A.17 Information security aspects of business continuity management


Version: 3.0

Valid until: 2025-04-10

Classification: Low

Version Management

Version | Author(s)                                        | Change(s)                                                                                                                                                                   | Date approved
1.0     | Stefan van Aalst, Theo Koster, Edward Robinson   | Initiation document.                                                                                                                                                        | 2022-07-05
1.1     | Edward Robinson                                  | Additions/changes as part of the periodic review and improvement. Renamed to A.17 Information security aspects of business continuity management from B18 Continuity information security. | 2022-12-14
2.0     | Edward Robinson                                  | Additions/changes as part of the annual review. Added a link to the Contingency procedure and Disaster Recovery Plan.                                                       | 2023-05-19
3.0     | Edward Robinson                                  | Additions/changes as part of the annual review. Updated the link for the Disaster Recovery Plan.                                                                            |

Purpose & background


In the interest of all the stakeholders, the top management of anDREa B.V. (hereafter called anDREa) is actively committed to demonstrably maintaining and continually improving an information security management system (ISMS) in accordance with the requirements of ISO 27001:2017.


The purpose of this document is to describe anDREa's policy on the information security aspects of business continuity management, together with the associated controls, checks and administrations.


This document will be reviewed at least annually and when significant change happens.

Objectives


The objectives of this control are:


  • Information security continuity shall be embedded in the organisation’s business continuity management systems (A.17.1).

  • To ensure availability of information processing facilities (A.17.2). 

Scope


The scope of this document corresponds to Clause 4 Context of the organisation.

Availability

This document is:


  • required reading for:

    • all employees and contractors of anDREa.

  • available for all interested parties as appropriate.

Norm elements

A.17.1 Information security continuity

A.17.1.1 Planning information security continuity & A.17.1.2 Implementing information security continuity


“The organisation shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.”


“The organisation shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.”


The documented procedures for adverse situations are described in the Disaster Recovery Plan.

A.17.1.3 Verify, review and evaluate information security continuity


“The organisation shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.”


This document (and all other documented information of anDREa's ISMS), including the Disaster Recovery Plan, the Contingency procedure and any other associated document, is periodically reviewed according to Clause 9 Performance evaluation. This review process is tracked in a ticket. In addition, aspects of the Disaster Recovery Plan are tested for validity and effectiveness, and these tests are also tracked in a ticket.

A.17.2 Redundancies

A.17.2.1 Availability of information processing facilities


“Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.”


Data in the SaaS applications used by anDREa is stored in the cloud and is backed up according to the supplier agreements.

anDREa itself backs up two resources:

  • myDRE source code to the Escrow party service (quarterly).

  • Knowledge Base documentation to a myDRE Workspace (biannually).


The Security Officer tracks the generation of the back-ups of the abovementioned services in a ticket and registers the confirmation by the receiving party.

Administrations


    • Related Articles

      • 20220607 Security Management Report

      • 20220714 Security Management Report Addendum (addendum to the 20220607 Security Management Report, addressing the findings reported on 2022-07-14)

      • 20220713 Report Azure White Box Security Audit (version 2022-07-14; annual external pentest and white box security audit under the Pentest Program)

      • 20210224 Pentest 2021-Q1 Report & 20210301 White Box Security Audit 2021-Q1 Report (performed by nSEC/Resilience under the Pentest Program)

      • 20230503 Security Management Report (annual report by the Security Officer to the management board summarising the ISMS activities)