Question about IS in Business Continuity Management (A.17.1)

[Sizzles]

Our company already has a Business Continuity Plan installed and in alignment with ISO 22301. I am reviewing the controls in Annex A of ISO 27001:2013 for the ISMS we are trying to implement and certify. I am confused by a bit of the verbiage in the control. It starts with "Information security ASPECTS OF business continuity management," and then moves onto to the control details with the end focus of "ensure the required level of continuity for information security during an adverse situation."

Do we need to draw up separate documentation for this control or can we simply defer to the company BCP, particularly the sections regarding data back-up, recovery, and restoration?

Or is this control about only establishing how the processes and procedures of the ISMS would persist through the activation of a BCP, i.e. risk assessments at the time a disaster occurs?

Hope this question makes sense

 

[AndyN]

Our company already has a Business Continuity Plan installed and in alignment with ISO 22301. I am reviewing the controls in Annex A of ISO 27001:2013 for the ISMS we are trying to implement and certify. I am confused by a bit of the verbiage in the control. It starts with "Information security ASPECTS OF business continuity management," and then moves onto to the control details with the end focus of "ensure the required level of continuity for information security during an adverse situation."

Do we need to draw up separate documentation for this control or can we simply defer to the company BCP, particularly the sections regarding data back-up, recovery, and restoration?

Or is this control about only establishing how the processes and procedures of the ISMS would persist through the activation of a BCP, i.e. risk assessments at the time a disaster occurs?

Hope this question makes sense

Great question! As far as I understand, you can simply align to you BCM plan, while you ensure the SECURITY aspects are also taken care of.

 

[Richard Regalado]

Hello. As quick and as simple as I can because the wife is calling me now.

BC strategy: when the stuff hits the fan, transfer operations from Site A to Site B which is 100 kms away.

To address the requirements of ISO/IEC 27001 A.17 whatever infosec controls you have in Site A must also be existing in Site B. It makes sense. The information you are trying to preserve and protect did not change. Your environment and geographical location did, maybe some of the processes did (from automatic to manual - remember you are in BCP mode) but the information, it is the same, same sensitivity, same criticality, same requirements for availability, etc.

Meaning, if you have ABC anti-virus in Site A and router XYZ and guard Jane to protect the employees, the same must also be in Site B. Well,maybe not Jane (could be Karen) exactly but someone who can offer the same level of protection.

In a nutshell, that is information security continuity.

Goodnight good folks of the Cove.