
ISO 27001 – Annex A.17: Information Security Aspects of Business Continuity Management

By Max Edwards | Updated 14 December 2023

Please be aware that as of October 2022, ISO 27001:2013 was revised and is now known as ISO 27001:2022. Please see the full revised ISO 27001 Annex A Controls to see the most up-to-date information.

What is the objective of Annex A.17.1?

Annex A.17.1 is about information security continuity. The objective of this Annex A control is that information security continuity shall be embedded in the organisation’s business continuity management systems. It is an important part of the information security management system (ISMS), especially if you want to achieve ISO 27001 certification.

A.17.1.1 Planning Information Security Continuity

The organisation must determine its requirements for information security and for the continuity of information security management in adverse situations, e.g. during a crisis or disaster. The best ISMSs will already have broader Annex A controls in place that reduce the likelihood of ever needing to invoke a disaster recovery process or business continuity plan under A.17.

Despite that effort, more significant disruptive incidents may still happen, so planning for them is important. What happens when a major data centre holding your information and applications becomes unavailable? What happens when a major data breach occurs, a ransomware attack is made, a key person in the business is out of action, or Head Office suffers major flooding?

Having considered the various events and scenarios that need to be planned for, the organisation can then document the plan in whatever detail is required to demonstrate it understands those issues and the steps required to address them.

ISO 22301 offers a more structured approach to business continuity that dovetails very elegantly with the main requirements of ISO 27001.

A.17.1.2 Implementing Information Security Continuity

The organisation needs to establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during a disruptive situation. Once requirements have been identified, the organisation must implement policies, procedures and other physical or technical controls that are adequate and proportionate in order to meet those requirements.

The plan should describe the responsibilities, activities, owners, timescales and mitigating work to be undertaken (beyond the risks and policies already in operation, e.g. crisis communications). A management structure and relevant escalation trigger points should be identified to ensure that, if and when an event increases in severity, escalation to the appropriate authority is made effectively and in a timely manner. It should also be made clear when there is a return to business as usual and any BCP processes stop.

A.17.1.3 Verify, Review & Evaluate Information Security Continuity

The organisation must verify the established and implemented information security continuity controls at regular intervals to ensure that they remain valid and effective in these situations. The controls implemented for information security continuity must be tested, reviewed and evaluated periodically so that they are maintained against changes in the business, its technologies and its risk levels.

The auditor will want to see evidence of: periodic testing of plans and controls; logs of plan invocations and the actions taken through to resolution, including lessons learnt; and periodic review and change management to ensure that plans are maintained against change.


What is the objective of Annex A.17.2?

Annex A.17.2 is about redundancies. The objective of this Annex A control is to ensure the availability of information processing facilities.

A.17.2.1 Availability of Information Processing Facilities

A good control describes how information processing facilities are implemented with sufficient redundancy to meet availability requirements. Redundancy typically means implementing duplicate hardware to ensure the availability of information processing systems. The principle is that if one or more items fail, redundant items take over.

Critical to this is periodic testing of redundant components and systems to ensure that fail-over will be achieved within an acceptable time-frame. Redundant components must be protected to the same level as, or a greater level than, the primary components.

Many organisations use cloud-based providers, so they will want to ensure redundancy is addressed effectively in their contracts with suppliers and as part of the supplier relationships policy in A.15.

The auditor will expect to see that testing is carried out on a periodic basis wherever redundant components and systems are in place and under the control of the organisation.
