
BRC issue 8, clause 3.11 - cyber security procedure

Started by , Jul 31 2020 03:13 PM
3 Replies

Under section 3, clause 3.11.1 it is a requirement that organizations implement procedures to document and handle cyber attacks or the failure of their internet security. Does anybody have this type of document or procedure?

Thank you

Hi Maria,

JFI, note that the text is -

This shall include consideration of contingency plans to maintain product safety, quality and legality. Incidents may include .............

The point Charles raises about the "shall" vs. "may" requirements in the clause is very valid - I'd start by doing a documented assessment of what IT you're actually using. If your production process is manually controlled or not linked to any sort of network, and your order processing is all on paper, then the potential significance of a cyber attack is extremely limited. Conversely, if your production equipment is all linked to your company LAN and all order and warehouse management is computerised then one case of the encryption malware that seems to be increasingly common at present will bring your entire operation to a halt...

Really the scope and significance of this type of procedure is very much dependent on exactly what you're doing, so start with an assessment of that. If you don't have in-house IT staff then it might be worth bringing a consultant in.

IME BRC auditors aren't necessarily expecting IT security systems to be documented as part of your "normal" quality manual - merely a few notes in your crisis management plan documenting broad details (existence of backups, existence of security controls, etc.) is sufficient. The scale of what you'll be able to do may depend on your company's approach, too. For example we have extremely comprehensive IT security protocols, but no-one outside of the most senior levels of IT is allowed to see the full details of these, let alone copy them into another procedure for BRC!

The actual specifics of the plan are a difficult item to share as, understandably, it's not something that many businesses want to become public knowledge given that this could very significantly undermine the effectiveness of the plan - e.g. if an attacker knows where and how our backups are stored then they're significantly less reliable...

1 Thank
