Relevance of Offsite backups process compliance and ISO 27001 certification.

[patkim]

Hi,
My company is ISO 27001:2013 certified. It has multiple facilities across cities within the same country. Backups and business continuity related controls are applicable and all centers are within scope. Yet one of the centers did not have offsite backups. Separate offsite backup media were maintained but there was no real offsite location identified (Due to certain administrative issues). Media were all just kept at onsite itself (In a fire proof vault), waiting to be transferred to offsite location once it would be identified, which never happened for a long time and even when ISO 27001 certification audit happened there.

The center got certified for ISO 27001 and this gap did not reflect in the audit report as Non Conformity (Neither Major nor Minor).

Can an organization get ISO 27001 certified (Assuming it displays compliance with all other requirements) if it fails to maintain offsite backups for one of its center under the scope, when business continuity & backup related controls are applicable?

I am just trying to understand the Lead Auditor perspective behind not identifying this gap as a major NC.
Thanks.

 

[AndyN]

What's the risk involved? Maybe the Lead Auditor considered it to be low risk (although based on what?)

 

[patkim]

As such I was not the risk owner, however the risks involved that I am aware of are non availability of backup due to Fire, Natural Calamity etc, when one needs to make alternate arrangements for business continuity.
Business continuity has been identified as a required control in the SOA.

 

[smohanarangan]

You have a backup process in place but saving it in offsite location or in cloud alone is not there. I understand your concern during Fire or natural calamity.

If the business owner want to accept this risk with some future action plan in place, then I don't think this will be a problem.