Controls A.17.1
1 - How to define the information security controls within the activities of the continuity plan? I do not understand whether it is necessary to define in each activity how the security of the information would be ensured, or to have a general section in the continuity plan where I mention that the information security controls established in the production environments are applied in all activities.
Answer: The easiest way to comply with A.17.1 is to list all security processes within your company, and ensure these processes are covered by the Disaster Recovery Plan. In other words, do not focus on security controls, but focus on security processes.
To see what a Disaster Recovery Plan compliant with ISO 27001 looks like, please take a look at this template: https://advisera.com/27001academy/documentation/disaster-recovery-plan/
For further information, see:
- Disaster recovery vs Business continuity https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/
2 - Additionally, how is it proven that there are information security controls in the continuity plan?
Answer: The easiest way is to include references to the controls described in ISO 27001 Annex A in the Disaster Recovery Plan document. For example, in the above-mentioned template, you can add a section listing the controls covered by the actions defined in the plan.
For example, if your plan includes activities for recovery of access control, then you can include the reference "Controls from ISO 27001 Annex A.9".
Dec 03, 2021