Our company already has a Business Continuity Plan in place and in alignment with ISO 22301. I am reviewing the controls in Annex A of ISO 27001:2013 for the ISMS we are trying to implement and certify. I am confused by a bit of the verbiage in the control. It starts with "Information security ASPECTS OF business continuity management," and then moves on to the control details with the end focus of "ensure the required level of continuity for information security during an adverse situation."
Do we need to draw up separate documentation for this control or can we simply defer to the company BCP, particularly the sections regarding data back-up, recovery, and restoration?
Or is this control about only establishing how the processes and procedures of the ISMS would persist through the activation of a BCP, i.e. risk assessments at the time a disaster occurs?
Hope this question makes sense.