ISO 27001 Information Security Management Standard - Clause A.17

Posted by Craig Thornton

Part 36 - A17 Information Security Aspects of Business Continuity Management

Business continuity management (BCM) is a hot topic at the moment.

From Wikipedia: “Business continuity planning (or business continuity and resiliency planning) is the process of creating systems of prevention and recovery to deal with potential threats to a company. In addition to prevention, the goal is to permit ongoing operation, before and during execution of disaster recovery.”

The clause starts with information security continuity.


A.17.1 Information Security Continuity

The objective of this clause is to ensure that information security continuity is embedded in your organisation's business continuity planning systems, rather than handled as a separate afterthought.

Here at Mango we have a detailed business continuity planning system. We have created a Business Continuity Plan (BCP). We involved a wide range of employees and contractors to get the plan together.

The Mango BCP is quite comprehensive and covers the following topics:

  • Company Employees
  • Disaster Recovery Team
  • Office Infrastructure
  • Applications, Hardware and Data
  • Customers
  • Post emergency process
  • Servers and PC Details

Once in place, we tested sections of the plan to ensure the details were correct and that people were prepared. With our Head Office in a major earthquake zone, business continuity is something we plan for with the knowledge that things out of your control can happen at any time.

The Mango BCP is reviewed and tested annually. An event in Mango reminds us to conduct the review and the testing of the plan.

A.17.2 Redundancies

The objective here is to ensure the continued availability of information processing facilities. In practice, you need to build enough redundancy into those facilities that your availability requirements are still met when something fails.

Here at Mango we worked hard with our IT suppliers to build sufficient redundancy into our processing facilities. This redundancy was also documented in our BCP.

Takeaways

  1. Create a BCP.
  2. Involve as many people and contractors as you can to get the BCP in place.
  3. Test each area of the plan with your employees and contractors to ensure everyone is prepared.
  4. Work with your IT suppliers to ensure there is plenty of redundancy in your processing facilities.
