Business Continuity in Information Security

As a management consulting company, CUNIX caters to the needs of all organizations, from small and medium enterprises to large MNCs with several offices across the globe. While interacting with Information Security practitioners, we found that many of them find it difficult to understand the concept of Business Continuity with regard to an Information Security Management System. Therefore, in this article, we shall be addressing these areas.

What is BCMS- Business Continuity Management System?

  • A Business Continuity Management System specifies the requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence of, prepare for, respond to, and recover from disruptive incidents when they arise.
  • The standard for Business Continuity Management Systems is ISO 22301:2012.
  • It was initially developed by the ISO technical committee on societal security and published for the first time in May 2012.

In Information Security, not all aspects of Business Continuity are covered. Only selected aspects are covered, namely Information Security Continuity and Redundancies.

According to ISO 27001, Information Security Continuity broadly covers the following:

1- Planning Information Security Continuity

While building the ISMS manual, planning InfoSec continuity is very important.

While planning, we need to consider situations which have a catastrophic impact on the business, such as an earthquake, flood, terrorist attack, power failure, system breakdown, critical data breach (either by an internal or an external entity), cyber-attack, hacking, political strike, tsunami, volcanic eruption etc. During such incidents, an organization has to be ready with a ‘Plan B’ so that its Information Security is not at stake. You need to make sure that it remains uncompromised in any situation.

Planning Information Security Continuity comprises the following 3 steps:

Step-1: The organization needs to think through all applicable situations (e.g. those mentioned above) according to its geographic location, availability, manpower etc. E.g. if your office is in a historic or prime location of the city, then there is a possibility of a terrorist attack. Therefore, considering information security, the organization should have strong physical security, a secret area to assemble, a secure path to evacuate the office, and a way of locking the systems that hold confidential information.

Let’s take another example: floods. Assume you have an office in an area which is highly vulnerable to floods. Then your plan shall depend upon which floor the office is situated on.

If it’s on the ground or 1st floor, then the probability of water entering your office premises is high. Otherwise, it won’t affect the systems etc. which are inside the office. In both cases, the organization needs to be ready with plans for floods in case employees are unable to travel to the office from their homes due to a temporary collapse of public transport.

Step-2: The Information Security team needs to jot down all applicable threats to the organization which may cause harm to the company's Information Security.

Now the question arises, how to bring together all the scenarios?

The answer is simple: the Information Security Team should sit together and brainstorm all the situations. They need to check the historical data of past events which disrupted the business continuity of the organization. There are several other methods to understand critical situations and work upon them.

Step-3: After understanding all the scenarios, the organization needs to start evaluating probable solutions for all such events. Here management involvement is required. Only after getting approval on things like budget etc. can the InfoSec team come up with solutions for the problems.

E.g. there are several industries which keep inflammable materials inside their office (e.g. paper in the printing industry). Such an office is an area where the chances of catching fire are high. To handle a fire, you need to be ready with fire extinguishers, a fire exit plan, an assembly point etc.

Also, proper awareness and training sessions and mock drills should be conducted at regular intervals for employees.

2- Implementing Information Security Continuity

The implementation phase comes after understanding and evaluating the various scenarios which may have a catastrophic impact on the Information Security of the company. During this phase, the organization needs to start acting on what it has planned.

E.g. installing fire extinguishers, backing up to the cloud, setting up a new business site (away from the current location), installing anti-virus etc.

The Information Security team should maintain logs for all recurring activities. These can be produced as proof of regular implementation during audits. The data can be captured by regularly filling in checklists. The checklists list all the recurring tasks as a reminder to the end user. The checklists can be filled in at a frequency such as daily, weekly, monthly or quarterly.

3- Verify, Review and Evaluate Information Security Continuity

The organization needs to verify the established Information Security Continuity Controls at regular intervals. If there’s any change required to be made then it is reviewed and changed according to the need.

The effectiveness of the control also matters a lot. For example, if you have implemented the backup policy approved by senior management with a 3-month retention, but due to data loss and other problems it is not effective, then it has to be reviewed. Based on the evaluation done, the backup policy should be modified.

