So if we dig out our copy of the ISO 27001 standard we read stuff like:
Backup copies of information, software and system images shall be taken and tested regularly.
The use of resources shall be monitored, tuned and projections made of future capacity requirements.
I've worked on ISO certs but I don't think I've ever seen the very expensive official documentation. I thought it was completely unprescriptive about what controls are needed, and says that should flow from your risk assessments? That's why I've always preferred NIST SP 800-53 with its nice long list of controls...