The webinar covers:
• ISO27001/ISO22301 differences
• ISO27001/ISO22301 relationship
• Conclusions
Presenter:
This webinar was presented by Michèle COPITET. Prior to founding her company, Michèle worked for 10 years at CAP GEMINI as a consultant and project manager; she is currently an accredited trainer for PECB and for APMG. Her company EGONA-CONSULTING (mc@egona-consulting.eu) provides consultancy, assessment and training in IT security management and in IT service quality management in France and abroad. She is certified ISO22301 LI/LA, ISO27001 LA, ISO27005 RM, CISM, ITIL v3 Expert, ISO20000, COBIT5 Assessor and Prince2 Practitioner.
Link of the recorded session published on YouTube: https://youtu.be/_z_BAchDQxM
ISO 27001 control A17 (Continuity on Information Security), and ISO 22301: confusing or relationship?
1. ISO27001 control A17 (Continuity on Information Security), and ISO22301: confusing or relationship?
PECB Webinar 18/02/2016
Michèle COPITET
EGONA-CONSULTING
2. Michèle COPITET
Michèle worked for 10 years at CAP GEMINI as a consultant and project manager and is currently an accredited trainer for PECB and for APMG.
Her company EGONA-CONSULTING provides consultancy, assessment and training in IT security management and in IT service quality management in France and abroad.
She is certified ISO22301 LI/LA, ISO27001 LA, ISO27005 RM, CISM, ITIL v3 Expert, ISO20000, COBIT5 Assessor and Prince2 Practitioner.
+33 233070358
egona@egona-consulting.fr
linkedin.com/ Michele COPITET
3. ISO 27001 ISO 22301 Differences
EGONA-CONSULTING 18/02/16 PECB Webinar - Distribution, reproduction and use prohibited
ISO/IEC 27001:2013
Information technology - Security techniques - Information security management systems - Requirements
ISO 22301:2012
Societal security - Business continuity management systems - Requirements
4. ISO 27001 ISO 22301 Differences
ISO22301 is more holistic: it ensures that your critical, "value generating" business products/services are up and running again as early as possible in case of disruption.
ISO/IEC 27001 is more information-infrastructure focused: it protects the IT assets that support the business processes behind those products/services.
ISO 27001 control A.17 addresses business continuity management, but gives no details on how to do it.
BUT for both, the main point is business continuity.
5. ISO 27001 ISO 22301 Differences
A.17.1 Objective: Information security continuity shall be embedded in the organization's business continuity management systems.
A.17.1.1 Planning information security continuity
Control: The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.
A.17.1.3 Verify, review and evaluate information security continuity
Control: The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.
6. ISO 27001 ISO 22301 Differences
A.17.1.3 means that an organisation should enable its information security to continue after an incident, as described in its SLA requirements, in order to protect the assets.
A.17.1 is basically covered by a DRP (disaster recovery plan).
ISO22301 requires developing more documents and processes: BIA (business impact analysis), business continuity plans, tests and exercises, communication plan, etc.
ISO27001 focuses on removing vulnerabilities whose exploitation could result in an incident affecting the IT assets.
ISO22301 focuses on business risks and opportunities.
7. ISO 27001 ISO 22301 Differences
So... ISO27001 implements only the information technology continuity plan (DRP) that supports the business continuity activities in case of disruption.
And if you want your organisation to become RESILIENT, you will need more.
ISO22301 gives you the know-how.
8. ISO 27001 ISO 22301 Relationship
Information security and business continuity both protect availability, but also the confidentiality and integrity of the information; this is why the A.17 controls are included.
Like other ISO management system standards, they are based on the Plan-Do-Check-Act cycle.
So, once this cycle is implemented for ISO27001, it is fully compatible with ISO22301 (both follow the same high-level management system structure).
Risk management: the objectives are different, but the goals and the process are similar (ISO31000).
9. Conclusion
So, ISO27001 should be implemented as planned, and to satisfy the A.17 controls, the core business continuity elements of ISO22301 should be implemented.
10. Conclusion
And with both standards implemented at the same time (with compatible scopes), the DRP would comply with governance principles:
Aligning IT with business needs, as described e.g. in the COBIT5 DSS04 process (Manage Continuity)
Assurance of compliance with information security controls in business continuity activities
11. Questions ?
To reach me... a message via LinkedIn.
And for fun...
12. ISO 22301, ISO 27001, ISO 9001, ISO 20000, ISO ..... phew!!!