ISO 27001:2022 A.5.30 ICT readiness for business continuity

This article provides additional information on how you can meet the requirement of ISO 27001:2022 A.5.30, ICT readiness for business continuity.

ISO 27001:2022 Control Description

ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.

Purpose

To ensure the availability of the organisation’s information and other associated assets during disruption.

Guidance

ICT readiness for business continuity is a crucial component in business continuity management and information security management to ensure that the organisation’s objectives can continue to be met during disruption.

The ICT continuity requirements are the outcome of the business impact analysis (BIA). The BIA process should use impact types and criteria to assess the impacts over time resulting from the disruption of the business activities that deliver products and services. The magnitude and duration of the resulting impact should be used to identify prioritised activities, each of which should be assigned a recovery time objective (RTO). The BIA should then determine which resources are needed to support the prioritised activities. An RTO should also be specified for these resources, which should include ICT services.

The BIA involving ICT services can be expanded to define the performance and capacity requirements of ICT systems and the recovery point objectives (RPO) of the information needed to support activities during disruption. In practice the RPO bounds the acceptable data loss, so the backup or replication interval for each prioritised information asset must be no longer than its RPO.

Based on the outputs from the BIA and the risk assessment involving ICT services, the organisation should identify and select ICT continuity strategies that consider options for before, during and after disruption. The business continuity strategies may comprise one or more solutions. Based on these strategies, ICT continuity plans should be developed, implemented and tested to meet the required availability level of ICT services within the necessary timeframes following an interruption to, or failure of, critical processes.

The organisation should ensure that:

a) an adequate organisational structure is in place to prepare for, mitigate and respond to a disruption, supported by personnel with the necessary responsibility, authority and competence;

b) ICT continuity plans, including response and recovery procedures detailing how the organisation plans to manage an ICT service disruption, are:
  1. regularly evaluated through exercises and tests;
  2. approved by management;

c) ICT continuity plans include the following ICT continuity information:
  1. performance and capacity specifications to meet the business continuity requirements and objectives specified in the BIA;
  2. the RTO of each prioritised ICT service and the procedures for restoring those components;
  3. the RPO of the prioritised ICT resources defined as information, and the procedures for restoring this information.

When the plans are exercised, the achieved recovery time and data loss should be measured against the RTO and RPO recorded in the plan; a plan that has never been tested against its own objectives gives no assurance that those objectives can be met.

Other Information

Managing ICT continuity forms a key part of business continuity requirements concerning availability, to:

a) respond to and recover from disruption to ICT services, regardless of the cause; 

b) ensure the continuity of prioritised activities supported by the required ICT services; 

c) respond before a disruption to ICT services occurs and upon detection of at least one incident that could result in a disruption to ICT services.