BRC issue 8, clause 3.11 - cyber security procedure
Maria1994

Posted 31 July 2020 - 03:13 PM

Under section 3, clause 3.11.1 it is a requirement that organizations implement procedures to document and handle cyber attacks or the failure of their internet security. Does anybody have this type of document or procedure?

Thank you

Charles.C

Posted 03 August 2020 - 06:14 PM

Hi Maria,

JFI, note that the text is -

This shall include consideration of contingency plans to maintain product safety, quality and legality. Incidents may include .............

Kind Regards,

Charles.C


pHruit

Posted 04 August 2020 - 07:56 AM

The point Charles raises about the "shall" vs. "may" requirements in the clause is very valid - I'd start by doing a documented assessment of what IT you're actually using. If your production process is manually controlled or not linked to any sort of network, and your order processing is all on paper, then the potential significance of a cyber attack is extremely limited. Conversely, if your production equipment is all linked to your company LAN and all order and warehouse management is computerised then one case of the encryption malware that seems to be increasingly common at present will bring your entire operation to a halt...

Really the scope and significance of this type of procedure is very much dependent on exactly what you're doing, so start with an assessment of that. If you don't have in-house IT staff then it might be worth bringing a consultant in.

IMEX BRC auditors aren't necessarily expecting IT security systems to be documented as part of your "normal" quality manual - merely a few notes in your crisis management plan documenting broad details (existence of backups, existence of security controls etc) is sufficient. The scale of what you'll be able to do may depend on your company's approach, too. For example we have extremely comprehensive IT security protocols, but no-one outside of the most senior levels of IT is allowed to see the full details of these, let alone copy them into another procedure for BRC!

The actual specifics of the plan are a difficult item to share as, understandably, it's not something that many businesses want to become public knowledge given that this could very significantly undermine the effectiveness of the plan - e.g. if an attacker knows where and how our backups are stored then they're significantly less reliable...