We’re still working on the Statement of Applicability. How do we need to handle the implementation method of control A.17.2.1? The template says: recovery-strategy for IT-infrastructure. No comment from your side and no template about it. Can you explain a bit more?
Reference to Recovery strategy for IT infrastructure in the Statement of Applicability is needed only for companies that want to be compliant with ISO 22301 together with ISO 27001. If you are going for ISO 27001 only, we do not recommend you to do the Recovery strategy for IT infrastructure because it will complicate the whole process - instead, for the control A.17.2.1 we recommend that you refer to Disaster Recovery Plan - you can find it in your toolkit in the folder 08 Annex A - A.17 Business continuity..