Requirement for Policy for Business Continuity
Dejan said the [Strategy for business continuity] I can exclude if we don’t want to become compliant with ISO 22301. This means to me it isn’t part of ISO 27001. What about the [policy for business continuity]: is it also just a part of ISO 22301 or is it a part of ISO 27001 too (for example A.17 out of the ISO 27001 standard, but for that Dejan said the emergency management plan is enough and covers chapter A.17)? Which part of the standard talks about having a [policy for business continuity]? I can’t find the policy in the toolkit either.
Answer:
ISO 27001 does not require a Policy for Business Continuity. This policy is a requirement only for ISO 22301. Since one of the objectives of the toolkit is to avoid excessive work on documents, we did not include such a policy in the ISO 27001 documentation toolkit (the Disaster Recovery Plan template included in the toolkit is enough to cover the requirements of ISO 27001 A.17).
This article will provide you with further explanation about implementing business continuity in an ISO 27001 ISMS:
- How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/
Oct 17, 2018