August 7, 2024

ISO 27001:2022 Annex A Control 5.30: ICT Readiness for Business Continuity

Annex A control 5.30 of the 2022 version of the ISO 27001 standard is a new control and therefore cannot be mapped to any control from ISO 27001:2013.

By
Full name
Share this post

Control 5.20 focuses on the role of ICT services and platforms in business continuity, in the event of a disruption. The Annex defines an organisation’s recovery time objective (RTO) and business impact analysis (BIA), outlining how ICT services interact with them. Information integrity and availability must be maintained before, during and after a business interruption.

Understanding control 5.30

A BIA explores how business continuity is impacted by a disruption of any kind, regardless of impact and the variables involved.

Creating processes and procedures under control 5.30 requires a comprehensive BIA, in order to understand how the organisation should respond to a disruption.

An agreed RTO must set clear goals for the return to normal operation. To achieve this, organisations should consider assessing both the magnitude and the nature of the disruption.

Within their BIA, organisations must be able to identify the services and functions required for recovery, as well as their capacity requirements. Conducting a risk assessment of ICT systems is key to developing an ICT continuity strategy that can be launched before, during, and after an incident.

Processes should be put in place after a strategy has been developed to make sure services can support critical processes both during and after a disruption.

Control 5.30 guidance points

The main guidance points in control 5.30 regarding ICT continuity plans are:

  1. Senior staff members should make quick IS decisions to expedite the recovery process.
  2. There should be a strong chain of command in place for business continuity and RTO adherence. It should include competent individuals who can make authoritative decisions.
  3. Structures must be up to date and communicated widely to encourage adequate communication and fast recovery times.
  4. Regular testing and evaluation should be part of ICT continuity plans, as well as senior management approval.
  5. Key metrics should be measured, such as response and resolution times.
  6. Test runs should take place to measure the effectiveness of systems.
  7. ICT continuity plans should include the following details:
    a. Capacity and performance requirements of any recovery processes.
    b. RTOS for all ICT services and plans for how to restore them.
    c. Defining a recovery point objective (RPO) for each ICT resource, and creating restoration procedures.

How have things changed since 2013?

As a new control, 5.30 doesn’t feature in ISO 27001:2013 in any capacity.

Risk Management
Compliance Reporting
Policy Management
Incident Management
Audits and Assessments

Ready to Take Control of Your Privacy Compliance?

Book a demo and experience the difference with Hicomply.

By providing your email, you agree that Hicomply may contact you for scheduling and marketing purposes, subject to Hicomply’s Privacy Policy. You can unsubscribe at any time.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Risk Management
Compliance Reporting
Policy Management
Incident Management
Audits and Assessments