Question about IS in Business Continuity Management (A.17.1)

Sizzles

#1
Our company already has a Business Continuity Plan installed and in alignment with ISO 22301. I am reviewing the controls in Annex A of ISO 27001:2013 for the ISMS we are trying to implement and certify. I am confused by a bit of the verbiage in the control. It starts with "Information security ASPECTS OF business continuity management," and then moves on to the control details with the end focus of "ensure the required level of continuity for information security during an adverse situation."

Do we need to draw up separate documentation for this control or can we simply defer to the company BCP, particularly the sections regarding data back-up, recovery, and restoration?

Or is this control about only establishing how the processes and procedures of the ISMS would persist through the activation of a BCP, i.e. risk assessments at the time a disaster occurs?

Hope this question makes sense :(
 
#2
Great question! As far as I understand, you can simply align to your BCM plan, while you ensure the SECURITY aspects are also taken care of.
 

Richard Regalado

Trusted Information Resource
#3
Hello. As quick and as simple as I can because the wife is calling me now.

BC strategy: when the stuff hits the fan, transfer operations from Site A to Site B, which is 100 km away.

To address the requirements of ISO/IEC 27001 A.17, whatever infosec controls you have in Site A must also exist in Site B. It makes sense. The information you are trying to preserve and protect did not change. Your environment and geographical location did, and maybe some of the processes did (from automatic to manual - remember you are in BCP mode), but the information is the same: same sensitivity, same criticality, same requirements for availability, etc.

Meaning, if you have ABC anti-virus in Site A and router XYZ and guard Jane to protect the employees, the same must also be in Site B. Well, maybe not Jane exactly (could be Karen), but someone who can offer the same level of protection.

In a nutshell, that is information security continuity.

Goodnight good folks of the Cove.
 