BS 7799/ISO 17799
Redundancy - Is it mandatory ? Dec 20 2007 07:17AM
iso 27000 (is27001 gmail com) (3 replies)
RE: Redundancy - Is it mandatory ? Dec 20 2007 09:18AM
Andreas Rauer (Andreas Rauer helpag de) (1 replies)
Hello list members,

as an intro:
an ISMS based upon ISO/IEC 27001:2005 does not mean implementing and
ticking off security controls from ISO 27002 (ex-17799); it's a complex
process to analyse and manage the information risks in regard
to your critical business processes.
(Something which cannot be said often enough.)

> We are in the process of getting ready for ISO 27001.
>
> We have an Internet link . Lot of our business has dependency on
> Internet link being up.

So it's definitely a (critical) business asset.
And therefore a good point for a business impact analysis. -> What
happens if it crashes?
Kosala Atapattu did a good sketch in his post for this.

> The ISO consultant helping us has been insisting that I buy a
> spare router and get a backup Internet link. (..)

He insisted?
Spare router and backup link are good proposals as a measure for risk
treatment, but it's still the duty of your company's management to
evaluate the risk and to make the choice for appropriate risk treatment.

If they say it wouldn't be tolerable losing the internet link for two or
more days (I'm just taking Kosala's numbers here) because some age-old
router hardware went to hardware heaven and therefore all business would
go down, then the spare router should have been ordered last week already ;-)
If management thinks the company can live just fine without internet for
some days, accept "loss of internet connectivity due to router hardware
failure" as a residual risk and rely on your hardware vendor to ship
you a replacement in time.

> I am not convinced about this need because
> - Last 4 years the router has not failed. I am convinced about its
> resilience
> - Internet link service provider has been meeting his SLAs
> consistently

These are good experiences as input for a risk analysis focused on the
internet link, but they do not say anything about the future. At least I
would look for a replacement for the "age-old" router. "Trusty" hardware
becomes "rusty" just overnight - and tends to fail over the next weekend.

At least in my experience ;-)

> My question is
>
> - Is the ISO 27001 auditor going to question my above
> conviction. Is redundancy a mandatory requirement or can I
> document that as an acceptable risk[ or something else]?

Redundancy is not a mandatory requirement of ISO 27001.
Most of the time it results as a response to the question "Okay, we
have here a network link which has a really high demand in terms of
availability. How can we prevent/reduce outage time?"

One could argue "link redundancy" as a part of the implementation of
control 10.6.2 of ISO 27002.
Control 10.8.4 (implementation guidance c) as well.

If you document your choice for the risk treatment of "loss of internet
connectivity due to router hardware failure" comprehensibly, no auditor
should have any problem with that.

It's the auditor's job to check if you operate your ISMS correctly, if
you _know_ about the concrete (information security) risks for _your_
business processes and _do_ something about them - it's not to evaluate
whether your choice of a Cisco router was good or whether you would have
been better off choosing a Juniper.

He may make a remark about his concerns about using an old router, but this is
(/should be) no major non-conformity preventing certification. But: you
should use any such remarks as input for the next ISMS review!

Kind regards,

Andreas Rauer
Consultant for Strategic Information Security
ISMS Lead Auditor

--

Andreas Rauer

help AG | Zum Wartturm 9 | 63571 Gelnhausen | www.helpag.de

T +49 6051 9749-42 | F +49 6051 979710

andreas.rauer (at) helpag (dot) de

Vorstand: Soren Kroh, Christian Lumperda
Vorsitzender des Aufsichtsrats: Ralf Sonnen
Firmensitz: Gelnhausen, AG Hanau HRB 13144

