Question about IS in Business Continuity Management (A.17.1)

Sizzles

#1
Our company already has a Business Continuity Plan installed and in alignment with ISO 22301. I am reviewing the controls in Annex A of ISO 27001:2013 for the ISMS we are trying to implement and certify. I am confused by a bit of the verbiage in the control. It starts with "Information security ASPECTS OF business continuity management," and then moves on to the control details with the end focus of "ensure the required level of continuity for information security during an adverse situation."

Do we need to draw up separate documentation for this control or can we simply defer to the company BCP, particularly the sections regarding data back-up, recovery, and restoration?

Or is this control about only establishing how the processes and procedures of the ISMS would persist through the activation of a BCP, i.e. risk assessments at the time a disaster occurs?

Hope this question makes sense :(
#2
Great question! As far as I understand, you can simply align to your BCM plan, while you ensure the SECURITY aspects are also taken care of.

Richard Regalado

Trusted Information Resource
#3
Hello. As quick and as simple as I can because the wife is calling me now.

BC strategy: when the stuff hits the fan, transfer operations from Site A to Site B which is 100 kms away.

To address the requirements of ISO/IEC 27001 A.17, whatever infosec controls you have in Site A must also exist in Site B. It makes sense. The information you are trying to preserve and protect did not change. Your environment and geographical location did, maybe some of the processes did (from automatic to manual - remember you are in BCP mode), but the information, it is the same: same sensitivity, same criticality, same requirements for availability, etc.

Meaning, if you have ABC anti-virus in Site A and router XYZ and guard Jane to protect the employees, the same must also be in Site B. Well, maybe not Jane exactly (could be Karen), but someone who can offer the same level of protection.

In a nutshell, that is information security continuity.

Goodnight good folks of the Cove.