ISO 27001 Annex A.17: Information Security Aspects of Business Continuity Management
The controls in this section aim to establish a system that can withstand business disruptions while keeping information security controls in force throughout. The question they address is: how do you ensure that your business can continue to operate, and recover fully, after facing and resolving a threat?
A.17.1 Security continuity
A.17.1.1 Planning information security continuity
The most successful businesses are those that plan for disaster and align that plan with the information security threats they face and the scenarios they expect to respond to. This is not pessimism; it is covering your bases and making sure your company has a Plan B for when the unexpected happens.
In the midst of a crisis, which services will you still need, and expect your ISMS to deliver? What would happen if a significant data source in your system were affected, and what would your response be?
Consider the worst threats that could realistically occur. Do you have an emergency plan in place to address such incidents? Good planning is what protects your business from the negative effects of an information security breach.
A.17.1.2 Implementing information security continuity
Once you’ve mapped out the possible threat outcomes, it’s time to strategise. Your continuity policy must document:
- Trigger points that signal when an incident is about to escalate, and the steps needed to sustain information security controls during the incident
- Recovery procedures that you’ll implement once a crisis has begun
- Processes you’ll use to maintain conditions that favour business continuity after the recovery phase
- Descriptions of all additional roles, activities, owners and risk reduction techniques that will be assigned at each stage of the plan
- The proposed duration of the information security continuity or business continuity plan, including the estimated time frames within which business will return to normal
A.17.1.3 Verify, review and evaluate information security continuity
All continuity controls need to be monitored and reviewed during the recovery phase to gauge the company’s progress. Testing of these controls should also run on a recurring schedule, independent of any real incident, and the results should be used to decide whether the controls need adjusting to match the system’s current state.
As risk levels change, so should your processes; otherwise your procedures will no longer benefit the system. During your internal audit, you’ll be asked to present logs of all recovery controls exercised during the process. Records of the events that followed recovery, including setbacks and improvements, will also come into play, because the recovery phase is a learning process for your firm. Make sure you record those lessons.
A.17.2 Redundancies
A.17.2.1 Availability of information processing facilities
Redundancy means keeping duplicates of the components your information systems depend on, such as stored copies of data, in order to maintain availability. In simple terms, if one of your originals fails, you have a backup available to take its place.
You should conduct regular tests to confirm the viability of your redundancies, because it would be a serious failure if your backup also failed when you needed it. Since redundant items are so important to system continuity, they must be protected to the same level as your originals, or better. Most companies today use cloud storage to hold their redundancies; if you have such a supplier relationship, you should discuss the status of your redundancies in the cloud with the supplier. They should be well informed of the risks you face related to data security. Transparency is key.
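The following is an added example, not code from the page or from the ISO 27001 standard, that turns two of the points above into a runnable drill: the time frames a continuity plan commits to (A.17.1.2) and the regular testing of redundancies (A.17.2.1). It assumes a simple file-copy backup with a hash manifest, and uses illustrative RPO and RTO targets (hypothetical values chosen for the demonstration, not figures from the page). The drill checks backup age against the RPO, times a trial restore into a scratch directory against the RTO, and verifies every restored file against the manifest, so a silently corrupted or stale backup is caught before a real crisis.

```python
"""Backup restore drill: checks RPO, RTO and integrity of a stored copy.

Added example (not the page's own code). Assumes a file-copy backup with a
SHA-256 manifest; RPO/RTO targets below are illustrative assumptions.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(src: Path, backup_dir: Path) -> Path:
    """Copy src into backup_dir/data and record a timestamped hash manifest."""
    data = backup_dir / "data"
    if data.exists():
        shutil.rmtree(data)
    shutil.copytree(src, data)
    manifest = {
        "taken_at": time.time(),
        "files": {str(p.relative_to(data)): sha256_file(p)
                  for p in data.rglob("*") if p.is_file()},
    }
    (backup_dir / "manifest.json").write_text(json.dumps(manifest))
    return backup_dir


def restore_drill(backup_dir: Path, restore_to: Path,
                  rpo_seconds: float, rto_seconds: float, now=None) -> dict:
    """Run one drill and return findings; 'ok' is True only if every check passes."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    now = time.time() if now is None else now
    findings = {"problems": []}

    # 1. Recovery point objective: is the newest copy recent enough?
    age = now - manifest["taken_at"]
    findings["backup_age_s"] = age
    if age > rpo_seconds:
        findings["problems"].append(f"backup age {age:.0f}s exceeds RPO {rpo_seconds}s")

    # 2. Recovery time objective: time the trial restore itself.
    start = time.monotonic()
    if restore_to.exists():
        shutil.rmtree(restore_to)
    shutil.copytree(backup_dir / "data", restore_to)
    elapsed = time.monotonic() - start
    findings["restore_time_s"] = elapsed
    if elapsed > rto_seconds:
        findings["problems"].append(f"restore took {elapsed:.1f}s, exceeds RTO {rto_seconds}s")

    # 3. Integrity: every file in the manifest must be present and unaltered.
    for rel, expected in manifest["files"].items():
        restored = restore_to / rel
        if not restored.exists():
            findings["problems"].append(f"missing after restore: {rel}")
        elif sha256_file(restored) != expected:
            findings["problems"].append(f"hash mismatch: {rel}")

    findings["ok"] = not findings["problems"]
    return findings


def demo():
    """Drill a constructed tree three times: healthy, corrupted copy, stale copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "src"
        (src / "db").mkdir(parents=True)
        # Constructed sample content, standing in for a real data store and config.
        (src / "db" / "customers.sqlite").write_bytes(b"constructed sample database\n" * 100)
        (src / "config.yml").write_text("listen: 0.0.0.0:443\n")

        backup = take_backup(src, root / "backup")
        good = restore_drill(backup, root / "restore1", rpo_seconds=3600, rto_seconds=60)

        # Simulate silent corruption of the stored copy (bit rot, truncation, tampering).
        (backup / "data" / "db" / "customers.sqlite").write_bytes(b"corrupted")
        bad = restore_drill(backup, root / "restore2", rpo_seconds=3600, rto_seconds=60)

        # Simulate a drill run a day later with no fresh backup against a 1-hour RPO.
        stale = restore_drill(backup, root / "restore3", rpo_seconds=3600,
                              rto_seconds=60, now=time.time() + 86400)
        return good, bad, stale


if __name__ == "__main__":
    for name, result in zip(("healthy", "corrupted", "stale"), demo()):
        print(name, "OK" if result["ok"] else result["problems"])
```

Run on a schedule, the drill produces exactly the kind of dated evidence an internal auditor will ask for: each run records backup age, restore time and integrity outcome, and a failing run is a trigger to fix the backup process before it is needed for real.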