ISO 27001 Annex A control 5.30 ICT readiness for business continuity


26 October 2023.

ISO 27001 Annex A control 5.30 ICT readiness for business continuity

Qudos has published an extensive massive series of articles over the past year on the latest version of ISO 27001. Those are all still available from links here. Now, we are take a deeper dive into some of the 11 new controls that were introduced in the most recent update. The first article in this new series was Annex A control 5.23 Information security in the use of cloud services. This second article in the series looks at Annex A control 5.30 ICT readiness for business continuity.

Technically, this is a new control in ISO 27001:2022. However, there was some relevance in ISO 27001:2013 control A17 'Information security aspects of business continuity management'. Any existing arrangements to address that requirement may also be useful to incorporate here. The title in the 2022 edition suggests a wider application. The intention is to ensure the availability of information assets in the event of disruption. Of course, ICT (Information and Communications Technology) is a key element of all modern organizations, and the readiness of ICT is vitally important to achieve business continuity.

Business Continuity Planning

Business continuity management is dealing with the impact of disruptions in order to continue providing services or products. That is, at least to acceptable levels and time frames. As we have come to expect from ISO 27001, it is not overly prescriptive on what must be done. A BCP or Business Continuity Plan should be established, maintained and tested. It is necessary to establish what are the requirements and objectives for business continuity apply to your organisation.

As with any complex problem, establishing a BCP can be made more manageable by breaking it down into sections. We establish considering possible disruption scenarios and what are the objectives / requirements for continuing or restoring operations.

Your plan should include arrangements for prevention, preparation, response and recovery to build resilience in the face of those disruptions. Those 4 key steps are neatly illustrated here.

Business continuity cycle

Resilience in the face of disruption

The appropriate level of resilience will depend upon the context of your organization. That includes the nature of your services and products, your customers, and other interested parties. Clearly, business continuity is about more than information security. Business continuity management can help protect life and limb as well as reducing financial and reputational loss.

The organization should determine its information security requirements in the event of a disruption or adverse event, and then plan how to meet those requirements. That includes considering the need for recovery time objectives to be set, ICT continuity plans or procedures to be documented, a reporting structure to be in place, responsibility to be assigned, adequate system redundancy to be available, a communications plan, and the need for periodic checking / testing of the provisions and / or recovery exercises to ensure that they are fit for purpose and adequately address the risks identified.

The standard does not explicitly require a documented business continuity policy. However, some organizations choose to have one to provide a statement of intent which may be used to assure clients and other interested parties. An example policy is included in the Qudos3 ISO 27001 InfoSec Toolkit.

See reference below to a template Business Continuity Plan.

This control also closely relates to another control in ISO 27001 - 5.29 Information security during disruption. That topic was previously control A 17.1 in the previous edition of the standard. There are also several other ISO standards are also relevant to the topic:

ISO 27031 - Information technology - Security techniques - Guidelines for information and communication technology readiness for business continuity

This standard provides guidance on the concepts and principles behind the role of ICT in ensuring business continuity. It suggests a structure or framework, Identifies and specifies aspects of an ISMS for improving ICT readiness, and enables an organisation to measure its readiness for business continuity in the face of disruption.

ISO 22301 - Security and resilience - Business continuity management systems

In the light of recent events, governments, regulators and business clients will increasingly want to be confident of resilience in their supply chains. More and more, they will seek assurance that key suppliers have implemented an appropriate level of business continuity planning. That resilience may be achieved with a BCMS and may be demonstrated by the BCMS being independently certified. Fortunately, there is an international certification standard that specifies requirements for a BCMS, and that standard is ISO 22301.

The most recent (2019) version of ISO 22301 is based on the common high-level clause structure and terminology used in the current generation of ISO management system standards. These have also been applied to various other standards such as ISO 9001 (Quality), ISO 45001 (OH&S), ISO 14001 (Environment), and of course, ISO 27001 (Information Security).

Whilst individual standards add additional, discipline-specific requirements, there is clearly scope for business continuity to form part of an IMS (integrated management system). For those that would like to investigate the topic and ISO 22301 further, there is further information in this blog article on the Qudos web site.

Webinar on ICT readiness for business continuity

The Queensland Government is offering a series of free webinars to Queensland businesses and stakeholders.

The latest webinar in the series will explore the role played by ICT in ensuring successful business continuity and disaster recovery in the face of adverse environmental or man-made events. It will discuss how a business can ensure continuity of service, your business continuity plan and ISO 27001 controls and include practical demonstrations and scenarios.

This webinar will be held on November 2, 2023 at 1.00 to 2.00pm Brisbane Time. Click here to register.

There is no charge to attend.

Qudos Management is delighted to be presenting this webinar on behalf of Queensland Government.

Template Business Continuity Plan

To supplement this article and forthcoming webinar, we are including a new template Business Continuity Plan with our November 2023 newsletter. This latest template from the Qudos3 ISO 27001 InfoSec Toolkit is in Microsoft Word DOCX format for easy customising.

'ISO 27001 Information Security in plain English'

As a service to our visitors, this web site includes a series of blog articles where we work through requirements of all the clauses and controls in ISO 27001. You will find them to be a great starting point for developing your ISMS.

The series began with an introductory webinar. A copy of the slide deck is available for you here:

Qudos_ISO_27001 Information_Security_in_plain_English (PDF)

Click the LinkedIn Follow button below to receive notification of further articles and webinars.

There's nothing like word of mouth to share creative content. So, if you found this blog informative, please share it with a colleague or business associate.

Ready to start your journey to ISO 27001?

The first step to commencing a management system based on ISO 27001 is to conduct a Gap Analysis. We can provide a qualified, experience certification auditor to perform a professional Gap Analysis service for you.

Contact us today to discuss your needs!