ISO 27001 – Annex A.17: Information Security Aspects of Business Continuity Management

What is the objective of Annex A.17.1 of ISO 27001:2013?

Annex A.17.1 is about information security continuity. The objective of this Annex A control is that information security continuity shall be embedded in the organisation’s business continuity management systems. It is an important part of the information security management system (ISMS), especially if you’d like to achieve ISO 27001 certification. Let’s look at those requirements and what they mean in a bit more depth.


A.17.1.1 Planning Information Security Continuity

The organisation must determine its requirements for information security and for the continuity of information security management in adverse situations, e.g. during a crisis or disaster. The best ISMSs will already have broader Annex A controls that reduce the need to invoke a disaster recovery process or business continuity plan under A.17.

Despite that effort, more significant disruptive incidents may still happen, so planning for them is important. What happens when a major data centre holding your information and applications becomes unavailable? What happens when a major data breach occurs, a ransomware attack is made, a key person in the business is out of action, or Head Office suffers major flooding?

Having considered the various events and scenarios that need to be planned for, the organisation can then document the plan in whatever detail is required to demonstrate it understands those issues and the steps required to address them.

ISO 22301 offers a more structured approach to business continuity that dovetails very elegantly with the main requirements of ISO 27001.

A.17.1.2 Implementing Information Security Continuity

The organisation needs to establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during a disruptive situation. Once requirements have been identified, the organisation must implement policies, procedures and other physical or technical controls that are adequate and proportionate to meet those requirements. The plan should describe the responsibilities, activities, owners, timescales and mitigating work to be undertaken (beyond the risks and policies already in operation, e.g. crisis communications). A management structure and relevant escalation trigger points should be identified to ensure that, if and when an event increases in severity, escalation to the appropriate authority is made effectively and in a timely manner. It should also be made clear when there is a return to business as usual and any BCP processes stop.


A.17.1.3 Verify, Review & Evaluate Information Security Continuity

The organisation must verify the established and implemented information security continuity controls at regular intervals to ensure that they are valid and effective during these situations. The controls implemented for information security continuity must be tested, reviewed and evaluated periodically to ensure they are maintained against changes in the business, technologies and risk levels. The auditor will want to see evidence of: periodic testing of plans and controls; logs of plan invocations and the actions taken through to resolution, including lessons learnt; and periodic review and change management to ensure that plans are maintained against change.

What is the objective of Annex A.17.2 of ISO 27001:2013?

Annex A.17.2 is about redundancies. The objective in this Annex A control is to ensure availability of information processing facilities.

A.17.2.1 Availability of Information Processing Facilities

A good control describes how information processing facilities are implemented with sufficient redundancy to meet availability requirements. Redundancy typically means implementing duplicate hardware to ensure availability of information processing systems. The principle is that if one or more items fail, redundant items will take over. Critical to this is periodic testing of redundant components and systems to ensure that fail-over will be achieved within a reasonable time-frame. Redundant components must be protected at the same level as, or a greater level than, the primary components. Many organisations use cloud-based providers, so they will want to ensure redundancy is addressed effectively in their contracts with suppliers and as part of the supplier relationships policy in A.15.

The auditor will expect to see that testing is carried out on a periodic basis where redundant components and systems are in place and under the control of the organisation.


How to easily demonstrate A.17 Information Security Aspects of Business Continuity Management

The platform makes it easy for you to plan, implement, verify, review and evaluate information security continuity. We’ll also help you to complete policies on ensuring availability of information processing facilities.

Step 1 : Get a 77% head start

Our pre-configured ISMS will enable you to demonstrate controls A.17.1 and A.17.2 within our platform and easily adapt it to your organisation’s needs.

You are provided with ready-made controls and references to subordinate policies that can be adopted, adapted, or added to out of the box.

This means that you have a ready-made, simple-to-follow foundation for ISO 27001 compliance or certification, giving you a 77% head start.

Step 2 : Demonstrate to your auditors

You can easily demonstrate your work to auditors by recording your evidence within the platform e.g. data, policies, controls, procedures, risks, actions, projects, related documentation and reports.

Step 3 : A time-saving path to certification

Our Assured Results Method, ARM, is your simple, practical, time-saving path to first-time ISO 27001 compliance or certification. A.17 is part of the second section that ARM will guide you on, where you’ll begin to describe your current information security policies and controls in line with Annex A controls.

Step 4 : Extra support whenever you need it

If you need extra support, our optional Virtual Coach provides context-specific help whenever you need it. Additionally, our Service Delivery Team and your Account Manager are only ever a phone call away.

Platform features

Disconnected templates and toolkits supported by an expensive consultant just don’t cut it anymore. You need an ISMS that works for you both now and as your business grows.