ISO 27001:2022 Annex A Control 5.30: ICT Readiness for Business Continuity
Annex A control 5.30 of the 2022 version of the ISO 27001 standard is a new control and therefore cannot be mapped to any control from ISO 27001:2013.
Control 5.20 focuses on the role of ICT services and platforms in business continuity, in the event of a disruption. The Annex defines an organisation’s recovery time objective (RTO) and business impact analysis (BIA), outlining how ICT services interact with them. Information integrity and availability must be maintained before, during and after a business interruption.
Understanding control 5.30
A BIA explores how business continuity is impacted by a disruption of any kind, regardless of impact and the variables involved.
Creating processes and procedures under control 5.30 requires a comprehensive BIA, in order to understand how the organisation should respond to a disruption.
An agreed RTO must set clear goals for the return to normal operation. To achieve this, organisations should consider assessing both the magnitude and the nature of the disruption.
Within their BIA, organisations must be able to identify the services and functions required for recovery, as well as their capacity requirements. Conducting a risk assessment of ICT systems is key to developing an ICT continuity strategy that can be launched before, during, and after an incident.
Processes should be put in place after a strategy has been developed to make sure services can support critical processes both during and after a disruption.
Control 5.30 guidance points
The main guidance points in control 5.30 regarding ICT continuity plans are:
- Senior staff members should make quick IS decisions to expedite the recovery process.
- There should be a strong chain of command in place for business continuity and RTO adherence. It should include competent individuals who can make authoritative decisions.
- Structures must be up to date and communicated widely to encourage adequate communication and fast recovery times.
- Regular testing and evaluation should be part of ICT continuity plans, as well as senior management approval.
- Key metrics should be measured, such as response and resolution times.
- Test runs should take place to measure the effectiveness of systems.
- ICT continuity plans should include the following details:
a. Capacity and performance requirements of any recovery processes.
b. RTOS for all ICT services and plans for how to restore them.
c. Defining a recovery point objective (RPO) for each ICT resource, and creating restoration procedures.
How have things changed since 2013?
As a new control, 5.30 doesn’t feature in ISO 27001:2013 in any capacity.
Ready to Take Control of Your Privacy Compliance?
See how Hicomply can accelerate your path to CAF compliance in a 15-minute demo.