This rule is about ICT Readiness for Business Continuity, which means the IT team has planned, implemented and tested how its systems will keep running, or be recovered, during a disruption.
What is ISO 27001 Annex A 5.30?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In the ISO/IEC 27001:2022 Standard the control is titled “ICT Readiness For Business Continuity”.
What is the ISO 27001 Annex A 5.30 control objective?
The formal definition and control objective in the standard is: “ICT readiness should be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.”
What is the purpose of ISO 27001 Annex A 5.30?
The purpose of ISO 27001 Annex A 5.30 is “To ensure the availability of the organisation’s information and other associated assets during disruption.”
Is ISO 27001 Annex A 5.30 Mandatory?
ISO 27001 Annex A control 5.30 (ICT Readiness For Business Continuity in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.
The mandatory part of the standard requires you to consider ISO 27001 Annex A 5.30 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.
Key Parts of the Rule
To follow this rule, you should have clear plans and policies. Here are some important steps:
The best way to put ISO 27001 Annex A 5.30 (ICT Readiness for Business Continuity) into action is to follow the guidelines of the business continuity standard, ISO 22301.
This control asks you to understand what you need and then put plans in place to prepare your ICT systems. This means having a suitable structure with the right people and teams. These people must have the authority, competence and responsibility to prepare for, handle and reduce the impact of disruptions when things go wrong.
Key Steps You Must Take
- Do a Business Impact Assessment (BIA): You will need to complete a BIA. This analysis helps you understand how a disruption would harm your business.
- Create and Test Plans: You must write plans for how your ICT systems will keep working, how you will respond to an event, and how you will recover. You must test these plans regularly to check that they work, and your managers must approve them.
- Include Technical Details in Plans: In those plans, you will include details of how well your systems must perform to meet the goals you set in your BIA. Your plans must include:
  - Recovery Time Objectives (RTO): These are the targets for how quickly you need to restore or recover specific ICT components.
  - Recovery Point Objectives (RPO): You will define this target for how current your restored data must be. You must also have procedures for restoring information.
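As an added illustration (not from the original page or the standard) of how exercise evidence is checked against BIA-derived RTO and RPO targets, the Python script below uses constructed system names and a constructed exercise log; it also flags a system that has targets but no exercise record, since an untested plan is a gap in its own right.

```python
from datetime import datetime, timedelta

# Constructed BIA-derived targets for hypothetical systems: name -> (RTO, RPO).
BIA_TARGETS = {
    "erp":  (timedelta(hours=4), timedelta(hours=1)),
    "mail": (timedelta(hours=8), timedelta(hours=4)),
    "web":  (timedelta(hours=2), timedelta(hours=24)),
    "hr":   (timedelta(hours=24), timedelta(hours=24)),  # no exercise record below
}

# Constructed disaster-recovery exercise records (not real data), one per line:
# system,last_successful_backup,disruption_start,service_restored (ISO 8601, UTC)
DR_TEST_LOG = """\
erp,2024-03-10T07:30:00,2024-03-10T08:00:00,2024-03-10T11:00:00
mail,2024-03-10T02:00:00,2024-03-10T08:00:00,2024-03-10T18:30:00
web,2024-03-09T23:00:00,2024-03-10T08:00:00,2024-03-10T09:15:00
"""

def parse_test_log(text):
    """Return {system: (last_backup, disruption_start, restored)} as datetimes."""
    records = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        system, backup, start, restored = [f.strip() for f in line.split(",")]
        records[system] = tuple(datetime.fromisoformat(t) for t in (backup, start, restored))
    return records

def evaluate_readiness(targets, records):
    """Compare each system's exercise result against its BIA targets.
    Achieved RTO = disruption start -> service restored.
    Achieved RPO = age of the last successful backup at disruption start (data-loss window).
    A system with targets but no record is reported as untested."""
    findings = {}
    for system, (rto, rpo) in targets.items():
        if system not in records:
            findings[system] = {"tested": False, "gaps": ["no exercise evidence"]}
            continue
        backup, start, restored = records[system]
        achieved_rto, achieved_rpo = restored - start, start - backup
        gaps = []
        if achieved_rto > rto:
            gaps.append(f"RTO missed: {achieved_rto} > {rto}")
        if achieved_rpo > rpo:
            gaps.append(f"RPO missed: {achieved_rpo} > {rpo}")
        findings[system] = {"tested": True, "achieved_rto": achieved_rto,
                            "achieved_rpo": achieved_rpo, "gaps": gaps}
    return findings

if __name__ == "__main__":
    for system, f in evaluate_readiness(BIA_TARGETS, parse_test_log(DR_TEST_LOG)).items():
        print(system, "OK" if not f["gaps"] else "; ".join(f["gaps"]))
```

The per-system findings are the kind of record an auditor asks for under "proof that the process works": each gap points at either a target that the plan cannot yet meet or a plan that has not been exercised.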
What an Auditor Will Check
An auditor will want to see proof that you are following these rules. They will look for:
1. Your Written Plans
The auditor will check that you have written down your plans for business continuity (keeping things running) and disaster recovery (recovering after a crisis). They will check that you have reviewed and approved these documents. The most important thing is that your documents show what you actually do, not just what you think sounds good.
2. Proof That the Process Works
You need to show the auditor proof that your process works. They will ask you for evidence of how you handled information security during a problem or break in service. For that example, you will walk them through the steps you took. This is your chance to show that you followed the process and that the process was successful.
3. Learning From Mistakes
The auditor will check that you write down what you learned from any problems. They will see if you used these lessons to make continual improvements to your system. They will also check your records of incidents and the corrective steps you took to fix them.