– Gunjar Fuley


Indicative List of Policies to be framed for ISO 27001:2013

The organization should define information security policies which are approved by management and which set the organization’s approach to managing its information security objectives.
a) Business strategy, b) contracts, regulations and legislation and c) the security threat environment are the sources of requirements which the “information security policies” should address.

What should “Information Security Policy” cover?

a) Definition of information security, and the objectives and principles to direct all activities related to information security
b) Assignment of responsibilities for information security management to defined roles
c) Processes for handling non-conformities and exceptions

Indicative List of policies:

1) Information Security
2) Access control
3) Information classification and handling
4) Physical and environmental security
5) Acceptable use of assets
6) Clear Desk and clear screen
7) Information Transfer
8) Mobile device and teleworking
9) Restriction on software installations and use
10) Back-up
11) Protection from malware
12) Management of technical vulnerabilities
13) Cryptographic controls
14) Communication security
15) Privacy and protection of personally identifiable information
16) Supplier relationships

These policies should be communicated to relevant internal and external stakeholders in the context of information security awareness.


Structure of ISO 27001:2013

Controls (Annex A)

A.5: Information Security Policies – Controlling how policies are written and revised

A.6: Information Security Organization – Controls on how responsibilities are assigned; also includes controls for mobile devices

A.7: Human Resources Security – Pre-employment, during and after employment controls

A.8: Asset management – Asset inventory and acceptable use controls; also for information classification and media management

A.9: Access control – Access control policy, user access management, system and application access control

A.10: Cryptography – Encryption and Key Management Controls

A.11: Physical and environmental security – Controls defining secure areas, entry controls, protection against threats, security of the equipment, secure removal, clear desk and clear screen policy, etc.

A.12: Operational security – Procedures and responsibilities, malware, backup, logging, monitoring, installation, vulnerability etc.

A.13: Communications Security – Network security, information transfer, e-mail security checks etc.

A.14: Acquisition, development and maintenance of the system – Controls defining security requirements and security in the development and support processes

A.15: Vendor Relations – Controls on what to include in agreements and how to monitor suppliers

A.16: Information Security Incident Management – Controls to report events and weaknesses, define responsibilities, assess events, respond to and learn from incidents, and collect evidence.

A.17: Aspects of information security in the management of continuity of operations – Controlling the planning, implementation and review of the continuity of information security operations.

A.18: Compliance – Controls requiring the identification of applicable laws and regulations, protection of intellectual property, protection of personal data and examination of the security of personal information

One of the biggest myths about ISO 27001 implementation is that it is computer-centric. On the contrary, it involves the various aspects listed above in Annex A.

The controls in Annex A are an essential part of ISO 27001 implementation. Based on the risk assessment, an organization can decide the applicability of each control, with a valid rationale.


What is ISO 27001?

ISO 27001 is a standard which helps organizations manage information security. It was published by the International Organization for Standardization (ISO). The latest revised version is ISO 27001:2013. The first version was published in 2005. This standard was developed on the basis of the British Standard BS 7799-2.

Which type of organizations can get certified for ISO 27001?

ISO 27001 can be implemented in any kind of organization, profit or non-profit, private or state-owned, small or large. ISO 27001 establishes a framework for the implementation of information security management in an organization. Organizations can also get certified for ISO 27001. Independent certification bodies perform the audit and, upon compliance with the standard, issue the certificate to the organization.

What are the benefits of ISO 27001?

  1. New client acquisition and retention of old clients
  2. Avoid losses and penalties for data breaches
  3. Comply with business, legal and regulatory requirements
  4. Protect and enhance organization’s reputation
  5. Provide competitive advantage
  6. Consistency in the delivery of service or product
  7. Builds a culture of security

How is the ISO 27001 standard structured?

ISO 27001 is split into 11 sections, plus Annex A. Sections 0 to 3 are introductory (and are not mandatory for implementation), while sections 4 to 10 are mandatory – meaning that all their requirements must be implemented in an organization if it wants to be compliant with the standard. Controls from Annex A must be implemented only if declared as applicable in the Statement of Applicability.

How to implement ISO 27001?

