ISO 27001 - Annex A.17: Information Security Aspects of Business Continuity Management
What is the objective of Annex A.17.1 of ISO 27001:2013?
Annex A.17.1 is about information security continuity. The objective of this Annex A control is that information security continuity shall be embedded in the organisation’s business continuity management systems. It is an important part of the information security management system (ISMS), especially if you want to achieve ISO 27001 certification. Let’s look at those requirements and what they mean in a bit more depth.
A.17.1.1 Planning Information Security Continuity
The organisation must determine its requirements for information security and for the continuity of information security management in adverse situations, e.g. during a crisis or disaster. The best ISMSs will already have broader Annex A controls that reduce the likelihood of ever needing to invoke a disaster recovery process or business continuity plan in line with A.17. Despite that effort, more significant disruptive incidents can still happen, so planning for them is important. What happens when a major data centre holding your information and applications becomes unavailable? What happens when a major data breach occurs, a ransomware attack hits, a key person in the business is out of action, or Head Office suffers major flooding?
Having considered the various events and scenarios that need to be planned for, the organisation can then document the plan in whatever detail is required to demonstrate it understands those issues and the steps required to address them.
ISO 22301 offers a more structured approach to business continuity that dovetails very elegantly with the main requirements of ISO 27001.
A.17.1.2 Implementing Information Security Continuity
The organisation needs to establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during a disruptive situation. Once requirements have been identified, the organisation must implement policies, procedures and other physical or technical controls that are adequate and proportionate to meet those requirements. The plan should describe the responsibilities, activities, owners, timescales and mitigating work to be undertaken (beyond the risks and policies already in operation, e.g. crisis communications). A management structure and relevant escalation trigger points should be identified so that if and when an event increases in severity, the escalation to the appropriate authority is made effectively and in a timely manner. It should also be made clear when there is a return to business as usual and any BCP processes stop.
A.17.1.3 Verify, Review & Evaluate Information Security Continuity
The organisation must verify the established and implemented information security continuity controls at regular intervals to ensure that they remain valid and effective in those situations. The controls implemented for information security continuity must be tested, reviewed and evaluated periodically to ensure they are maintained against changes in the business, technologies and risk levels. The auditor will want to see evidence of:
- Periodic testing of plans and controls;
- Logs of plan invocations and the actions taken through to resolution, including lessons learnt; and
- Periodic review and change management to ensure that plans are maintained against change.
A.17.2.1 Availability of Information Processing Facilities
A good control describes how information processing facilities are implemented with sufficient redundancy to meet availability requirements. Redundancy typically means implementing duplicate hardware to ensure availability of information processing systems. The principle is that if one or more items fail, there are redundant items that will take over. Critical to this is periodic testing of the redundant components and systems to ensure that fail-over will be achieved in a reasonable time-frame. Redundant components must be protected at the same level as, or a greater level than, the primary components; a standby in the same rack, room or flood plain as the primary does not protect against the events that take out both. Many organisations use cloud-based providers, so they will want to ensure redundancy is addressed effectively in their contracts with suppliers and as part of the supplier policy under A.15.
The auditor will expect to see that testing is carried out on a periodic basis wherever redundant components and systems are in place and under the control of the organisation.
ISO 27001 Annex A Controls
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development, and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
ISO 27001 requirements
- 4.1 Understanding the organisation and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the information security management system
- 4.4 Information security management system
- 5.1 Leadership and commitment
- 5.2 Information Security Policy
- 5.3 Organizational roles, responsibilities and authorities
- 6.1 Actions to address risks and opportunities
- 6.2 Information security objectives and planning to achieve them
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement