Expert Advice Community

Guest user Created:   Dec 28, 2016 Last commented:   Dec 28, 2016


Why do we, or why do we not, need to include the Business Continuity Plan in the ISO 27001 certification? Can we omit it?

Expert
Rhand Leal Dec 28, 2016

Answer: You need to include the Business Continuity Plan as an information security control, considering ISO 27001 certification, only if one of these situations applies:

- There is a law, contract or other legal requirement requiring you to have a business continuity plan for information security
- The Business Continuity Plan for information security is considered a control to address risks identified as unacceptable in your risk assessments
- Your organization decides to implement a Business Continuity Plan for information security as a best practice

If none of these situations applies, your organization does not need to implement a Business Continuity Plan for information security. In our experience, I could say to you that approximately 90% of the companies are including this control in their ISO 27001 implementation.

If your organization decides to select this control, you should use the "Disaster Recovery Plan" from the toolkit to be compliant with ISO 27001.

In the video tutorials that came with your toolkit, you will see information about risk assessment, risk treatment and how to identify applicable controls.