Steps involved are:

  1. Get Sponsorship for the project
  2. Define the scope for ISO 27001
  3. Conduct ISO 27001 Awareness Training
  4. Establish top-level Information security policy
  5. Prepare the asset list
  6. Perform the risk assessment and risk treatment
  7. Write the Statement of Applicability
  8. Prepare Risk treatment plan
  9. Implement all applicable controls and procedures
  10. Conduct Internal Auditor Training
  11. Perform internal audit
  12. Perform management review
  13. Implement corrective actions
  14. Conduct Certification Audits

Identify Risk At Early Stage To Mitigate The Legal Risks For Your Business

Every entrepreneur seeks business success. Since you want the same thing, act now to help your business manage its risks. Risk management is part of business planning. The process of managing risk is meant to reduce or eliminate the events that could have a negative impact on your business. It entails the identification, assessment and prioritization of different kinds of risks. As soon as the risks are detected, the risk manager can create a plan to reduce or remove the impact of the negative circumstances. There are many risk management strategies, including the use of the enterprise risk management standards developed by ISO (International Organization for Standardization).

Understanding the types of risks you face

Different sorts of risks exist, and you need various risk management plans to mitigate or eliminate them. Common risks include fire or accidents on your business premises and catastrophic events triggered by nature. Your business risk can also be legal: sexual harassment lawsuits, accounting fraud, and theft. Additionally, risks can arise from your normal business practices, the volatile nature of the money markets, poor data handling and storage, unpaid loans, and project failures. If you want to be in control at all times, take the time to understand your business risks.

What are the goals of risk management?

After you have identified your business threats and risks and decided to manage them, the next big action is to come up with goals. The biggest goal you should aim at is to protect your enterprise from being at risk. Smaller goals should include protecting the welfare of your employees and customers. Furthermore, you should aim to shield the general public from negative events that may affect your business premises and them. Proper risk management practices are also about the conservation of your physical facility, data and records storage systems, and physical assets like business vehicles and equipment. Although all business risks can be costly, you don’t want persistent legal battles. Hence, your main goal when developing risk management strategies should be to protect your business from legal consequences.

The best solution – ISO31000:2009

The risk management principles and guidelines provided by ISO31000:2009 are the best solution you have. They entail a framework, a set of principles and a logical process for managing risk. With this solution, you can do the most effective enterprise risk management in India. It will be an effective way of identifying opportunities and threats and allocating your resources wisely. The ISO31000 is easy to install if you consult an expert like It entails only eight steps that you won’t have to carry out yourself.

CUNIX will be happy to do this task for you in exchange for a manageable fee. The company offers a Risk Management workshop. This workshop is conducted to create awareness among the targeted audience. It includes a lot of training via several case studies to boost the participants’ level of understanding and to assist them in developing a habit of managing risk in their businesses. Second, CUNIX offers Risk Management Consulting. This entails help and guidance on how to implement the ISO31000:2009 steps. By – cunixinfotech.

Know How of CMMI #1

This is a weblog series. You are reading the first (#1) log of the series. Please follow us regularly to know more about CMMI and to not miss any links in between. We would love to hear your valuable comments and suggestions.

  • CMMI stands for Capability Maturity Model Integration.
  • CMMI is a framework for business process improvement.
  • CMMI is NOT an engineering development standard or a development life cycle.
  • CMMI is meant to help organizations improve their performance of, and capability to, consistently and predictably deliver the products, services, and sourced goods their customers want, when they want them and at a price they’re willing to pay. From a purely inward-facing perspective, CMMI helps companies improve operational performance by lowering the cost of production, delivery, and sourcing.
  • CMMI is a place to start, not a final destination. CMMI can’t tell an organization what is or isn’t important to it. CMMI, however, can provide a path for an organization to achieve its performance goals.
  • CMMI doesn’t have its own context; every organization has its own unique context in which to implement CMMI.
  • CMMI practices are practices that improve existing work practices, but they do not define what those work practices must be for any given activity or organization.

