Available at a fixed monthly cost

Get your quote today

What we offer at a glance

  • Get an external data protection officer
  • Audit of your data privacy status quo
  • GDPR support for small businesses and large corporations
  • Personal contact person & individual support
  • Easier communication with authorities
  • 100+ experts from the fields of law, economics & IT

Don't trust us, trust them:

Jedox  Logo Contact Demodesk Logo Contact Elevate Logo Contact Canon  Logo Contact CBTL Logo Contact Alasco  Logo Contact RightNow Logo Contact Veganz Logo Contact Escada Logo Contact First Group Logo Contact

Learn more about our prices & services

or call us now: (020) 36956 452

ISO 27001 - Annex A.17 - Information Security Aspects of Business Continuity Management

Organisations can become vulnerable to disruptions and other emergencies, so it is vital to implement measures that ensure prevention, when possible, and quick recovery, in the case of unavoidable situations. People, places, and systems must be considered when planning for the unexpected—and Annex A.17 of the Annex A controls takes this into account, ensuring that information security is maintained through adverse events.

What is Annex A.17?

Annex A.17 outlines the requirements for an organisation's business continuity management in relation to its information security aspects. This ensures that any operations that rely on data and systems can be resumed during disaster recovery. So, what exactly is business continuity management?

What is Business Continuity Management?

Business continuity management – or planning – is the process of identifying real or potential threats and contingency measures to handle disruptions to normal business processes. This includes an organisation’s information security aspects, putting procedures in place to ensure the swift recovery of systems and data. Next, let us understand the importance of business continuity management and how it applies to your organisation.

Why is Business Continuity Management important for your organisation?

In the event of unavoidable or unexpected disruptions to business operations, effective business continuity planning ensures that your organisation is able to recover and regain full functionality as rapidly as possible, and minimise the impact of such disruptions. This level of planning requires risk assessment and analysis, and measures must be taken to protect the integrity, availability and confidentiality of information in accordance with all relevant regulations, legislature and policies. 

What are the Annex A.17 controls?

Annex A.17 comprises 4 controls across two subsets aimed at ensuring, planning and implementing information security continuity. These controls are as follows:

A.17.1 Information Security Continuity

A.17.1 states policies that ensure the continuity of information security should be considered a part of and integrated into the organisation’s business continuity management processes.

  • A.17.1.1 Planning Information Security Continuity

    When faced with disruptions and adverse circumstances, organisations must determine their requirements for the continuity of information security during and after the event. 


    An effectively managed ISMS may already have control mechanisms in place that reduce the need for an A.17 based disaster management plan. Even so, a detailed plan must be documented; one that ensures infosec continuity and assumes existing infosec requirements remain the same across normal and adverse conditions. Alternatively, a risk analysis may be conducted to identify new information security requirements relevant to the disruption or adverse situation at hand.

  • A.17.1.2 Implementing Information Security Continuity

    Once infosec requirements have been identified, the organisation must implement policies and controls to facilitate the satisfaction of these requirements. All aspects of work (parties responsible, activities etc.) must be clearly defined along with an appropriate escalation procedure and points of contact, to ensure swift resolution and return to normal operations.
  • A.17.1.3 Verify, Review & Evaluate Information Security Continuity

    From time to time, the control measures in place must be evaluated for appropriateness and effectiveness. They must be tested to ensure that they are maintained in accordance with organisational changes and risk-based requirements. The results of testing must be logged for future review by auditors. 


A.17.2 Redundancies

The objective of A.17.2 is to ensure the availability of information processing facilities.

  • A.17.2.1 Availability of Information Processing Facilities

    Redundancy refers to the availability of a “backup” (usually in a different format) that ensures the survival of data in the event of failure. Typically, redundant items are duplicate pieces of hardware and must be tested at intervals to guarantee they can be relied on in emergency situations. They must also be afforded, at least, the same level of security as their primaries. 

    Periodic testing of redundant items must be documented for audit purposes. 


The Annex A Controls list ensures that, if implemented well, reduces the need for a business continuity plan. Although an ISO 27001 compliant ISMS with effective risk-prevention measures is ideal, an organisation may occasionally find itself in need of A.17 contingencies.

Our experts at DataGuard are here to help you strengthen your organisation's information security approach. Schedule a no-obligation phone consultation, today!

Book an appointment


About the author