domain on business continuity.

Fortunately, clarification has been made in the ISO/IEC 27001:2013 version. The requirement for a risk assessment in A.14.1.2 (2005 version) is no longer present in the 2013 version. The focus now is to maintain information security during adverse conditions and have sufficient redundancies to ensure availability.

To understand where you're coming from, are you planning to implement BCMS alongside your existing management systems? Are you looking for references/help on how to do this?

Cheers!
 

john.b

Involved In Discussions
#6
That's correct, we plan to implement a BCMS / ISO 22301 system in addition to an ISO 27001 system that was implemented 6 years ago. And I'm reviewing references.

We are planning training steps as well (both implementation and audit) but I would like to generate a preliminary gap assessment (internal) before the training step to support internal planning.

We will also use an external gap assessment review, but don't plan on that until we can do more development work to have more to review.

On the one hand we have some business continuity process development in place due to implementing it over so many years' time (framework, BIA, risk assessment, some BCP content, test procedure and records, communication planning, etc.). But the depth required to cover 27001 requirements and an independent BCMS is so different that what we have done isn't nearly substantial enough, so it feels a little like starting over.
 

john.b

Involved In Discussions
#8
Thanks much; that will be useful.

I had made up a draft of an implementation plan but it was missing a few ideas from this that would be helpful (e.g. clearly identifying output / deliverables on this plan, breaking BIA / RA development into defined stages).

The only thing on the plan draft I'd made that is not included here was an external gap analysis. We were considering having it conducted early in the project, but a staff member who has implemented BS 25999 elsewhere recommended we do it mid-implementation, or else they would only point out obvious gaps you've not started to address (less to actually assess).

Unfortunately that staff member is working out notice now, or we would have considerably more related internal experience to apply.

Since we are implementing this in an IT company (as he had), his input was to integrate it with an existing service catalogue and SLA parameters for services as a clear starting point for potential supporting process disruption (BIA step). Unfortunately ITSM (service management) is not as thoroughly implemented here as where he'd worked previously, so we don't have a lot of the same content, or as well organized.
 

Richard Regalado

Trusted Information Resource
#9
Why do I keep calling you Brian? LOL.

Looking at the service catalogue and SLA parameters is useful for the initial stages. Do you already have a copy of ISO 22301? I suggest you buy a copy if you don't have it yet.

One of the initial steps you need to do is to understand the context of your organization in relation to BCMS. Basically you need to list down external and internal issues relevant to the organization which may affect the BCMS.

You can summarize these issues into:

- BCMS contractual obligations - you are a data center, what are your commitments to clients? Needs and expectations of customers?

- Legal and regulatory requirements - do you have any government reportorial duties that you need to fulfill even if you are in BCP mode? What about salaries of employees that you need to pay even if your building burns to a crisp?

From these issues and requirements, determine the scope of your BCMS.
 