Implementing information security continuity
1. In ‘06 Statement of Applicability’ > ‘Implementation method’ the entry is [Business Continuity Plan], while in the ‘List of Documents ISO 27001 ISO 22301’ it is marked that
’Appendix 6 – Disaster Recovery Plan’ is a mandatory document for A.17.1.2.
The document choice will depend on the ISO standards implemented.
If you are implementing only ISO 27001, the Disaster Recovery Plan is sufficient to cover the standard's requirements. If you are implementing ISO 22301, or ISO 22301 and ISO 27001 at the same time, you need to use the Business Continuity Plan (please note that the Disaster Recovery Plan is an annex of the BCP).
For further information, see:
- Business Continuity Management vs. Information Security vs. IT Disaster Recovery https://advisera.com/27001academy/blog/2017/02/27/business-continuity-management-vs-information-security-vs-it-disaster-recovery/
2. Second, if it should seem that disaster recovery should be in place in the company but A.17 Information security aspects of business continuity management is not applicable, should one use only ’Appendix 6 – Disaster Recovery Plan’ to document recovery?
The purpose of the Disaster Recovery Plan is to document how your IT infrastructure is to be recovered; it does not have the purpose of recovering the business parts of the organization. By the way, from our experience, a large majority of companies find the controls from section A.17 applicable.
Jun 11, 2020