All types Page Article White Paper Download
Solutions The best route to security compliance
Hicomply Privacy™ ISO 27001 ISO 9001 ISO 14001 SOC 2 NHS DSPT NIST 800-53 Hicomply GRC™ Services & Customer Support
Platform A powerful suite of ISMS features
Dashboard ISMS Scoping Policy Management Risk Management Information Asset Management Task Management Integrations Hicomply for Enterprises Trust Centre Controls Monitor Hicomply AI SCIM Integration
Resources Everything you need to know
Knowledge & Insights Resources Hub Case Studies Sectors Glossary News ROI Calculator
Knowledge Base Learn more about infosec
ISO 27001 Knowledge Base SOC 2 Knowledge Base NHS DSPT Knowledge Base PCI DSS Knowledge Base NIST 800-53 Knowledge Base DORA Knowledge Base
Company Security and customers first
About News Partners Contact

ICT readiness for business continuity

Annex A control 5.30 of the 2022 version of the ISO 27001 standard is a new control and therefore cannot be mapped to any control from ISO 27001:2013.

Control 5.20 focuses on the role of ICT services and platforms in business continuity, in the event of a disruption. The Annex defines an organisation’s recovery time objective (RTO) and business impact analysis (BIA), outlining how ICT services interact with them. Information integrity and availability must be maintained before, during and after a business interruption.

Understanding control 5.30

A BIA explores how business continuity is impacted by a disruption of any kind, regardless of impact and the variables involved.

Creating processes and procedures under control 5.30 requires a comprehensive BIA, in order to understand how the organisation should respond to a disruption.

An agreed RTO must set clear goals for the return to normal operation. To achieve this, organisations should consider assessing both the magnitude and the nature of the disruption.

Within their BIA, organisations must be able to identify the services and functions required for recovery, as well as their capacity requirements. Conducting a risk assessment of ICT systems is key to developing an ICT continuity strategy that can be launched before, during, and after an incident.

Processes should be put in place after a strategy has been developed to make sure services can support critical processes both during and after a disruption.

Control 5.30 guidance points

The main guidance points in control 5.30 regarding ICT continuity plans are:

  1. Senior staff members should make quick IS decisions to expedite the recovery process.
  2. There should be a strong chain of command in place for business continuity and RTO adherence. It should include competent individuals who can make authoritative decisions.
  3. Structures must be up to date and communicated widely to encourage adequate communication and fast recovery times.
  4. Regular testing and evaluation should be part of ICT continuity plans, as well as senior management approval.
  5. Key metrics should be measured, such as response and resolution times.
  6. Test runs should take place to measure the effectiveness of systems.
  7. ICT continuity plans should include the following details:
    a. Capacity and performance requirements of any recovery processes.
    b. RTOS for all ICT services and plans for how to restore them.
    c. Defining a recovery point objective (RPO) for each ICT resource, and creating restoration procedures.

How have things changed since 2013?

As a new control, 5.30 doesn’t feature in ISO 27001:2013 in any capacity.