ISO 27001 and the Annex Clauses - Clause A17 Business Continuity
According to Wikipedia, business continuity is defined as "the capability of an organization to continue the delivery of products or services at pre-defined acceptable levels following a disruptive incident". Business continuity planning is the planning work that goes into the systems and processes you need to put in place to account for those disruptive incidents, so that your organisation keeps going and you continue to provide your products or services.
We are based in Christchurch, NZ, which had devastating earthquakes in 2010 that levelled the city. Many organisations didn't have any contingencies for a total loss due to earthquakes, or for the loss of all the city infrastructure: phone lines, water supplies, drainage. Cloud-based computing and fibre broadband weren't yet prevalent, so when the earthquakes hit, many businesses' continuity plans just didn't work. Today, you would hope they would fare better and have sound business continuity plans for a range of events.
It shouldn't surprise you, then, that ISO27001:2013 for Information Security Management Systems (ISMS) has a requirement for you to look at business continuity, specifically around the aspects of your information security; that's what Annex A, clause A17 is all about.
A17.1 – Information security continuity
The objective for this section of the clause is simple: "Information security continuity shall be embedded in the organization's business continuity management systems".
In other words, when you build your business continuity plan, you need to have your information security at the heart of it, to ensure that you don't compromise security in the event of a disruptive incident. The clause breaks things down into three sections that are designed to give you a blueprint of the steps to take.
A17.1.1 – Planning information security continuity
Like all good plans, taking the time to actually do the planning up front is the key, and this is what this part of the clause is asking you to do. You need to understand what your organisation's requirements are in terms of your information security, and the continuity of that information security in the event of a disruptive incident. Firstly, you need to think about what those 'disruptive incidents' could be: is it mother nature with a hurricane, a flood, an earthquake or perhaps a local wildfire? What if the power is just out for 2 days, or your building burns down or is broken into? All of these and many more scenarios are things you would expect to see within a plan. Once you have the scenario, it's time to think about the impact that event would have on your information security management system.
A17.1.2 – Implementing information security continuity
The next part of the process for ISO27001's business continuity requirements is to document, implement and, of course, maintain the plans and processes that you have determined you will need to ensure continuity of your information security. It may be one overarching plan that covers all eventualities, or it may be a series of plans based on the different incident types, the latter being more likely (and more useful).
Don't forget that implementing them means more than just documenting and publishing them: it means ensuring people are aware of them, that they are trained in their part of the plan, and that you have put in place any extra requirements the plans have called for.
A17.1.3 – Verify, review and evaluate information security continuity
You will no doubt have heard the phrase "trust but verify"; well, that's effectively what this last part of Annex clause A17.1 of ISO27001 is asking you to do, with the emphasis on the verify. There is no point having great plans if you don't know they work. You need to stress test them, run evaluations and see if the plan actually produces the results that you expect. Out of those evaluations you need to review what worked and what didn't; if it didn't work, fix it and go again.
A17.2 – Redundancies
The redundancies section is all about having some redundancies in place for a range of eventualities. When we talk about redundancies, we mean more than just your server back-ups!
A17.2.1 – Availability of information processing facilities
The control that ISO27001:2013 talks about here is having sufficient redundancy capabilities at your information processing facilities to meet the availability requirements you have should things go wrong. Keep in mind that your processing facility is effectively anywhere you manage information (not just electronic data); that means it could be your servers or your cloud system, but it could equally be your document library, your computers and laptops, or any other areas where you process your information. You need to consider how you ensure you have sufficient redundancies built into your systems that can kick in should an unexpected event happen.
As always when thinking about information security management, it's not just about handing it over to your IT team or supplier and saying "solve this". Your IT infrastructure is only part of it; information is also physical, and you should consider this as well.
© Many Caps Consulting | All Rights Reserved