ISO 27001 Annex: A.17 Information Security Aspects of Business Continuity Management

This article discusses Information Security Continuity, Planning Information Security Continuity and Implementing Information Security Continuity controls.

A.17.1 Information Security Continuity

This process is meant to optimize the organization’s business continuity management processes through the integration of information security.

A.17.1.1 Planning Information Security Continuity

Under adverse circumstances, such as when the organization faces a crisis or a catastrophe, the organization should determine how its information security requirements and information security management will be maintained.

Implementation Guidance

Organizations should determine whether continuity of security is part of the disaster recovery process or the business continuity process. When preparing for business continuity or disaster recovery, information security standards will be established.

Business continuity and disaster recovery plans should address the requirements of information security in adverse situations, with or without formal business continuity and disaster recovery measures. Organizations may also conduct business impact analyses of information security issues to determine security criteria related to adverse circumstances.

Other Information

To minimize the time and expense involved in an external business impact analysis for information security, the security aspects of information should be included in the standard business continuity or disaster recovery business impact analysis. The continuity requirements for information security are then formulated explicitly within the disaster recovery or business continuity management process.

A.17.1.2 Implementing Information Security Continuity

To maintain the required level of information security under adverse conditions, the organization should define, document, implement and maintain the systems that support it.

Implementation Guidance

An organization should ensure the following:

– An appropriate level of management structure with the authority, expertise, and competence to plan, manage, and respond to disruptive events;
– The incident response personnel are assigned the necessary responsibility, authority, and expertise in the area of incident management and information security;
– It develops and approves the documents detailing how the organization handles an event that disrupts its routine operations and maintains its information security at predetermined levels, based on the approved information security continuity objectives.

The following information security continuity provisions should be established, documented, implemented, and maintained by the organization:

– Maintaining security standards and processes, supporting systems and equipment, and providing business continuity or disaster recovery planning;
– Maintaining existing information security controls by implementing processes, procedures, and changes in an adverse situation;
– Compliance with information security management measures that can’t be enforced in certain situations.

Other Information

Details of the processes and procedures related to business continuity, disaster recovery, etc., could be described in various ways. It’s important to address the information that is held within these processes and procedures, and within the systems that support them. Information security professionals will therefore be in charge of developing, implementing and managing business continuity systems, as well as disaster recovery procedures.

Information security checks should still be conducted even under adverse circumstances. Where the existing information security controls cannot be kept effective, other information security controls must be established, enforced, and maintained to ensure an appropriate level of information security.
