Introduction:
Availability of information processing facilities is a critical aspect of information security management.
Organizations must maintain the availability of their ICT services to avoid disruption to their business operations.
The availability requirements for ICT services must be identified, and suitable arrangements must be put in place to ensure the resilience, capacity, and performance of the services.
In this article, we will discuss the requirements of A.17.2.1 from the ISO 27001 standard and provide a sample checklist to help organizations evaluate their compliance with the standard.
Sample Checklist:
- Have availability requirements for ICT services been identified?
- Are suitable arrangements in place to ensure the resilience, capacity, and performance of ICT services?
- Are key information security controls implemented and functional at disaster recovery/fall-back sites?
- Are the additional risks of controls at DR/fall-back sites being treated appropriately?
- Are incident records examined regularly to identify unreliable services, equipment, facilities, servers, applications, links, functions, suppliers, etc.?
- Is dynamic load balancing in place to manage capacity and performance issues?
- Is there a mechanism in place to monitor and adjust the availability arrangements?
- Are the DR/fall-back sites tested regularly to ensure the resilience, capacity, and performance of ICT services?
- Is there a documented procedure in place to activate the DR/fall-back sites in case of an outage?
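To show what two of the checklist questions look like in practice (identified availability requirements for each ICT service, and regular examination of incident records to spot unreliable services), here is an added Python example. It is not part of the article or of any ISO text; the service names, availability targets, incident records, reporting window and the three-incident "recurring" threshold are all constructed for illustration. It computes per-service downtime from incident records, clipping incidents that straddle the reporting window, derives the achieved availability percentage, and flags services that miss their target or show recurring incidents.

```python
from collections import defaultdict
from datetime import datetime

# Availability requirements per ICT service (constructed targets, not from the article).
AVAILABILITY_TARGETS = {
    "payments-api": 99.9,
    "intranet-portal": 99.0,
    "backup-link": 99.5,
    "vpn-gateway": 99.9,
}

# Constructed incident records: one row per outage with ISO 8601 start and end times.
INCIDENT_RECORDS = [
    {"id": "INC-0001", "service": "payments-api", "start": "2024-02-29T22:00:00", "end": "2024-03-01T01:00:00"},
    {"id": "INC-0002", "service": "payments-api", "start": "2024-03-02T10:00:00", "end": "2024-03-02T10:20:00"},
    {"id": "INC-0003", "service": "payments-api", "start": "2024-03-15T01:00:00", "end": "2024-03-15T01:45:00"},
    {"id": "INC-0004", "service": "intranet-portal", "start": "2024-03-10T08:00:00", "end": "2024-03-10T12:00:00"},
    {"id": "INC-0005", "service": "backup-link", "start": "2024-03-20T23:00:00", "end": "2024-03-21T03:00:00"},
    {"id": "INC-0006", "service": "backup-link", "start": "2024-03-25T06:00:00", "end": "2024-03-25T06:30:00"},
    {"id": "INC-0007", "service": "backup-link", "start": "2024-03-28T14:00:00", "end": "2024-03-28T14:10:00"},
    {"id": "INC-0008", "service": "intranet-portal", "start": "2024-04-03T09:00:00", "end": "2024-04-03T09:30:00"},
]

# Constructed reporting window (March 2024) and threshold for "recurring incidents".
REPORT_WINDOW = (datetime(2024, 3, 1), datetime(2024, 4, 1))
RECURRING_INCIDENT_THRESHOLD = 3


def clipped_minutes(record, window_start, window_end):
    """Outage minutes that fall inside [window_start, window_end).

    Incidents that begin before the window or end after it are clipped so the
    downtime is neither over- nor under-counted; incidents wholly outside return 0.
    """
    start = max(datetime.fromisoformat(record["start"]), window_start)
    end = min(datetime.fromisoformat(record["end"]), window_end)
    if end <= start:
        return 0.0
    return (end - start).total_seconds() / 60.0


def availability_report(records, targets, window_start, window_end,
                        recurring_threshold=RECURRING_INCIDENT_THRESHOLD):
    """Per-service downtime, achieved availability and compliance flags for the window."""
    window_minutes = (window_end - window_start).total_seconds() / 60.0
    downtime = defaultdict(float)
    incidents = defaultdict(int)
    for rec in records:
        minutes = clipped_minutes(rec, window_start, window_end)
        if minutes > 0:
            downtime[rec["service"]] += minutes
            incidents[rec["service"]] += 1

    report = {}
    # Iterate over the targets, not the incidents, so a service with no
    # recorded outages still appears (at 100%) and a service with incidents
    # but no defined requirement is visible as a gap in the targets list.
    for service, target in targets.items():
        availability = 100.0 * (window_minutes - downtime[service]) / window_minutes
        report[service] = {
            "downtime_minutes": round(downtime[service], 1),
            "incidents": incidents[service],
            "availability_pct": round(availability, 3),
            "target_pct": target,
            "meets_target": availability >= target,
            "recurring_incidents": incidents[service] >= recurring_threshold,
        }
    return report


def services_needing_attention(report):
    """Services that either miss their availability target or show recurring incidents."""
    return sorted(s for s, r in report.items()
                  if not r["meets_target"] or r["recurring_incidents"])


def default_report():
    """Run the report over the constructed records and window."""
    return availability_report(INCIDENT_RECORDS, AVAILABILITY_TARGETS, *REPORT_WINDOW)


if __name__ == "__main__":
    rep = default_report()
    for service, row in rep.items():
        status = "OK" if row["meets_target"] and not row["recurring_incidents"] else "ATTENTION"
        print(f"{service:16s} {row['availability_pct']:8.3f}% (target {row['target_pct']}%) "
              f"{row['incidents']} incidents, {row['downtime_minutes']} min down -> {status}")
    print("Needs attention:", services_needing_attention(rep))
```

The output for the constructed data flags `payments-api` (three incidents and 99.72% against a 99.9% target) and `backup-link` (three incidents and 99.373% against 99.5%), while `intranet-portal` and `vpn-gateway` meet their targets. Real use would read the records from the incident management system and the targets from the availability requirements register the checklist asks for.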
Conclusion:
Ensuring the availability of information processing facilities is critical for the success of any organization.
A.17.2.1 of the ISO 27001 standard provides guidelines for maintaining the availability of ICT services.
Organizations must identify the availability requirements for their services and put suitable arrangements in place to ensure their resilience, capacity, and performance.
Regular monitoring and adjustments are required to manage capacity and performance issues, and the DR/fall-back sites must be tested regularly to ensure their effectiveness.
Organizations must also implement suitable information security controls at the DR/fall-back sites and monitor incident records regularly to identify any unreliable services or equipment.
The sample checklist provided in this article can help organizations evaluate their compliance with the A.17.2.1 requirements.