ISO 27001 - Annex A.17 and business continuity management

Organisations can become vulnerable to disruptions and other emergencies, so it is vital to implement measures that ensure prevention, when possible, and quick recovery, in the case of unavoidable situations. People, places, and systems must be considered when planning for the unexpected—and Annex A.17 of the Annex A controls takes this into account, ensuring that information security is maintained through adverse events.

What is Annex A.17?

Annex A.17 outlines the requirements for an organisation's business continuity management in relation to its information security aspects. This ensures that any operations that rely on data and systems can be resumed during disaster recovery. So, what exactly is business continuity management?

What is Business Continuity Management?

Business continuity management – or planning – is the process of identifying real or potential threats and contingency measures to handle disruptions to normal business processes. This includes an organisation’s information security aspects, putting procedures in place to ensure the swift recovery of systems and data. Next, let us understand the importance of business continuity management and how it applies to your organisation.

Why is Business Continuity Management important for your organisation?

In the event of unavoidable or unexpected disruptions to business operations, effective business continuity planning ensures that your organisation is able to recover and regain full functionality as rapidly as possible, and minimise the impact of such disruptions. This level of planning requires risk assessment and analysis, and measures must be taken to protect the integrity, availability and confidentiality of information in accordance with all relevant regulations, legislation and policies.

What are the Annex A.17 controls?

Annex A.17 comprises 4 controls across two subsets, aimed at ensuring that information security continuity is planned, implemented and maintained. These controls are as follows:

A.17.1 Information Security Continuity

A.17.1 states that policies ensuring the continuity of information security should be considered part of, and integrated into, the organisation’s business continuity management processes.

  • A.17.1.1 Planning Information Security Continuity

    When faced with disruptions and adverse circumstances, organisations must determine their requirements for the continuity of information security during and after the event.

    An effectively managed ISMS may already have control mechanisms in place that reduce the need for an A.17-based disaster management plan. Even so, a detailed plan must be documented; one that ensures infosec continuity and assumes existing infosec requirements remain the same across normal and adverse conditions. Alternatively, a risk analysis may be conducted to identify new information security requirements relevant to the disruption or adverse situation at hand.

  • A.17.1.2 Implementing Information Security Continuity

    Once infosec continuity requirements have been identified, the organisation must implement policies and controls to facilitate the satisfaction of these requirements. All aspects of work (parties responsible, activities etc.) must be clearly defined along with an appropriate escalation procedure and points of contact, to ensure swift resolution and return to normal operations.

  • A.17.1.3 Verify, Review & Evaluate Information Security Continuity

    From time to time, the control measures in place must be evaluated for appropriateness and effectiveness. They must be tested to ensure that they are maintained in accordance with organisational changes and risk-based requirements. The results of testing must be logged for future review by auditors.

A.17.2 Redundancies

The objective of A.17.2 is to ensure the availability of information processing facilities.

  • A.17.2.1 Availability of Information Processing Facilities

    Redundancy refers to the availability of a “backup” (usually in a different format) that ensures the survival of data in the event of failure. Typically, redundant items are duplicate pieces of hardware and must be tested at intervals to guarantee they can be relied on in emergency situations. They must also be afforded, at least, the same level of security as their primaries.

    Periodic testing of redundant items must be documented for audit purposes.

Conclusion

The Annex A controls list, if implemented well, reduces the need for a business continuity plan. Although an ISO 27001 compliant ISMS with effective risk-prevention measures is ideal, an organisation may occasionally find itself in need of A.17 contingencies.

Our experts at DataGuard are here to help you strengthen your organisation's information security approach. Schedule a no-obligation phone consultation today!
