Hi,
My company is ISO 27001:2013 certified. It has multiple facilities across cities within the same country. Backup and business continuity related controls are applicable, and all centers are within scope. Yet one of the centers did not have offsite backups. Separate offsite backup media were maintained, but no real offsite location had been identified (due to certain administrative issues). The media were all just kept onsite (in a fireproof vault), waiting to be transferred to an offsite location once one was identified, which never happened for a long time, including when the ISO 27001 certification audit took place there.
The center got certified for ISO 27001, and this gap was not reflected in the audit report as a Non-Conformity (neither Major nor Minor).
Can an organization get ISO 27001 certified (assuming it displays compliance with all other requirements) if it fails to maintain offsite backups for one of its centers under the scope, when business continuity and backup related controls are applicable?
I am just trying to understand the Lead Auditor's perspective behind not identifying this gap as a major NC.
Thanks.