ISO 27001:2022 - A.5 Organisational Controls (Business Continuity)

Mark O'Kane | Consultant at URM | Published on 18 July 2025

ISO/IEC 27001:2022 offers a structured approach to managing the wide range of information security risks faced by organisations, and the Annex A controls provide a catalogue of 93 controls grouped into four categories: organisational, people, physical, and technological.

Two of the organisational controls describe the measures needed to ensure the confidentiality, integrity and availability (CIA) of information assets during a severe business disruption.

  • A.5.29 – Information security during disruption
  • A.5.30 – ICT readiness during disruption

In this blog, we will consider why business continuity is important with respect to information security, and how you can implement the ISO 27001 business continuity controls to ensure that you are able to protect, maintain access to, and recover your critical information assets during disruption.

Why are the ISO 27001 business continuity controls important?

In a previous blog on ISO 27001:2022 - A.5 Organisational Controls (Incident Management), we looked at how incident management plays an integral role in helping organisations to effectively manage and prioritise information security incidents.  This prioritisation is important because, whilst incidents do occur all the time, not all incidents have the same level of impact.  When incidents are relatively benign, they can often be resolved quickly and with little impact.  However, some incidents are so severe that they can seriously impact an organisation’s ability to deliver its products and services.  To prepare for this possibility, organisations need to determine what types of incidents could cause an unplanned disruption to their business, how they will continue their core operations if these disruptions occur, and what steps are required to recover from those disruptions.

Whilst every organisation is different, some of the most common disruptions organisations prepare for include:

  • Loss of a member of the senior management team or individual critical to operations
  • Loss or destruction of physical premises
  • Loss of critical IT systems
  • A cyber attack
  • A supply chain attack
  • Loss of staff due to a pandemic

When organisations are determining which disruptions they need to prepare for, they also need to consider the impact a disruption could have on the security (i.e., the CIA) of their business data, and what they need to do to restore these three properties to a desirable level. The purpose of Annex A controls 5.29 and 5.30 is to help you achieve this by protecting your organisation’s information and related assets, and ensuring their availability during a disruption.

What are the different types of business continuity controls?

According to ISO 27002:2022, A.5.29 is categorised as both a preventive control and a corrective control. A.5.30 is categorised as a corrective control.

  • Preventive controls are intended to stop an information security incident from occurring or at least reduce the likelihood of an incident.
  • Corrective controls are intended to close off or resolve a security incident or issue that has already occurred.

Hints and tips on implementing the A.5 business continuity controls

A.5.29 – Information security during disruption

During a business disruption, it is highly likely that the confidentiality, integrity and, particularly, the availability of your organisation’s data will be significantly diminished or even lost. This control requires you to prepare for this possibility by planning how you will maintain a minimum level of security for your data, or restore it, whilst the disruption is still ongoing. This includes considering how your existing security measures will be affected, identifying any additional security risks the disruption introduces, and determining the additional measures needed to mitigate those risks. These additional measures should also be documented in your business continuity plan (BCP). To take an example, if your physical premises are destroyed by a natural disaster:

  • Will your staff have a secure internet connection they can use to work from home?
  • Will they all have a suitable environment in which to work?
  • How will your onsite assets and operations be affected (e.g., equipment, documents, work activities)? Will you have redundancy available if these are destroyed or damaged?

Another important requirement is to define how your information security management system (ISMS) processes and regular activities will be carried out during a disruption.  Can they be executed in the same way as before, or will they need to be adjusted during the disruption?  For example, if you are onboarding new employees whilst awaiting a new premises, you should refer to your onboarding process and define whether inductions will be conducted remotely or at another location.  Whatever your requirements are, it is recommended that you incorporate these into your BCP.

A.5.30 – ICT readiness for business continuity

As an extension to A.5.29, this control requires you to ensure in advance that the ICT resources you need in order to continue operating during (and recover from) a major disruption are available and are tested on a regular basis.

Once your business impact assessment (BIA) has been completed and a BCP created, your ICT function needs to determine how your required ICT resources will be maintained or recovered if a disruption occurs. Following this, you need to ensure they are appropriately implemented in your organisation and that each resource has a defined recovery time objective (RTO). This is often documented in a disaster recovery plan (DRP), which should complement your BCP. The BCP scenarios (including those that are ICT-related) should also be tested regularly, to confirm that the ICT and information security requirements placed on those resources are being upheld.

Closing thoughts

Business continuity is an essential business practice; it determines whether or not an organisation can continue to operate during a disruption and recover from that disruption.  Furthermore, when a business disruption occurs, regardless of the scenario, the security of your information will be at stake.

By preparing for serious disruption and considering the information security implications it could have, your organisation can reduce the impact of such disruption on its data.  In doing so, you will be much better placed to maintain and restore the CIA of your organisation’s critical data, and ensure as seamless and controlled a recovery as possible.

How URM can Help

Consultancy

With more than 400 successful ISO 27001 implementation projects behind us over the course of 2 decades, URM is the ideal partner to support your organisation in its efforts to achieve or maintain conformance/certification to the Standard.  Our team of experienced and highly qualified consultants can offer your organisation a range of tailored ISO 27001 support services to help you meet the Standard’s requirements in full.  

To establish your current level of conformance and which areas require improvement, we can begin by conducting an ISO 27001 gap analysis.   We can also assist you to conduct your ISO 27001 risk assessment using our proven risk assessment tool, Abriska™ 27001, and work with you to develop policies, processes and ISMS infrastructure that are both ISO 27001 conformant and aligned with your organisation’s unique culture and needs.  Once the ISMS has been implemented, URM can provide a range of ISO 27001 internal audit services, including conducting an internal audit ahead of your certification assessment to ensure conformance, planning and implementing a full 3-year audit programme that is aligned with the Standard’s requirements, or auditing more specific aspects of the ISMS.

URM can also provide tailored business continuity guidance and expertise, including BIA support with our business continuity management tool, Abriska™ 22301, helping you to produce BCPs, creating and facilitating BC exercises, and supporting your conformance/certification to ISO 22301, the International Standard for Business Continuity Management.

Training

In addition to our consultancy services, URM also regularly delivers a range of ISO 27001-related training courses.  Our Introduction to ISO 27001 Course explores all aspects of information security and the importance of ISO 27001 in protecting information, whilst our 2-day ISO/IEC 27001:2022 Transition Course covers both the changes seen in the latest version of the Standard and how to implement them.  Or, to gain an industry-recognised information security qualification, attend URM’s Certificate in Information Security Management Principles (CISMP) Training Course, which will fully prepare you to sit and pass the BCS invigilated examination.

Mark is an Information Security Consultant at URM with significant experience working with ISO 27001 and other GRC security frameworks and services.
