
"Quality Matters in your Business"

Monday, 22 April 2013

Business Continuity Management

Our winter has been the coldest (or second coldest, depending on which set of statistics you view); either way, it has been a very testing time for businesses. Heavy snow has meant that staff could not get into work and deliveries could not be made. The end result is that businesses are reviewing their business continuity plans. Most have a BCP in place, but extended periods of snow were not always included.

The revised plans should include the actions to be taken when access to workplaces is impossible and, of course, for dealing with the problems that arise where staff have managed to get to work but then cannot leave.

Some businesses are considering putting in stores of tinned and other long-life food, as well as bottled water, toilet rolls and so on.

In addition, stocks of rock salt will be topped up to ensure pathways are kept clear.

Businesses in areas that were subject to power outages which lasted for several days are looking at generators and other emergency power options as well as bottled gas for heating.

The 2012/2013 winter may be a one-off, and we may not see another winter like it for another fifty years; then again, we may have one next year. It is better to be safe than sorry.

Remember, BCM (Business Continuity Management) is part of ISO27001 (Information Security Management), which is due to be reissued as ISO27001:2013 later this year.

Monday, 8 April 2013

ISO27002 Information Security Code of Practice

This Standard, last reviewed and updated in 2005 and linked to ISO27001, is about to be re-issued as ISO27002:2013 later this year. The current position is that the draft has reached the "draft for public discussion" stage.

There were a number of inconsistencies in the 2005 code of practice which do seem to have been addressed in this draft.

Some of the section elements have been removed:

Addressing security when dealing with customers (6.2.2)
Controls against mobile code (10.4.2)
Information handling procedures (10.7.3)
Security of system documentation (10.7.4)
Business information systems (10.8.5)
Publicly available information (10.9.3)
User information for external connections (11.4.2)
Equipment identification in networks (11.4.3)
Remote diagnostic and configuration port protection (11.4.4)
Network connection control (11.4.6)
Network routing control (11.4.7)
Input data validation (12.2.1)
Control of internal processing (12.2.2)
Message integrity (12.2.3)
Output data validation (12.2.4)
Session timeout (11.5.5)
Limitation of connection time (11.5.6)
Sensitive system isolation (11.6.2)
Information leakage (12.5.4)
Business continuity and risk assessment (14.1.2)
Developing and implementing business continuity plans (14.1.3)
Business continuity planning framework (14.1.4)
Prevention of misuse of information processing facilities (15.1.5)
Protection of information systems audit tools (15.3.2)

These controls have not been entirely abandoned: they have been incorporated elsewhere in the standard or renamed for clarity, but they are no longer duplicated as before.

There will be 14 control sections in the new standard (items 5 to 18 in the structure below) instead of the 11 sections in the 2005 standard, but the number of controls required to be addressed has come down from 133 to a mere 113.

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Structure of this standard
  5. Security Policies
  6. Organisation of information security (now includes controls for mobile devices, apps and teleworking)
  7. Human resource security
  8. Asset management
  9. Access control ("Password" is supplemented by "Secret Authentication" to recognise that other methods may be used to validate users' identities)
  10. Cryptography (now given a separate section to recognise its importance)
  11. Physical and environmental security
  12. Operations security (operations and communication now separate sections)
  13. Communications security
  14. System acquisition, development and maintenance
  15. Supplier relationships (new separate section)
  16. Information security incident management
  17. Information security aspects of business continuity management
  18. Compliance

The revised standard seems to be more ordered, rather than the scattered approach used in the 2005 standard. As mentioned in the 27001 blog last time, it is a pity that there is not more emphasis on the cloud, but there is still time for this to be incorporated.

Remember, this is only a draft and it may (almost certainly will) change before final publication in the fourth quarter of 2013.

Quality Matters

P.O.Box 5479

T: 01621 857841
F: 01621 856016
M: 07702 193788

© 2015 Quality Matters Ltd. All rights reserved.