
Ensuring and testing the resilience of the data processing environment


The organization must identify the required level of availability for the services it offers, as well as for any related data systems and the rest of the data processing environment. The organization must plan its systems and operations so that this availability level can be met.

When planning a resilient data processing environment, the organization should consider the following factors:

  • use of resilient networks
  • use of two geographically separate data centers with mirrored databases
  • use of several parallel software components with automatic load sharing
  • use of duplicated key components in systems (e.g. CPUs, hard drives, memory) or networks (e.g. firewalls, routers, switches)

In important production systems, resilience should also be tested regularly (for example through planned failover exercises) to ensure a smooth transition to backup solutions during incidents; an untested failover path is an assumption, not a control.

Connected to other frameworks and requirements:
8.14: Redundancy of information processing facilities
ISO 27001

Definition and monitoring of alarm policies


Often, security tools provide a way to set alert policies when something potentially dangerous happens in an organization's environment. For example, Microsoft 365 has built-in alert policies to alert you to abuse of administrator privileges, malware, potential internal and external risks, and data security risks.

The organization must identify the security-related events that can occur in its data systems and in the environments in which they operate. Alert policies must be created so that these events are detected and responded to.

Alert policies need to be actively monitored and tuned based on experience: thresholds that never fire provide no detection, and thresholds that fire constantly are ignored.
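To make concrete what an alert policy is, the following added example (not part of the original page, and not a Microsoft 365 API) evaluates two policies over constructed sample audit events: a threshold rule for repeated failed sign-ins within a sliding time window, and a zero-threshold rule for privileged role assignments. The event fields, role names and sample data are invented for this illustration; the threshold and window parameters are the knobs that the ongoing tuning described above adjusts.

```python
"""Minimal alert-policy engine run over constructed audit events.

Shows the shape of an 'alert policy': a named rule with a threshold, a time
window and a severity, evaluated over security events. Event layout, actors
and role names are invented for this example; this is not a Microsoft 365
API or real log data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    actor: str
    action: str
    target: str = ""


@dataclass(frozen=True)
class Alert:
    policy: str
    severity: str
    actor: str
    detail: str


# Constructed sample: alice fails sign-in six times in one minute, bob fails
# twice nineteen minutes apart, carol assigns two roles (one privileged).
T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(T0 + timedelta(seconds=10 * i), "alice@example.com", "UserLoginFailed")
    for i in range(6)
] + [
    Event(T0 + timedelta(minutes=1), "bob@example.com", "UserLoginFailed"),
    Event(T0 + timedelta(minutes=20), "bob@example.com", "UserLoginFailed"),
    Event(T0 + timedelta(minutes=3), "carol@example.com",
          "Add member to role", "Global Administrator"),
    Event(T0 + timedelta(minutes=4), "carol@example.com",
          "Add member to role", "Helpdesk Administrator"),
]

# Hypothetical set of roles considered privileged for this example.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}


def failed_login_policy(events, threshold=5, window=timedelta(minutes=10)):
    """Alert once when an actor reaches `threshold` failed sign-ins inside a
    sliding `window`. Threshold and window are the tunable parameters a policy
    review adjusts (raise the threshold if legitimate lockouts are noisy,
    shorten the window for service accounts that should never fail)."""
    alerts = []
    per_actor = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.action != "UserLoginFailed":
            continue
        bucket = per_actor[e.actor]
        bucket.append(e.ts)
        # Discard timestamps that have fallen out of the sliding window.
        while bucket and e.ts - bucket[0] > window:
            bucket.pop(0)
        if len(bucket) == threshold:  # fire exactly when the threshold is crossed
            alerts.append(Alert("Repeated failed sign-ins", "High", e.actor,
                                f"{threshold} failures within {window}"))
    return alerts


def privileged_role_policy(events):
    """Alert on every assignment to a privileged role: a single occurrence is
    significant, so this policy has no threshold."""
    return [Alert("Privileged role assigned", "Critical", e.actor, e.target)
            for e in events
            if e.action == "Add member to role" and e.target in PRIVILEGED_ROLES]


def evaluate(events, **failed_login_kwargs):
    """Run all policies and return the combined list of alerts."""
    return (failed_login_policy(events, **failed_login_kwargs)
            + privileged_role_policy(events))


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.policy}: {a.actor} ({a.detail})")
```

With the default settings only alice and carol produce alerts; lowering the failed-sign-in threshold to 2 still leaves bob below the line because his two failures are outside the ten-minute window, while widening the window to thirty minutes pulls him in. That is the kind of adjustment the monitoring requirement above expects an organization to make deliberately, based on what the alerts actually catch.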

Connected to other frameworks and requirements:
12.4.1: Event logging
ISO 27001
16.1.7: Collection of evidence
ISO 27001
PR.DS-4: Availability
NIST CSF
DE.AE-5: Incident alert thresholds
NIST CSF
RS.AN-1: Notifications from detection systems
NIST CSF

Basic service testing, fault tolerance evaluation and verification


The operation of supporting utilities (such as electricity, telecommunications, water supply, sewerage, heating, ventilation and air conditioning) is monitored to ensure that their capacity keeps pace with business growth, and their fault tolerance is evaluated and verified so that a single utility failure does not take down the data processing environment.

Connected to other frameworks and requirements:
11.1.4: Protecting against external and environmental threats
ISO 27001
11.2.2: Supporting utilities
ISO 27001
Business continuity management
F08: Ensuring business continuity
PR.IP-5: Physical operating environment
NIST CSF

Multiple providers for critical network equipment


When the fault tolerance of a telecommunication network is critical, it can be further improved by procuring basic network services via several routes and from several service providers. The routes must be physically diverse (separate cable paths and entry points); two providers sharing the same conduit still fail together.

Connected to other frameworks and requirements:
13.1.2: Security of network services
ISO 27001
ID.BE-4: Dependencies and critical functions
NIST CSF
ID.BE-5: Resilience requirements
NIST CSF
8.14: Redundancy of information processing facilities
ISO 27001
8.21: Security of network services
ISO 27001