The next log of this series will focus on “what CMMI can be useful for”. Watch this space for the next updates and post your queries if any at

CUNIX is a Management Consulting Organization. It is one of the Top 10 CMMI Institute Partners worldwide, providing CMMI Consulting Services and CMMI Certification in India and internationally, along with ISMS Consulting, Project Management and Risk Management.

Vision to Activities: Let's make implementation simple

Organizations worldwide have these two common concerns:

  1. The strategy formulated by the top management is far from the changing realities of the market
  2. And if the strategy formulated is in accordance with market realities, it is difficult to translate it to the operational level, so it remains only in the strategy documents of the company

The strategy formulation has these standard steps:

  • Defining Vision
  • Mission
  • Core Values and Objectives for the organization.

The difficult part is converting objectives into workable units, i.e. strategy implementation becomes a challenge for the Senior Management. The Balanced Score Card is one good tool in this direction. I am sharing my experience of maintaining a Balanced Score Card at my organization.

  1. Convert Objectives into SMART Goals: The objectives direct the goal definition. The goals should have the following elements: Specific, Measurable, Attainable, Realistic and Time bound.
  2. Percentage contribution of different Goals to a particular objective: The % contribution of the goals to a particular objective needs to be analyzed by the Senior Management in accordance with their past experience.
  3. Conduct Synergy meets to get Ideas: The people at the operations level face the ground-level challenges related to different functions in the organization. Ideas from them will be vital to the success of the organization. Conducting Synergy meets at regular intervals and gathering ideas from them will lead to a priceless repository of potential future initiatives.
  4. Map Ideas to Goals: Map each idea to the goals it intends to satisfy and rate them mainly on two factors (these factors can be different for different businesses): a) Effectiveness of the Idea in achieving the Goal, b) Impact of the Idea on the Goal.
  5. Qualify Ideas to Initiatives: After rating Ideas on the above two parameters, discuss and make some rules (on the basis of your organizational preference) to qualify these ideas as initiatives.
  6. Choose among initiatives: The previous step will give a handful of ideas which have the potential to become initiatives. Rate those ideas on different parameters derived from the focus on customers, finance, internal processes and people.
  7. Prepare a Work Breakdown Structure: After the initiative qualifies, break it down into the activities to be performed, with the Responsibilities, End Date, Duration, Completion Status etc. mentioned.

This 7-step process has converted the broad-level vision into doable activities with clear-cut responsibilities to perform.


Understanding Balanced Scorecard: Design and Implementation

  • The Balanced Scorecard is a tool. In this particular post we will be focusing more on the issues this tool resolves in the organization. In later posts we will be exploring the tool itself.
  • Balanced Scorecard as a tool drives below systems:
    1. Communication System
    2. Performance Management System
    3. Strategic Management System
  • Factors affecting organizations in today's dynamic environment:
    1. Too much focus on financial measures of performance to measure the organization's success
    2. In this era of Information Technology, the intangible assets which are creating far more value for customers are less understood and evaluated
    3. Difficulty in percolation of the formulated strategy to all levels of the organization, and hence challenges in strategy execution
  • The Balanced Scorecard helps the organization overcome the above-mentioned factors by addressing them as below:
    1. Introducing other measures as well, to ensure effective Organizational Performance Measurement
    2. Taking into account the value-creation aspects of intangible assets
    3. Cascading it to the different levels of the organization to address the challenges in Strategy implementation
  • The next blog of this series will be focusing on “Financial measures and their limitations”. Stay tuned to this space and post your queries if any at

How Software Development Organizations Get Various Benefits From A CMMI Certification

The software industry is one of the fastest growing industries in the world today. As such, you can expect very stiff competition between the industry players. For you to survive in this industry, your organization needs to be at its very best when it comes to delivering the goods when it matters most.

The different departments of any software development organization need to communicate effectively with one another so as to enhance performance during the course of executing any project. This post will acquaint you with the various benefits a software organization stands to gain when it implements CMMI as part of its work culture.

Read carefully and find out how we can help improve the management structure of other software development organizations.

Industry Standards

This is one very good way your organization will benefit from this certification. When people are certified in this regard, they tend to carry out every task with industry standards in mind. Employing industry standards in the various roles of a software development organization will only help to make the various processes in the organization link up nicely with each other.

