ISO27001 Annex A.17 – Information Security Aspects of Business Continuity Management

ISO 27001 Annex A.17, "Information Security Aspects of Business Continuity Management," is the part of Annex A (ISO/IEC 27001:2013) that requires an organisation to keep its information security controls working through a disruption and to recover its information processing capability afterwards. It has two objectives: A.17.1, Information security continuity (planning, implementing, and verifying continuity arrangements for information security), and A.17.2, Redundancies (availability of information processing facilities). Implementing it gives an organisation better protection of its information and operations during an incident, justified confidence in its ability to recover from disruptive events, and improved overall resilience. The requirements are straightforward to understand and help an organisation meet its information security obligations, reduce risk, and maintain business continuity. In ISO/IEC 27001:2022 the same requirements correspond to controls 5.29 (Information security during disruption) and 8.14 (Redundancy of information processing facilities), alongside the new control 5.30 (ICT readiness for business continuity).


The building blocks of a business continuity program that satisfies A.17, with a simple step-by-step guide to each:

Business Continuity Management Policy
  • This element establishes the organisation's commitment to business continuity and sets the overall direction for business continuity planning and management. It is the starting point for determining the organisation's continuity requirements for information security, which A.17.1.1 requires you to plan.

How to meet this:

Develop a Business Continuity Management Policy:
  • Define the purpose, scope, and objectives of your business continuity management program, and have top management approve the policy.
  • Communicate the policy to all stakeholders, including employees, customers, and suppliers, and keep a record of how and when it was communicated.
Business Impact Analysis
  • This element helps the organisation understand how the impact of a disruption to its operations grows over time and prioritise its recovery efforts accordingly.

How to meet this:

Conduct a Business Impact Analysis:
  • Identify the critical functions and services of your business and the information, systems, people, and suppliers each one depends on.
  • Assess how the impact of a disruption to each function grows over time, and record a recovery time objective (RTO) and recovery point objective (RPO) for each.
  • Prioritise the recovery of critical functions and services in the order these objectives dictate.
Risk Assessment
  • This element helps the organisation identify, assess, and prioritise the risks that could disrupt its operations and information.

How to meet this:

Conduct a Risk Assessment:
  • Identify the potential risks to your operations and information, such as loss of a site, a key system, a supplier, or staff, and security incidents such as ransomware that deny access to data.
  • Assess the likelihood and impact of these risks.
  • Prioritise the risks and determine a risk treatment strategy for each, using the same risk assessment methodology as the rest of your ISMS.
Business Continuity Strategy
  • This element outlines the organisation's approach to continuity planning, including the development of plans and procedures to support the recovery of critical functions.

How to meet this:

Develop a Business Continuity Strategy:
  • Identify the key components of your business continuity management program, such as incident response, business continuity planning, and testing and exercising.
  • Decide what redundancy is needed to meet the availability requirements identified in the business impact analysis, such as duplicated systems, an alternate site, or off-site backups; A.17.2.1 requires this explicitly.
  • Define the roles and responsibilities of key personnel involved in the program.
Business Continuity Plans
  • This element details the specific steps that the organisation will take to recover its operations following a disruptive event.

How to meet this:

Create Business Continuity Plans:
  • Develop detailed plans for the recovery of critical functions and services following a disruptive event, working to the recovery objectives set in the business impact analysis.
  • Include procedures for communication, backup and recovery, and incident response.
  • State which information security controls must stay in force during the disruption (for example access control and logging on fallback systems), because A.17.1.2 requires continuity of information security, not only of the business process.
Testing and Exercising
  • This element ensures that the organisation's business continuity plans and procedures are tested and validated at planned intervals, as A.17.1.3 requires.

How to meet this:

Test and Exercise the Plans:
  • Test and validate your business continuity plans and procedures at planned intervals, including the information security controls they rely on.
  • Conduct tabletop exercises and simulation tests (for example a restore from backup onto a clean system) to assess the effectiveness of your plans, and record the results and any shortfalls found.
Maintenance
  • This element ensures that the organisation's business continuity plans and procedures are kept up to date and relevant to its operations.

How to meet this:

Maintain the Plans:
  • Regularly review and update your business continuity plans and procedures to reflect changes to your operations, systems, suppliers, and risks.
  • Ensure that your plans and procedures are accessible to all stakeholders and can be implemented quickly in the event of a disruption; keep a copy that does not depend on the systems the plan is meant to recover.
Review
  • This element ensures that the organisation's business continuity management program is regularly reviewed and updated to reflect changes to its operations and risks.

