In the context of digitization, smoothly functioning information and communications technology (ICT) is essential for maintaining business processes. Even the shortest outages and disruptions are often accompanied by severe financial losses. Attackers exploit this damage potential when they encrypt data and systems in sophisticated ransomware attacks and only release them after high ransoms have been paid.

Updates to the international standards for information security, ISO 27001 and ISO 27002, are now intended to put a stop to this development: Security Measure (Control) 5.30 "ICT readiness for business continuity" in Annex A requires companies to ensure the availability of ICT even in the event of a disruption. The new ISO 27001:2022 sends a strong signal here with its controls and helps companies to arm their organizational structures and security architectures against current threat scenarios. Read what Control 5.30 means for your information security management system and how it will affect future audits in the following blog post.

ICT security in the enterprise: Relevance for today's business processes

Collaboration tools such as Microsoft Teams, cloud applications on the platforms of the major hyperscalers, the use of cloud services, and networked production (Industry 4.0) have become part of everyday life in modern companies, and not just since the coronavirus pandemic. Contemporary information and communication technologies enable fast and efficient workflows and have become irreplaceable tools for maintaining business processes across all industries.

Conversely, this means that the security and availability of ICT have a very high priority and must be systematically monitored and protected against disruptions through appropriate measures and processes in order to guarantee smooth operations and keep potential damage to a minimum. This is becoming increasingly important, especially in times of heightened cyber threats fueled by geopolitical conflicts. A number of tools are available to companies for this purpose; they are explained in general terms below and then considered in the context of Control 5.30 in ISO 27001.

Business Continuity Management

Business continuity management (BCM), for example in accordance with ISO 22301, is a management process that ensures that critical business functions are not interrupted for long during and after a disruption, or can be restarted as quickly as possible, by creating, implementing and testing (emergency) plans and strategies.

The standard describes preventive measures in terms of an (emergency) preparedness organization and emergency planning to increase the reliability of business processes. In addition, reactive measures (disaster recovery) are planned and taken as part of the (emergency) management organization to enable a rapid and targeted response in the event of a disruption to IT processes and to reduce downtime, for example through high ICT security in the company.

BCM as a component of strategic planning involves identifying potential risks and vulnerabilities, assessing the criticality of business processes, developing plans for responding to disruptions, and testing these plans through regular exercises and simulations. The goal of business continuity management is to ensure that a company can respond quickly and effectively to a disruption and to improve the confidence of its stakeholders in its ability to deliver and operate.

Business Impact Analysis

In business continuity management, business impact analysis (BIA) is the method used to capture critical processes and business functions within an organization and identify interdependencies between them and their underlying resources. As such, it is a strategic process that helps identify and assess the impact of disruptions to business activities. The BIA forms the basis for determining the required restart times.

BIA typically involves assessing the criticality of business processes, identifying the resources required to support those processes, and determining the impact of disruptions on those processes and resources. The analysis helps organizations understand the potential impact of disruptions and prioritize their response and recovery efforts accordingly.

The results of a BIA can inform the development of a business continuity plan (BCP) and other risk management strategies to ensure that the organization is better prepared to manage unexpected events and minimize their impact through the high availability of systems and structures.

Further recommendations for conducting a business impact analysis (BIA) can also be found in the ISO/TS 22317 guide.

ISO 27001:2022 as the backbone of business continuity

Information and communications technology (ICT) has a significant impact on business continuity in the enterprise. Disruptions can have serious consequences, especially in the area of critical infrastructures (CRITIS). For this reason, Control 5.30 "ICT readiness for business continuity" in Annex A of the new ISO/IEC 27001:2022 is of great importance.

The purpose of the control is to ensure the high availability of critical ICT systems on the basis of business continuity objectives and the ICT continuity requirements derived from them, which are then implemented and reviewed. This involves defining impact types and impact criteria within the BIA process.

On this basis, priority operating activities are identified to which a recovery time objective (RTO) is assigned. The BIA then determines which resources are required for these prioritized activities and assigns them an RTO as well. A subset of these resources will include ICT services. In addition, recovery points (RPO = Recovery Point Objective) and their intervals should also be defined for the prioritized ICT resources.

Based on the results of all these processes, companies must identify and select ICT continuity strategies that take into account options for the time before, during and after a disruption. Based on this, continuity plans (including response and recovery procedures) are developed, implemented and tested to meet the required ICT readiness.

In this context, reference should also be made to the ISO standard ISO/IEC 27031, a guide to ICT readiness for business continuity, which provides companies with recommendations for ensuring the availability of ICT systems.

Impact of Control 5.30 on certification

To be certified to the revised ISO 27001:2022 standard, organizations must ...

  • Have an adequate organizational structure to prepare for, contain, and respond to an incident. This also requires personnel with the necessary responsibility, authority and competence.
  • Have developed binding ICT continuity plans, including response and recovery procedures, detailing how the organization intends to deal with a disruption of ICT services. These plans must be approved by senior management and regularly assessed through exercises and audits.
  • Record the following information in their continuity plans:
    - Performance and capacity specifications to meet the requirements and sustainment objectives established in the BIA.
    - RTO of each prioritized ICT service and the procedures for restoring those components.
    - RPO of the prioritized ICT resources defined as information, and the procedures for recovering that information.
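The RTO/RPO derivation described above and the plan contents just listed, as an added example that is not from this blog post or from DQS: a small Python model in which each ICT resource inherits the strictest RTO and RPO of the prioritized activities that depend on it, and the continuity plan's demonstrated recovery capability is then checked against those targets. All activity names, resource names and hour values are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Activity:
    """Prioritized operating activity from the BIA (constructed sample)."""
    name: str
    rto_h: float                 # recovery time objective, hours
    rpo_h: float                 # tolerable data loss, hours
    resources: list[str]         # ICT resources the activity depends on

@dataclass
class Capability:
    """What the continuity plan can actually deliver for one ICT resource."""
    recovery_time_h: float       # restore time demonstrated in exercises
    backup_interval_h: float     # spacing of recovery points

def derive_resource_targets(activities):
    """Each ICT resource inherits the strictest (minimum) RTO and RPO of the
    prioritized activities that depend on it."""
    targets = {}
    for act in activities:
        for res in act.resources:
            rto, rpo = targets.get(res, (float("inf"), float("inf")))
            targets[res] = (min(rto, act.rto_h), min(rpo, act.rpo_h))
    return targets

def check_plan(targets, capabilities):
    """One finding per resource whose documented capability misses its
    RTO or RPO, or that has no recovery procedure at all."""
    findings = []
    for res, (rto, rpo) in sorted(targets.items()):
        cap = capabilities.get(res)
        if cap is None:
            findings.append(f"{res}: no recovery procedure (RTO {rto}h, RPO {rpo}h)")
            continue
        if cap.recovery_time_h > rto:
            findings.append(f"{res}: restore {cap.recovery_time_h}h exceeds RTO {rto}h")
        if cap.backup_interval_h > rpo:  # worst-case loss = interval between recovery points
            findings.append(f"{res}: backup interval {cap.backup_interval_h}h exceeds RPO {rpo}h")
    return findings

ACTIVITIES = [  # constructed sample BIA; names and numbers are illustrative only
    Activity("order processing", 4, 1, ["ERP", "AD/identity", "WAN"]),
    Activity("payroll", 72, 24, ["ERP", "AD/identity"]),
    Activity("customer portal", 8, 2, ["web tier", "AD/identity", "WAN"]),
]
CAPABILITIES = {  # constructed sample plan data from exercises and backup schedules
    "ERP": Capability(recovery_time_h=6, backup_interval_h=1),
    "AD/identity": Capability(recovery_time_h=2, backup_interval_h=24),
    "web tier": Capability(recovery_time_h=4, backup_interval_h=1),
}
```

Running `check_plan(derive_resource_targets(ACTIVITIES), CAPABILITIES)` on this sample reports three gaps: the identity service's backups are too infrequent for its inherited RPO, the ERP restore time misses its inherited RTO, and the WAN has no recovery procedure documented at all.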

ICT Security for Business Continuity - Conclusion

The prominent example of the attack on the Anhalt-Bitterfeld administration, as a result of which municipal citizen services were unavailable for weeks or, in some cases, months, demonstrates the high relevance of information and communications technology in today's world. However, the example also shows how important continuity and established emergency plans are.

The security measure Control 5.30 "ICT readiness for business continuity" is therefore an important aspect in the revised information security standards ISO/IEC 27001:2022 and ISO/IEC 27002:2022 to strengthen the resilience of companies.

However, during implementation organizations sometimes struggle to assess the criticality of the deployed information and communication technologies and their risk potential, which in turn directly affects the prioritization chain. BIA and risk analysis are, so to speak, the backbone of business continuity management. In the run-up to certification, it is therefore worthwhile working with experienced specialists to put your own business continuity efforts and the availability of your ICT solutions to the test and optimize them.

DQS: Your reliable partner

Thanks to the transition periods, companies have enough time to adapt their information security management according to the new requirements and to have it certified. However, the duration and effort of the entire change process should not be underestimated. If you want to be on the safe side, it is better to deal with the new requirements and the transition to the new standard sooner rather than later.

Author
Hans-Jürgen Fengler

Hans-Jürgen Fengler is an expert and product manager for business continuity management systems (ISO 22301), a specialist for the BSI Criticality Ordinance (BSI-KritisV) and an auditor for regulations in the field of information security.