Let's take coding, for instance: when this model is implemented during the course of code development, the developer ensures that every detail about his code is comprehensively documented.

This way, it will not be difficult for any other developer who comes on board to continue from where he or she stopped. In other words, with this model in place, you can expect easy maintenance of any application.

Quick Turnaround

Another thing you can benefit from such a model is getting your projects finished way ahead of time. Doing what has to be done will help to save a great deal of time. There will be more projects to handle because clients trust you can deliver on your promises. This is simply one of the secrets of success in this industry.

Better Communication

For projects to move smoothly with an improved workflow, employees and senior team members need to understand the need for seamless communication within a project team. They need to understand the significance of giving feedback when appropriate. This is so important that it cannot be overemphasized.

During the course of any project, there should be proper communication every step of the way between members. This will go a long way to improving the way projects are being executed in the workplace.

Process Analysis

This model does not only benefit the software development organization from an internal perspective. It also makes them more effective in the eyes of their clients. What this means is that your organization will have the expertise needed to study and analyze other processes so that it can suggest various improvement techniques that will bring about improved productivity.

Are you a software development organization in India or Mumbai looking for a consulting company that can render this type of service? Well, look no further, because we do not only provide CMMI Certification in Mumbai but also CMMI Certification in the Philippines, the United Kingdom (UK), Argentina and Egypt.


5 Ways To Achieve CMMI Level 3 Certification For Any Organization

Gaining a CMMI Certification is like conducting a fitness check for an organization to figure out any impairments in its processes, workflows, procedures, and practices that affect productivity and hamper growth. Various best practices and processes are included at different maturity levels of a CMMI Certification. These CMMI process areas target the identification, effective management, and continuous improvement of various business processes by applying generic practices under every process area. CMMI Maturity Level 1 targets reactive unpredictable processes that are poorly controlled and inefficiently managed. CMMI Maturity Level 2 targets reactive project-specific processes. CMMI Maturity Level 3 targets proactive organizational-level processes. CMMI Maturity Level 4 targets properly measurable controlled processes. CMMI Maturity Level 5 is the optimization phase that focuses majorly on process improvement.

Any organization can achieve CMMI Level 3 Certification in India by following certain steps. There are various renowned consultancy firms in cities like Delhi, Mumbai, Ahmedabad, Bangalore, Chennai, and Pune that facilitate consulting services for CMMI Certification. 5 ways to achieve CMMI Level 3 Certification are as follows:

1- Gap Analysis: The first and foremost step is to find any gaps in the specified process areas defined under CMMI Model for that level. The insights gained at this step form the basis for any future decisions that greatly impact an organization.

2- Training: This phase involves learning industry standards, best practices, methodologies, and organizational procedures that comply with the CMMI process areas for that level. In other words, this phase teaches process engineering for designing and developing business processes.

3- Tune-up: This phase helps the organizations in applying the cognizance gained in the previous step onto their business processes. This involves the implementation of a plan that includes identification of required tuning up as well as the development of processes to fill in the gaps identified in the first phase.

4- SCAMPI B: This step provides a formal appraisal that serves as a tool for gathering the information required to understand the current state of an organization with respect to CMMI. It gives an indication of readiness for the CMMI Maturity Level 3 appraisal.

5- SCAMPI A: This phase marks the successful completion of the appraisal at the targeted level.

With an increasing demand for streamlined procedures and global standards across all software development industries, CMMI Certification in India is gradually gaining attention. But the wave is not limited to national boundaries. Even countries like the USA are showing an increased inclination towards standardized procedures with CMMI Certification. Many renowned organizations have undertaken CMMI Certification in Washington to gain valuable insight into industry procedures and best practices, and have applied the same to improve processes, assess risks, and devise strategies for continuous improvement of operational procedures. Many organizations in Washington have embraced growth, productivity, and success with CMMI Certification.

Although there are various organizations that provide CMMI Certification, CUNIX infotech is a reliable name known worldwide for its incisive analysis, in-depth research, knowledge across various industrial domains, and years-long industry experience.