ISO 27001 - Annex A.17 and Business Continuity Management

Apr 17, 2023 by Maya G

Organizations are susceptible to disruptions and other emergencies, so it is critical to put policies in place that prevent disruption where feasible and, where it is unavoidable, ensure rapid recovery. Planning for the unexpected requires taking people, places, and systems into account; Annex A.17 of the Annex A controls does this, ensuring that information security is maintained despite unfavorable circumstances.

What is Annex A.17?

Annex A.17 of ISO 27001 is titled “Information Security Management System Incident Management”. The annex provides requirements for establishing, maintaining, and improving an incident management system. The purpose of this system is to manage incidents in a way that minimizes the harm to the organization and its customers.

Annex A.17 requires the organization to define an incident management procedure. This procedure should be reviewed and updated on a regular basis. The procedure should include:

  • A description of how incidents will be managed
  • Roles and responsibilities for incident management
  • The steps to be taken during an incident
  • A timeline for incident response
  • Communication plans for incidents
  • A method for recording and tracking incidents
  • A post-incident review process

What is Business Continuity Management?

Business continuity management (BCM) is a framework for identifying an organization's risk of exposure to internal and external threats.

BCM includes the processes and policies used to ensure that an organization can continue to operate despite disruptions to its normal functions.

A key part of BCM is the development of a business continuity plan (BCP), which is a document that outlines how an organization will continue to function in the event of an interruption to its normal operations.

BCM is an important part of any organization's risk management strategy and is required by the international standard ISO 27001.

Why is Business Continuity Management important for your organisation?

Business continuity management (BCM) is a framework for identifying an organisation's risk of exposure to internal and external threats. It helps an organisation to develop plans and procedures to ensure that essential functions can continue during and after an incident.

The goal of BCM is to reduce the chances of an incident occurring and to minimise the impact of an incident if it does occur.

BCM is a proactive approach that helps organisations to be better prepared for disruptions. It is an important part of an organisation's risk management strategy and should be included in an organisation's business continuity plan.

ISO 27001 is the international standard that sets out the requirements for an information security management system (ISMS). It can help organisations to protect their information assets from threats.

What are the Annex A.17 controls?

Annex A.17 contains four controls, grouped into two subsets, to plan, implement, and ensure information security continuity. The controls are:

A.17.1 Information Security Continuity

A.17.1 Information Security Continuity (ISO 27001) is an international standard that provides guidance on how to plan, implement, and maintain an information security management system (ISMS).

The standard helps organizations to keep their information security risks under control and to protect their data from unauthorized access, use, disclosure, or destruction. It is based on a risk management approach and covers all aspects of information security, including physical security, network security, and employee security.

A.17.1 Information Security Continuity (ISO 27001) is a comprehensive standard that can be used by any organization, regardless of size or industry. Implementing the standard can help organizations to protect their information assets and reduce their information security risks.

A.17.1.1 Planning Information Security Continuity

The goal of A.17.1.1 Planning Information Security Continuity is to ensure that the organization has the necessary plans and procedures in place to protect its information and systems in the event of an incident. This includes identifying the potential risks and vulnerabilities and determining the appropriate responses.

A.17.1.1 Planning Information Security Continuity is a requirement of the ISO 27001 standard. Organizations that are certified to ISO 27001 must have a plan in place that covers all aspects of information security continuity. This includes identifying the risks and vulnerabilities and determining the appropriate responses.

Organizations should review their plans on a regular basis to ensure that they are still relevant and up to date.

A.17.1.2 Implementing Information Security Continuity

The A.17.1.2 Implementing Information Security Continuity standard is a key component of the ISO 27001 information security management system. It requires organizations to develop and implement a plan to ensure the continuity of information security in the event of an incident or crisis.

The goal of the A.17.1.2 standard is to help organizations keep their information security systems up and running during and after an incident. This includes ensuring that information security personnel are available and that all data and systems are backed up and accessible.

The A.17.1.2 standard is important for all organizations that rely on information security to protect their data and systems. This includes organizations in all industries, from banking and finance to healthcare and government.

A.17.1.3 Verify, Review & Evaluate Information Security Continuity

Organizations store a great deal of confidential information, which is why it is essential to have continuity plans in place to protect this data in the event of a disaster. Information security continuity (ISO 27001) is a process that helps organizations ensure the availability of their critical information and systems in the event of a disruption.

A.17.1.3 Verify, Review & Evaluate Information Security Continuity is a requirement specification of ISO 27001. It states the specific requirement for an organization to review and evaluate its business continuity plans.

The process of review and evaluation includes:

  • Identifying the organization’s key stakeholders
  • Reviewing the organization’s current business continuity plans
  • Evaluating the adequacy of the plans
  • Determining the need for improvements to the plans

A.17.2 Redundancies

An important part of any security system is the provision of redundancy. This is necessary to ensure that the system can continue to function in the event of a failure of any single component.

The requirements for redundancy will vary depending on the nature of the system and the consequences of any downtime. For example, a security system for a small office may only require a single backup power supply, whereas a system for a data center would require multiple backups of both power and data.

When designing a security system, it is important to consider the requirements for redundancy and to ensure that these are built into the system. This includes not only the hardware but also the software, the people, and the procedures.

A.17.2.1 Availability of Information Processing Facilities

The purpose of A.17.2.1 is to ensure that information processing facilities are available when required to support the operation of the organization’s IS. The availability of information processing facilities is typically determined by specifying required service levels for the IS.

To achieve the required availability of information processing facilities, the organization should implement suitable policies, procedures, and controls. For example, A.17.2.1.1 (Back-up Procedures) requires that the organization has suitable procedures in place to ensure that data can be recovered in the event of a failure of information processing facilities.

The organization should also consider the impact of planned and unplanned events on the availability of information processing facilities. For example, A.17.2.1.2 (Disaster Recovery Planning) requires that the organization has a plan in place to restore information processing facilities in the event of a disaster.

Conclusion

If properly implemented, the Annex A controls list ensures that the need for a business continuity plan is diminished. Although an ISMS that complies with ISO 27001 and has strong risk-prevention procedures is preferable, an organization may occasionally still require the A.17 contingencies.