Organisations can become vulnerable to disruptions and other emergencies, so it is vital to implement measures that ensure prevention, when possible, and quick recovery, in the case of unavoidable situations. People, places, and systems must be considered when planning for the unexpected—and Annex A.17 of the Annex A controls takes this into account, ensuring that information security is maintained through adverse events.
What is Annex A.17?
Annex A.17 outlines the requirements for an organisation's business continuity management in relation to its information security aspects. This ensures that any operations that rely on data and systems can be resumed during disaster recovery. So, what exactly is business continuity management?
What is Business Continuity Management?
Business continuity management – or planning – is the process of identifying real or potential threats and contingency measures to handle disruptions to normal business processes. This includes an organisation’s information security aspects, putting procedures in place to ensure the swift recovery of systems and data. Next, let us understand the importance of business continuity management and how it applies to your organisation.
Why is Business Continuity Management important for your organisation?
In the event of unavoidable or unexpected disruptions to business operations, effective business continuity planning ensures that your organisation is able to recover and regain full functionality as rapidly as possible, and minimises the impact of such disruptions. This level of planning requires risk assessment and analysis, and measures must be taken to protect the integrity, availability and confidentiality of information in accordance with all relevant regulations, legislation and policies.
What are the Annex A.17 controls?
Annex A.17 comprises four controls across two subsections, aimed at planning, implementing and ensuring information security continuity. These controls are as follows:
A.17.1 Information Security Continuity
A.17.1 states that the policies ensuring the continuity of information security should be treated as part of, and integrated into, the organisation's business continuity management processes.
- A.17.1.1 Planning Information Security Continuity
When faced with disruptions and adverse circumstances, organisations must determine their requirements for the continuity of information security during and after the event.
An effectively managed ISMS may already have control mechanisms in place that reduce the need for an A.17-based disaster management plan. Even so, a detailed plan must be documented: one that ensures infosec continuity and assumes that existing infosec requirements remain the same under both normal and adverse conditions. Alternatively, a risk analysis may be conducted to identify new information security requirements specific to the disruption or adverse situation at hand.
- A.17.1.2 Implementing Information Security Continuity
Once infosec continuity requirements have been identified, the organisation must implement policies and controls that satisfy them. All aspects of the work (responsible parties, activities, etc.) must be clearly defined, along with an appropriate escalation procedure and points of contact, to ensure swift resolution and a return to normal operations.
- A.17.1.3 Verify, Review & Evaluate Information Security Continuity
From time to time, the control measures in place must be evaluated for appropriateness and effectiveness. They must be tested to ensure that they are maintained in accordance with organisational changes and risk-based requirements. The results of testing must be logged for future review by auditors.
A.17.2 Redundancies
The objective of A.17.2 is to ensure the availability of information processing facilities.
- A.17.2.1 Availability of Information Processing Facilities
Redundancy refers to the availability of a “backup” (usually in a different format) that ensures the survival of data in the event of failure. Typically, redundant items are duplicate pieces of hardware and must be tested at intervals to guarantee they can be relied on in emergency situations. They must also be afforded, at least, the same level of security as their primaries.
Periodic testing of redundant items must be documented for audit purposes.
Conclusion
The Annex A controls, if implemented well, reduce the need for a business continuity plan. Although an ISO 27001 compliant ISMS with effective risk-prevention measures is ideal, an organisation may occasionally find itself in need of A.17 contingencies.
Our experts at DataGuard are here to help you strengthen your organisation's information security approach. Schedule a no-obligation phone consultation, today!