How to meet this:

Review the Program:
  • Regularly review your business continuity management program to ensure its effectiveness and identify areas for improvement.
  • Evaluate the results of testing and exercising and incorporate lessons learned into future planning.

These elements work together to help organisations protect their information and operations in the event of an unexpected disruption, improve their overall resilience, and reduce risk.

By following these steps, most businesses can meet ISO 27001 Annex A.17 and improve their overall resilience to disruptive events. Bear in mind that A.17.2.1 is about redundancy of information processing facilities, so the strategy and plans must provide the redundant systems and backups needed to meet availability requirements, not only the procedures for using them.


Documents, Evidence and the Audit

The following documents and records are useful in demonstrating compliance with the control; for each one, the evidence you can present to an auditor is listed:

Business Continuity Management Policy
  • A written policy that outlines the organisation's commitment to business continuity and sets the overall direction for business continuity planning and management.

Demonstrate compliance:

  • Provide a copy of the policy and demonstrate how it has been communicated to all stakeholders.
Business Impact Analysis
  • A document that outlines the critical functions and services of the organisation and the impact of disruptions to these functions and services.

Demonstrate compliance:

  • Provide a copy of the analysis and demonstrate how it was used to prioritise the recovery of critical functions and services.
Risk Assessment
  • A document that outlines the potential risks to the organisation's operations and information and the risk treatment strategy.

Demonstrate compliance:

  • Provide a copy of the assessment and demonstrate how it was used to prioritise risks and determine a risk treatment strategy.
Business Continuity Strategy
  • A document that outlines the key components of the organisation's business continuity management program and the roles and responsibilities of key personnel.

Demonstrate compliance:

  • Provide a copy of the strategy and demonstrate how it informs the organisation's overall approach to business continuity management.
Business Continuity Plans
  • Detailed plans for the recovery of critical functions and services following a disruptive event.

Demonstrate compliance:

  • Provide copies of the plans and demonstrate how they are accessible to all stakeholders and can be quickly implemented in the event of a disruptive event.
Testing and Exercising Reports
  • Reports that detail the results of testing and exercising the organisation's business continuity plans and procedures.

Demonstrate compliance:

  • Provide copies of the reports, together with the schedule of planned tests, and demonstrate how any shortfalls found were fed back into the plans.
Maintenance Logs
  • Logs that track the updates and revisions to the organisation's business continuity plans and procedures.

Demonstrate compliance:

  • Provide copies of the logs and demonstrate how the organisation regularly reviews and updates its business continuity plans and procedures.
Review Reports
  • Reports that summarise the results of regular reviews of the organisation's business continuity management program.

Demonstrate compliance:

  • Provide copies of the reports and demonstrate how the organisation regularly evaluates its business continuity management program and incorporates lessons learned into future planning.

Having this evidence readily available and presenting it in a clear and organised manner helps demonstrate compliance with ISO 27001 Annex A.17 and gives the auditor a clear understanding of the organisation's business continuity planning and management activities.

How can Periculo help?

Periculo can help organisations meet the requirements of ISO 27001 Annex A.17, "Information Security Aspects of Business Continuity Management." This can be achieved through a comprehensive assessment of the organisation's current business continuity management practices and the identification of areas for improvement.

Periculo can then assist in the development of a business continuity management policy, business impact analysis, risk assessment, business continuity strategy, and business continuity plans. Testing and exercising programs can be implemented to validate the organisation's business continuity plans and procedures, and Periculo can provide ongoing maintenance and review to ensure the program remains effective and up to date. With our experience and expertise in business continuity planning and management, Periculo can provide ongoing support and help organisations achieve the benefits of a robust and effective business continuity management program.

Heard of Harpe?

Harpe is a security management system that helps businesses streamline their security processes and automate tasks related to ISO 27001 compliance. It reduces the overhead of manual processes, allowing businesses to focus resources on more pressing needs. With Harpe, businesses can quickly identify risks, manage vulnerabilities, and work towards compliance without having to redesign systems or hire experts. In addition, it provides detailed reporting capabilities that help businesses stay up to date with changing regulations and guidelines. By automating complex processes, Harpe makes it easier for businesses to comply with ISO 27001 requirements while protecting their valuable data.