BS 7799/ISO 17799
Redundancy - Is it mandatory ? Dec 20 2007 07:17AM
iso 27000 (is27001 gmail com) (3 replies)
RE: Redundancy - Is it mandatory ? Dec 20 2007 09:18AM
Andreas Rauer (Andreas Rauer helpag de) (1 replies)
RES: Redundancy - Is it mandatory ? Dec 20 2007 03:23PM
Leandro Takegami (ltakegami msccruzeiros com br)
Hello iso27000 and members.

In our company we don´t work thinking about being in compliance with ISO27000, so far. We are just concerned about not losing money for any reason, and this comprises not having our internet link down, since we depend 100% on it.

So, we thought about having a backup link and router as well, but the costs were too high to have a "stand-by" and "maybe useless asset - hope so". As told here, management prefered to take the risks and carry on with our current and unique link, since acceptable statistical history is being provided along with a good sla contract.

You didn´t informed how is the usage of your link, but if I could I´d suggest you to consider about having load balancing with another provider, by "downgrading" your current link with this provider and try to hire another one, maybe the costs would be shared among them.

This is my experience.
Best regards,

-----Mensagem original-----
De: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] Em nome de Andreas Rauer
Enviada em: Thursday, December 20, 2007 7:18 AM
Para: iso 27000; bs7799 (at) securityfocus (dot) com [email concealed]
Assunto: RE: Redundancy - Is it mandatory ?

Hello list members,

as an intro:
an ISMS based upon ISO/IEC 27001:2005 does not mean implementing and ticking off security controls from ISO 27002 (ex-17799), it's a complex process to analyse and manage the risks for information risks in regard to your critical business processes.
(Something which cannot be said often enough.)

> We are in the process of getting ready for ISO 27001.
> We have an Internet link . Lot of our business has dependency on
> Internet link being up.

So it's definitely a (critical) business asset.
And therefore a good point for a business impact analysis. -> What happpens, if it crashes?
Kosala Atapattu did a good sketch in his post for this.

> The ISO consultant helping us has been insisting that I buy a spare
> router and get a backup Internet link. (..)

He insisted?
Spare router and backup link are good proposals as a measure for risk treatment, but it's still the duty of your companys management to evaluate the risk and to make the choice for appropiate risk treatment.

If they say it wouldn't be tolerable losing the internet link for two or more days (i'm just taking Kosalas numbers here) because some age-old router hardware went to hardware heaven and therefore all business would go down, then the spare router should be ordered already last week ;-) If management think the company can live just fine without internet for some days, accept "loss of internet connectivity due router hardware failure" as a residual risk and relay on your hardware vendor to ship you a replacement in time.

> I am not convinced about this need because
> - Last 4 years the router has not failed. I am convinced about its
> resilience
> - Internet link service provider has been meeting his SLAs
> consistently

These are good experiences as input for a risk analysis focused on the internet link, but they do not say anything about the future. At least i would look for a replacement for the "age-old" router. "Trusty" hardware becomes "rusty" just overnight - and tend to fail over the next weekend.

At least in my experience ;-)

> My question is
> - Is the ISO 27001 auditor going to question my above conviction. Is
> redundancy a mandatory requirement or can I document that as an
> acceptable risk[ or something else]?

Redundancy is no mandatory requirement of ISO 27001.
It's most of the time resulting as a response to the question "Okay, we have here a network link, which has a really high demand in terms of availability. How can we prevent/reduce outage time?"

One could argue "link redundancy" as a part of the implementation of control 10.6.2 of ISO 27002.
Control 10.8.4 (implementation guidance c)! ) as well.

If you document your choice for the risk treatment of "loss of internet connectivity due router hardware failure" comprehensible, no auditor should have any problem with that.

It's the auditors job to check if you operate your ISMS correctly, if you _know_ about the concrete (information security) risks for _your_ business processes and _do_ something about them - it's not to evaluate if your choice for a cisco router was good or you better else had chosen a juniper.

He may make a remark about his concerns using an old router, but this is (/should be) no major non-conformity preventing certification. But: you should use any such remarks it as input for the next ISMS review!

Kind regards,

Andreas Rauer
Consultant for Strategic Information Security ISMS Lead Auditor


Andreas Rauer

help AG | Zum Wartturm 9 | 63571 Gelnhausen |

T +49 6051 9749-42 | F +49 6051 979710

andreas.rauer (at) helpag (dot) de [email concealed]

Vorstand: Soren Kroh, Christian Lumperda Vorsitzender des Aufsichtsrats: Ralf Sonnen
Firmensitz: Gelnhausen, AG Hanau HRB 13144

[ reply ]
Re: Redundancy - Is it mandatory ? Dec 20 2007 07:34AM
Kosala Atapattu (kosala atapattu gmail com)
Re: Redundancy - Is it mandatory ? Dec 20 2007 07:29AM
K K Mookhey (kkmookhey gmail com) (1 replies)
RE: Redundancy - Is it mandatory ? Dec 20 2007 08:59AM
Craig Wright (Craig Wright bdo com au)


Privacy Statement
Copyright 2010, SecurityFocus