Hi. I am currently working on a project - Implementing Iso27001 for the IT department (Support function- No. of employees is 6) of an organisation. I need clarification regarding the control " Information Security Aspects of Business Continuity". would this be applicable to them ? they are just in the planning phase of DRP and they do not have BCP in Place as of now.
Information Security Aspects of Business Continuity is not a control, is a domain (domain A.17) composed by the controls A.17.1.1, A.17.1.2, A.17.1.3, and A.17.2.1. These controls are basically for implement a Business Continuity Plan or a Disaster Recovery Plan in your business. We recommend you to develop a Disaster Recovery Plan because it is related to the Infrastructure IT, so you can find a template for this here (you can see a free version clicking on Free Demo tab) Disaster Recovery Plan : https://advisera.com/27001academy/documentation/disaster-recovery-plan/
Regarding to the applicability, these controls are applicable to your employees if the Di saster Recovery Plan or the Business Continuity Plan can affect their job, and also if they are in the scope of the ISMS. Here is very important the awareness, because each one need to know what to do in case of activation of the plan (DRP or BCP).