
Expert Advice Community


Implementing information security continuity

Guest user    Created: Jun 11, 2020    Last commented: Jun 11, 2020

I have two questions. The first is about the SoA and the selection of control A.17.1.2 Implementing information security continuity.

1. In '06 Statement of Applicability' > 'Implementation method' the entry is [Business Continuity Plan], while in the 'List of Documents ISO 27001 ISO 22301' it is marked that 'Appendix 6 – Disaster Recovery Plan' is the mandatory document for A.17.1.2. I may have understood this wrong, but I am confused about which one should be chosen as the document if A.17.1.2 is deemed applicable?

2. Second, if one deems that disaster recovery should be in place in the company, but A.17 Information security aspects of business continuity management is not applicable, should one use only 'Appendix 6 – Disaster Recovery Plan' to document recovery?

Expert
Rhand Leal Jun 11, 2020

1. In '06 Statement of Applicability' > 'Implementation method' the entry is [Business Continuity Plan], while in the 'List of Documents ISO 27001 ISO 22301' it is marked that 'Appendix 6 – Disaster Recovery Plan' is the mandatory document for A.17.1.2.

The document choice will depend on the ISO standards implemented.

If you are implementing only ISO 27001, the Disaster Recovery Plan document is sufficient to cover the standard's requirements. In case you are implementing ISO 22301, or ISO 22301 and ISO 27001 at the same time, you need to use the Business Continuity Plan (please note that the Disaster Recovery Plan is an annex of the BCP).

For further information, see:

2. Second, if one deems that disaster recovery should be in place in the company, but A.17 Information security aspects of business continuity management is not applicable, should one use only 'Appendix 6 – Disaster Recovery Plan' to document recovery?

The purpose of the Disaster Recovery Plan is to document how your IT infrastructure is to be recovered; it does not have the purpose of recovering the business parts of the organization. By the way, from our experience, a large majority of companies find the controls from section A.17 applicable.
