The links between ISO 27001 and ISO 22301
Continuity – Information Security
ISO 27001 provides the requirements for establishing, operating and continually improving an Information Security Management System (ISMS).
ISO 22301 specifies the requirements for planning, establishing, implementing, operating, monitoring and improving a Business Continuity Management System (BCMS; SMCA in French) that protects against, reduces the likelihood of, prepares for, responds to and recovers from disruptive incidents.
The business continuity requirements of ISO 22301 and the information security requirements of ISO 27001 are inseparable on this point: ISO 27001 requires information security to be maintained during a disruption (Annex A, information security aspects of business continuity), and the Business Impact Analysis required by ISO 22301 identifies the information systems on which the critical activities depend.
Eg2si offers its expertise precisely on the information system side of continuity.
Thanks to cross-cutting knowledge of different business functions, in-depth knowledge of the requirements of the ISO standards and more than 15 years' experience in IT service management, we support you through all of these phases.
Develop your Information Security Management System (ISMS)
Lessons learned: the keys to a successful ISMS implementation:
- Integrate the operational teams into the management of security measures
- Appoint a CISO
- Create a security committee
- Establish a RACI matrix
- Involve the head of the company (top management)
Choosing the scope of the ISMS (Plan)
Define the scope, activities and assets to which the ISMS applies, and justify any areas excluded from that scope. Identify the gaps between the current state and the requirements of the standard (gap analysis).
Statement of intent
Once the scope is delineated, define the information security strategy. This statement of intent is formalized in an Information Security Policy drafted and signed by executive management.
Risk analysis approach
Identify the risks within the scope using a risk assessment method appropriate to the context (MEHARI, EBIOS, ISO 27005), then have the risk treatment plan validated.
Security objectives (Do)
The risk treatment plan drives the security objectives to be achieved. The security measures selected for the identified risks are implemented as projects and framed by project monitoring and steering meetings.
Operate the ISMS (Check)
All security measures are reviewed according to the Deming cycle (Plan, Do, Check, Act), the basis of continual improvement.
Monitoring the ISMS (Act)
Measure the health of the ISMS and apply corrective actions where needed:
- Corrective actions on non-conformities
- Management review and approval of the ISMS
- "White" (mock) audit when a certification audit is planned
Develop your ISO 22301 Business Continuity Plan (BCP, PCA in French)
Continuity management covers resuming activities after a disruption and managing the process as a whole: training the stakeholders involved, running exercises and revising the plans so that the business continuity arrangements remain operational. It applies the Plan-Do-Check-Act (PDCA) cycle to define, implement, monitor and improve the system.
Defining the scope
This is an essential prerequisite for implementing a BCMS. The scope is defined in organizational, functional and physical terms.
It secures executive management's support and begins mobilizing the parties involved.
Document control and management
These controls ensure that documented information is:
- Legible, easily identifiable and traceable,
- Stored, protected and available when needed.
The risk assessment then allows the organization to understand the threats and vulnerabilities that weigh on its critical activities.
Business Impact Analysis (BIA)
Identify the organization's critical activities, the recovery time each one can tolerate, and the minimum resources needed to operate in degraded mode.
Crisis management and continuity strategies
Implement the arrangements needed to manage the crisis situation and resume operations within the target recovery time (RTO).
Risk Treatment Strategies
For each critical activity, identify measures that:
- Reduce the likelihood of a disruption occurring
- Avoid a sudden halt of the activity
- Limit the impact of a shutdown on activities
Business continuity plan
Establish documented procedures to respond to a disruptive incident and continue or re-establish activities within a predetermined time frame.
Testing and continual improvement
The business continuity plan is validated through tests and exercises and updated on the basis of the results obtained.
The tests verify that the BCP still matches the requirements of the activities it covers.