Redundancy - Is it mandatory?
user name
2007-12-20 01:17:45
Hi,

We are in the process of getting ready for ISO 27001.

We have an Internet link. A lot of our business depends on the Internet link being up.

The ISO consultant helping us has been insisting that I buy a spare router and get a backup Internet link. That obviously means I need to put some money in.

I am not convinced about this need because:

- In the last 4 years the router has not failed. I am convinced about its resilience.

- The Internet link service provider has been meeting his SLAs consistently.

My question is:

- Is the ISO 27001 auditor going to question my above conviction? Is redundancy a mandatory requirement, or can I document that as an acceptable risk [or something else]?

Re: Redundancy - Is it mandatory?
user name
2007-12-20 01:29:06
Redundancy is not mandatory. In fact, your mitigating controls - the SLA and the historical data to support your link uptime - do seem to be quite effective. Your ISO 27001 audit won't fail, but the consultant does have a valid point - link redundancy (of a lower bandwidth) would be a worthwhile idea if your business does depend so much on the link.

K. K. Mookhey
Principal Consultant
NII Consulting
Web: http://www.niiconsulting.com
Mobile (India): +919820049549
Mobile (GCC): +97339754742
Tel: +91-22-2839 2628

AuditPro - Comprehensive policy-based security auditing
http://www.niiconsulting.com/products/auditpro.html

On Dec 20, 2007 12:47 PM, iso 27000 <is27001gmail.com> wrote:
> Hi,
>
> We are in the process of getting ready for ISO 27001.
>
> We have an Internet link. A lot of our business depends on the Internet link being up.
>
> The ISO consultant helping us has been insisting that I buy a spare router and get a backup Internet link. That obviously means I need to put some money in.
>
> I am not convinced about this need because:
>
> - In the last 4 years the router has not failed. I am convinced about its resilience.
>
> - The Internet link service provider has been meeting his SLAs consistently.
>
> My question is:
>
> - Is the ISO 27001 auditor going to question my above conviction? Is redundancy a mandatory requirement, or can I document that as an acceptable risk [or something else]?
>

Re: Redundancy - Is it mandatory?
user name
2007-12-20 01:34:40
On Dec 20, 2007 10:17 AM, iso 27000 <is27001gmail.com> wrote:
> Hi,
>
> We are in the process of getting ready for ISO 27001.
>
> We have an Internet link. A lot of our business depends on the Internet link being up.
>
> The ISO consultant helping us has been insisting that I buy a spare router and get a backup Internet link. That obviously means I need to put some money in.
>
> I am not convinced about this need because:
>
> - In the last 4 years the router has not failed. I am convinced about its resilience.

Besides the question of whether this is compliant with ISO 27001, you can look at it from another perspective.

As you said, since a lot of your business depends on this link, what would be the loss to the business if this link is unavailable? If the loss is higher than the cost of the router, it makes sense to keep a redundant unit.

For example, if this router failed, 10 people in your organization were unable to perform their duties, and it took two days to replace the router, then roughly we can consider the loss to be 20 man-days, irrespective of the lost opportunities to the business. Actually this is a concept we practised for LAN switches, since the downtime cost would be very high.

That the router was running for four years without any issue does not mean that it'll continue to do so for another 4 years!!!

I hope you get my point. I see this more as a business decision you have to make.

Cheers,
-- 
Kosala
--------------------------------------------
Disclaimer: Views expressed in this mail are my personal views and they would not reflect views of the employer.
--------------------------------------------
blog.kosala.net
www.linux.lk/~kosala/
www.kosala.net

RE: Redundancy - Is it mandatory?
user name
2007-12-20 03:18:11
Hello list members,

As an intro: an ISMS based upon ISO/IEC 27001:2005 does not mean implementing and ticking off security controls from ISO 27002 (ex-17799); it's a complex process to analyse and manage the information risks in regard to your critical business processes. (Something which cannot be said often enough.)


> We are in the process of getting ready for ISO 27001.
>
> We have an Internet link. A lot of our business depends on the Internet link being up.

So it's definitely a (critical) business asset, and therefore a good point for a business impact analysis. -> What happens if it crashes?
Kosala Atapattu did a good sketch of this in his post.

> The ISO consultant helping us has been insisting that I buy a spare router and get a backup Internet link. (..)

He insisted?
A spare router and a backup link are good proposals as a measure for risk treatment, but it's still the duty of your company's management to evaluate the risk and to make the choice for appropriate risk treatment.

If they say it wouldn't be tolerable to lose the internet link for two or more days (I'm just taking Kosala's numbers here) because some age-old router hardware went to hardware heaven and therefore all business would go down, then the spare router should have been ordered last week already.
If management thinks the company can live just fine without internet for some days, accept "loss of internet connectivity due to router hardware failure" as a residual risk and rely on your hardware vendor to ship you a replacement in time.
 
> I am not convinced about this need because:
> - In the last 4 years the router has not failed. I am convinced about its resilience.
> - The Internet link service provider has been meeting his SLAs consistently.

These are good experiences as input for a risk analysis focused on the internet link, but they do not say anything about the future. At least I would look for a replacement for the "age-old" router. "Trusty" hardware becomes "rusty" just overnight - and tends to fail over the next weekend.

At least in my experience.

 
> My question is:
>
> - Is the ISO 27001 auditor going to question my above conviction? Is redundancy a mandatory requirement, or can I document that as an acceptable risk [or something else]?

Redundancy is no mandatory requirement of ISO 27001.
Most of the time it results as a response to the question "Okay, we have here a network link which has a really high demand in terms of availability. How can we prevent/reduce outage time?"

One could argue "link redundancy" as a part of the implementation of control 10.6.2 of ISO 27002.
Control 10.8.4 (implementation guidance c)!) as well.

If you document your choice for the risk treatment of "loss of internet connectivity due to router hardware failure" comprehensibly, no auditor should have any problem with that.

It's the auditor's job to check if you operate your ISMS correctly, if you _know_ about the concrete (information security) risks for _your_ business processes and _do_ something about them - it's not to evaluate if your choice of a Cisco router was good or whether you had better chosen a Juniper.

He may make a remark about his concerns about using an old router, but this is (/should be) no major non-conformity preventing certification. But: you should use any such remarks as input for the next ISMS review!

Kind regards,

Andreas Rauer
Consultant for Strategic Information Security
ISMS Lead Auditor




--

Andreas Rauer

help AG | Zum Wartturm 9 | 63571 Gelnhausen | www.helpag.de

T +49 6051 9749-42 | F +49 6051 979710

andreas.rauerhelpag.de

Management board: Soren Kroh, Christian Lumperda
Chairman of the supervisory board: Ralf Sonnen
Registered office: Gelnhausen, Hanau Local Court (AG Hanau) HRB 13144
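A worked version of the cost comparison Kosala sketches (people affected times days to recover, weighed against the price of a spare router) together with the documented, comprehensible treatment choice Andreas says an auditor looks for; this is an added example, not code from the thread, and every figure in it (daily cost per person, yearly outage probability, annual cost of the spare router, recovery time with a spare on the shelf) is a constructed assumption to be replaced by your own estimates.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class OutageScenario:
    """One 'link is down' scenario in the style of Kosala's sketch."""
    name: str
    people_affected: int         # staff who cannot work while the link is down
    days_to_recover: float       # e.g. vendor lead time to ship a replacement router
    cost_per_person_day: float   # constructed: loaded daily cost of one person
    annual_probability: float    # constructed: estimated chance of the event per year


def man_days_lost(s: OutageScenario) -> float:
    # Kosala's figure: 10 people x 2 days = 20 man-days per outage
    return s.people_affected * s.days_to_recover


def annual_loss_expectancy(s: OutageScenario) -> float:
    # single-loss expectancy weighted by how often we expect the event per year
    return s.annual_probability * man_days_lost(s) * s.cost_per_person_day


def treatment_decision(s: OutageScenario, control_annual_cost: float,
                       recover_days_with_control: float) -> dict:
    """Compare expected yearly loss without the control (spare router) against
    the residual loss with it plus what the control itself costs per year."""
    ale_before = annual_loss_expectancy(s)
    residual = replace(s, days_to_recover=recover_days_with_control)
    ale_after = annual_loss_expectancy(residual) + control_annual_cost
    option = "mitigate" if ale_after < ale_before else "accept"
    return {"option": option, "ale_before": ale_before, "ale_after": ale_after}


def risk_register_entry(s: OutageScenario, decision: dict, owner: str) -> dict:
    """The written-down treatment choice, with its reasoning, for the ISMS review."""
    return {
        "risk": s.name,
        "owner": owner,
        "treatment": decision["option"],
        "justification": (f"ALE without control {decision['ale_before']:.0f}, "
                          f"with control {decision['ale_after']:.0f}"),
        "review": "next ISMS review",
    }


if __name__ == "__main__":
    link = OutageScenario("loss of internet connectivity due to router hardware failure",
                          people_affected=10, days_to_recover=2,
                          cost_per_person_day=300, annual_probability=0.2)
    d = treatment_decision(link, control_annual_cost=400, recover_days_with_control=0.25)
    print(risk_register_entry(link, d, owner="IT manager"))
```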
