A.17 Information security aspects of business continuity management
Version: 3.0
Valid until: 2025-04-10
Classification: Low
Version Management
Version | Author(s) | Change(s) | Date approved |
1.0 | Stefan van Aalst, Theo Koster, Edward Robinson | Initiation document. | 2022-07-05 |
1.1 | Edward Robinson | Additions/changes as part of the periodic review and improvement. Renamed to A.17 Information security aspects of business continuity management from B18 Continuity information security. | 2022-12-14 |
2.0 | Edward Robinson | Additions/changes as part of the annual review. Added a link to the Contingency procedure and Disaster Recovery Plan. | 2023-05-19 |
3.0 | Edward Robinson | Additions/changes as part of the annual review. Updated the link for the Disaster Recovery Plan. | |
Purpose & background
In the interest of all the stakeholders, the top management of anDREa B.V. (hereafter called anDREa) is actively committed to demonstrably maintaining and continually improving an information management system in accordance with the requirements of ISO 27001:2017.
The purpose of this document is to describe anDREa's policy on the information security aspects of business continuity management, together with the associated controls, checks and administrations.
This document will be reviewed at least annually and whenever a significant change occurs.
Objectives
The objectives of this control are:
Scope
The scope of this document corresponds to Clause 4 Context of the organisation.
Availability
This document is:
Norm elements
A.17.1.1 Planning information security continuity & A.17.1.2 Implementing information security continuity
“The organisation shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.”
“The organisation shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.”
A.17.1.3 Verify, review and evaluate information security continuity
“The organisation shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.”
A.17.2 Redundancies
A.17.2.1 Availability of information processing facilities
“Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.”
Data in SaaS applications used by anDREa are stored in the cloud and are backed up according to the supplier agreements.
anDREa itself backs up two resources:
The Security Officer tracks the generation of the back-ups of the above-mentioned services in a ticket and registers the confirmation by the receiving party.
Administrations