You are the CISO of a direct bank based in Taiwan that relies entirely on internet banking. Your bank is implementing an information security management system (ISMS) compliant with ISO 27001 and is undergoing a certification audit. An external auditor is interviewing you. In which of the following issues is the auditor least likely to be interested during the interview?
A. Are the roles and responsibilities assigned and communicated?
B. Is the information security policy available as documented information?
C. Are there any needs for changes to the ISMS?
D. Is risk assessment conducted before business impact analysis?
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Is risk assessment conducted before business impact analysis.
The following are requirements of ISO 27001:
- Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated. (5.3 Organizational roles, responsibilities and authorities)
- The information security policy shall be available as documented information. (5.2 Policy)
- The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. (9.3 Management review)
ISO 27001 requires an information security risk assessment (clause 6.1.2), but it does not require a business impact analysis (BIA). Options A, B and C each map directly to an ISO 27001 clause, so the auditor is likely to ask about them; option D does not.
BIA is a requirement of ISO 22301 (BCMS, Business Continuity Management System), and even there the order of risk assessment and BIA is not a BCMS requirement. They can be conducted in either order, depending on the organization's needs.