Unraveling the Mystery of Annex A.17 in ISO 27001


One of the most puzzling aspects of implementing ISO 27001 is tackling Annex A.17, which addresses business continuity management. How does business continuity relate to information security, and why is it part of ISO 27001 at all? Unfortunately, ISO 27001 itself says very little about how business continuity should be done. (The A.17 numbering is that of ISO/IEC 27001:2013; the 2022 revision regrouped the same requirements into controls 5.29, 5.30 and 8.14, but the substance discussed here is unchanged.)

To complicate matters, the title of A.17 is "information security aspects of business continuity management." Read literally, this only requires that a company's information security controls keep operating after an incident. In practice, however, information security has nothing to protect if the core business and IT processes have stopped, so companies generally plan business continuity for all critical operations, both business and IT, rather than for security controls in isolation.

Similarities Between ISO 27001 and ISO 22301

Information security and business continuity share a crucial commonality: they both protect information availability. This is why ISO 27001 includes business continuity controls in its Annex A.

ISO 22301 is the leading international standard for business continuity management. Like all ISO management standards, it follows the Plan-Do-Check-Act cycle, incorporating similar management elements such as document control, internal audits, corrective actions, management review, and training & awareness.

If you have implemented these elements for ISO 27001, you have already built most of what ISO 22301 requires for managing the system; the main remaining work is in the business continuity content itself. Other elements of ISO 27001, such as risk management, are also compatible with ISO 22301 and can be reused with little change.

Key Differences

ISO 27001 is relatively sparse when it comes to business continuity documentation. Essentially, a single Disaster Recovery Plan is enough to cover controls A.17.1.2 (implementing information security continuity) and A.17.2.1 (availability and redundancy of information processing facilities), provided it also satisfies the neighbouring controls: A.17.1.1 asks you to determine what must be kept running during a disruption, and A.17.1.3 asks you to verify the plan at regular intervals. An untested plan, however well written, will not get you through an audit of A.17.

Conversely, ISO 22301 requires more comprehensive documentation, covering core business continuity elements such as:

  • Business Continuity Policy: Defining the purpose and scope of business continuity.

  • Business Impact Analysis (BIA): Assessing the impact of disruptions.

  • Business Continuity Strategy: Developing strategies to maintain operations.

  • Business Continuity Plans: Structuring detailed plans to resume operations.

  • Exercising and Testing: Conducting drills and tests to ensure preparedness.

Practical Implementation

While ISO 27001 allows for minimal business continuity documentation, realistically, more thorough preparation is necessary. ISO 22301 provides the know-how for this.

The best approach is to integrate ISO 22301 elements into your ISO 27001 implementation as a sub-project. Implement your ISO 27001 framework, and when addressing section A.17, incorporate the core business continuity elements from ISO 22301.

Since the other elements of ISO 22301 align with ISO 27001, you will essentially implement both standards at once. In the author's experience, this additional effort amounts to only about 10% on top of a full ISO 27001 implementation, though the exact figure depends on how many critical processes the business impact analysis turns up.

Conclusion

While compliance with section A.17 in ISO 27001 can be achieved with a single, regularly tested Disaster Recovery Plan, ISO 22301 offers a more comprehensive approach. It prepares your company to continue critical operations if a real disaster occurs. Given the modest extra effort required, the benefits are well worth it.