When it comes to business continuity, we think of A.17.1 information security continuity in the old ISO27001:2013. In fact, in the new ISO27001:2022, information security continues to be included in A.5.29 information security during service interruption. The emphasis is to ensure the continuity of the three aspects of information security (confidentiality, integrity, availability).
The new control item A.5.30 ICT readiness for business continuity is to introduce the spirit of ISO27031 ICT readiness for business continuity. It is hoped that organizations will use ICT when conducting business impact analysis (BIA). The RTO and steps required to restore services are taken into account and a set of ICT continuity plans are developed to ensure the availability of ICT service/infrastructure information and related assets in the event of any disruption of key operational items.
For example, when we build an ISMS, we often design a situation: if the local data is accidentally deleted, a backup file is evoked from the cloud for remediation. In this scenario, we have to make assumptions: what conditions might cause a "cloud-local" two-way network outage, how much RTO is needed, what steps need to be taken...
These contents must have complete planning, implementation, maintenance, and testing procedures to meet the new requirements of A.5.30 Information and Communication Preparation for Operational Continuity.
Comentarios