This is one of the new controls within ISO27001 that you need to pay careful attention to.  Of course, it should not be reviewed in isolation, but it should be reviewed as part of a series of controls all related to Incident Response and Business Continuity. These controls are;

• A5.24 - Information security incident management planning and preparation.

• A5.25 - Assessment and decision on information security events.

• A5.26 - Response to information security incidents.

• A5.27 - Learning from information security incidents.

• A5.28  - Collection of evidence.

• A5.29 - Information security during disruption.
  

What does the standard require?

The standard states that “ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.” (A5.30 – ICT Readiness for Business Continuity).

Note again that there are several aspects to this control, where it states that Information and Communication Technology readiness shall be;

• Planned – You should know what ICT is critical to your business

• Implemented – Contingency controls and resilience needs to be in place

• Maintained – It needs to be reviewed regularly for its suitability

• Tested – the ICT readiness needs to be tested to see if it works

Why is this required?

It is pretty obvious, but it most businesses today rely heavily on ICT to conduct their business. If you’re looking at ISO27001, it is undoubtedly because you are concerned about the amount of data, and systems you are using may lead to a security breach of some kind. 

If there is a disruption to the way you process your information, for example because of a network outage, this could severely affect your business and your reputation.

What the auditor is looking for

Let’s look at each of the requirements of the control and consider what the auditor will expect to see.

ICT readiness shall be planned

The auditor will expect to see some form of Business Impact Analysis (BIA) conducted, whereby you have identified critical resources, including ICT, and analysed the impact on your business, should these be lost for any period of time.  We discussed the BIA process in Annex A control, “A5.24 – Information security incident management planning and preparation.” 

ICT readiness shall be implemented

The auditor will want to see that you have implemented some form of resilience in your ICT infrastructure. So be prepared to talk about back-up systems or components that can be used if an incident occurs.

If you have documented Disaster Recovery Plans (DRP) then now is the time to show how these have been developed and implemented (i.e. communicated) to your business.

ICT readiness shall be maintained

If you have back-up devices and systems, then you’ll need to demonstrate how you maintain these and keep them up to date. For example, if you have a router or laptop stored securely, so that it can be used in an emergency, how are you ensuing that it has the latest software updates on it? Do you turn it on, on a monthly basis and update it?

How about your DRP? Are these updated when there is an infrastructure change?  You’ll need to demonstrate that you have DRPs and resilience in place which is being pro-actively maintained.

ICT readiness shall be tested

Finally, all of this is great, but the auditor will want to see that you are testing these back-up services. For example, if you have two data centres, on a private cloud environment, have you tested to see what happens if you shut one of them down? Does the other data centre pick up the load? Does it work as expected? 

The auditor wants to see that all this planning and implementation will work when required, and let’s be honest, so do you! Don’t leave it to chance – test your DRP and technical resilience.

What do you need to do?

We already discussed how you conduct a BIA, in Annex A Control A5.24 - Information security incident management planning and preparation.  So this is where you need to start.

Conduct a BIA and identify your Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for the business, and then establish how ICT can help achieve this.  For example, if your Finance team state that they can’t function for longer than 24hrs without their finance systems, then the ICT that gives them access to their finance systems has an RTO of less than 24hrs.

You should then work with your ICT function to document how they would recovery these systems, which then becomes your DRP. The DRP will need to be communicated to those who will use the plans, and signed off by them. 

While you’re speaking to your ICT function, ask them about the resilience in the infrastructure and the systems used.   Typically, conversations will lead to discussing the Cloud environment and the levels of resilience in this service. This is a great place to begin the conversation, but go further. Ask about other critical components, like routers, and other hard ware.

Finally, you need to ensure that your resilience and DRPs are tested.  How do you know they’ll work when needed? Only by putting them under some form of technical recovery test can you be completely confident that they’ll operate as expected.

Q & A

What should we include in the DRP?

Your DRP is different from your Incident Response Plans and Business Continuity Plans, because they tend to be more detailed.  But keep in mind that they will be used by technical people, so get the technical team to help you draft the plan. 

Typically plans include details of the following;

• List of critical systems

• Network diagrams

• Configuration settings for key components (e.g. networks, servers etc)

• Processes for restoring back-up data

• Processes recovery of critical aspects of the infrastructure

• Key contract details of critical vendors

Difficulty rating

We rate this a 3 out of 5 difficulty rating. This control requires some technical skills as you will be discussing aspects of ICT, that may be quite technical in nature. For example, discussing the resilience in Cloud services may require detailed discussions and decisions on the levels of resilience or recovery capabilities required.

More questions?

Remember that nothing in ISO27001 sits in isolation, so you should review our ISO27001 FAQs to gain answers to other aspects of the standard. Follow the links in this control to see the relationship in other controls, but if you’re still confused about this control, then please get in touch.

For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001” which is available on Amazon.