BS 7799/ISO 17799
Redundancy - Is it mandatory ? Dec 20 2007 07:17AM
iso 27000 (is27001 gmail com) (3 replies)
RE: Redundancy - Is it mandatory ? Dec 20 2007 09:18AM
Andreas Rauer (Andreas Rauer helpag de) (1 replies)
RES: Redundancy - Is it mandatory ? Dec 20 2007 03:23PM
Leandro Takegami (ltakegami msccruzeiros com br)
Re: Redundancy - Is it mandatory ? Dec 20 2007 07:34AM
Kosala Atapattu (kosala atapattu gmail com)
Re: Redundancy - Is it mandatory ? Dec 20 2007 07:29AM
K K Mookhey (kkmookhey gmail com) (1 replies)
RE: Redundancy - Is it mandatory ? Dec 20 2007 08:59AM
Craig Wright (Craig Wright bdo com au)
The record of past uptime is a statistical prior. It is not a control and cannot be used as one.

As for the judgement as to whether a redundant link is necessary, this is a question of the business model deployed - that is, the risk model, business need and other factors that are not being mentioned.

Dr Craig Wright (GSE-Compliance)

Craig Wright
Manager of Information Systems

Direct : +61 2 9286 5497
Craig.Wright (at) (dot) au [email concealed]
+61 417 683 914

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497



From: listbounce (at) securityfocus (dot) com [email concealed] [listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of K K Mookhey [kkmookhey (at) gmail (dot) com [email concealed]]
Sent: Thursday, 20 December 2007 6:29 PM
To: iso 27000
Cc: bs7799 (at) securityfocus (dot) com [email concealed]
Subject: Re: Redundancy - Is it mandatory ?

Redundancy is not mandatory. In fact, your mitigating controls - the
SLA and the historical data to support your link uptime - do seem to
be quite effective. Your ISO 27001 audit won't fail, but the
consultant does have a valid point - link redundancy (of a lower
bandwidth) would be a worthwhile idea if your business does depend so
much on the link.

K. K. Mookhey
Principal Consultant
NII Consulting
Mobile (India): +919820049549
Mobile (GCC): +97339754742
Tel: +91-22-2839 2628

AuditPro - Comprehensive policy-based security auditing

On Dec 20, 2007 12:47 PM, iso 27000 <is27001 (at) gmail (dot) com [email concealed]> wrote:
> Hi,
> We are in the process of getting ready for ISO 27001.
> We have an Internet link. A lot of our business has dependency on
> Internet link being up.
> The ISO consultant helping us has been insisting that I buy a spare
> router and get a backup Internet link. That obviously means I need to
> put some money.
> I am not convinced about this need because
> - Last 4 years the router has not failed. I am convinced about its resilience
> - Internet link service provider has been meeting his SLAs consistently
> My question is
> - Is the ISO 27001 auditor going to question my above conviction? Is
> redundancy a mandatory requirement or can I document that as an
> acceptable risk [or something else]?
