Smoothly functioning information and communication technology (ICT) is essential for maintaining business processes in the context of digitalization. Even the shortest outages and disruptions are often accompanied by severe financial losses. Hackers exploit this potential for damage when they encrypt data and systems in sophisticated ransomware attacks and only release them after high ransoms have been paid.

The updates to the international standards for information security, ISO 27001 and ISO 27002, are now intended to put a stop to this development: Security measure (control) 5.30 "ICT readiness for business continuity" in Annex A obliges companies to ensure the availability of ICT even in the event of a disruption. The new ISO 27001:2022 sets a strong signal here with the controls and helps companies to arm their organizational structures and security architectures against threat scenarios in a timely manner. Read the following blog post to find out what control 5.30 means for your information security management system and how it will affect future audits.

ICT security in the organization and its relevance for today's business processes

Collaboration tools such as Microsoft Teams, cloud applications on the platforms of the major hyperscalers, the use of cloud services and networked production (Industry 4.0) have become part of everyday life in modern companies, and not just since the coronavirus pandemic. Modern information and communication technologies enable fast and efficient workflows and have become irreplaceable tools for maintaining business processes across all industries.

Conversely, this means that the security and availability of ICT are critical and must be systematically monitored and protected against disruptions by suitable measures and processes in order to guarantee smooth operations and keep potential damage to a minimum. This is becoming increasingly important, especially in times of heightened cyber threats fueled by geopolitical conflicts. Companies have a range of tools at their disposal for this purpose, which are explained in general terms below and then considered in the context of control 5.30 in ISO 27001.


Business continuity management

Business continuity management (BCM), for example in accordance with ISO 22301, is a management process that ensures that critical business functions are not interrupted for long during and after a disruption or can be restarted as quickly as possible by creating, implementing and reviewing (emergency) plans and strategies.

ISO 22301 describes preventive precautions in terms of an (emergency) preparedness organization and emergency planning in order to increase the reliability of business processes. In addition, reactive measures (disaster recovery) are planned and taken as part of the (emergency) response organization in order to enable a quick and targeted response in the event of a disruption to IT processes and to reduce downtimes, for example through a high level of ICT security in the company.

BCM as part of strategic planning includes identifying potential risks and vulnerabilities, assessing the criticality of business processes, developing plans to respond to disruptions and testing these plans through regular exercises and simulations. The aim of business continuity management is to ensure that a company can respond quickly and effectively to a disruption and that the confidence of its stakeholders in its ability to deliver and operate is improved.

Business impact analysis

Business impact analysis (BIA) is the method used in business continuity management to record critical processes and business functions within an organization and to identify interdependencies between them and their underlying resources. It is therefore a strategic process that helps to identify and assess the impact of disruptions to business activities. The BIA forms the basis for determining the required restart times.

BIA typically involves assessing the criticality of business processes, identifying the resources required to support these processes and determining the impact of disruptions on these processes and resources. The analysis helps companies understand the potential consequences of disruptions and prioritize their response and recovery efforts accordingly.

The results of a BIA can inform the development of business continuity plans (BCPs) and other risk management strategies to ensure that the company is better prepared to manage unexpected events and minimize their impact through the high availability of systems and structures.

Further recommendations for conducting a business impact analysis (BIA) can also be found in the guidelines of ISO/TS 22317.

ISO 27001:2022 is the backbone of business continuity

Information and communication technology (ICT) has a significant impact on business continuity within a company. Disruptions can have severe consequences, especially in the area of critical infrastructure (KRITIS). For this reason, control 5.30 "ICT readiness for business continuity" in Annex A of the new ISO/IEC 27001:2022 is of great importance.

The purpose of the measure is to ensure a high level of availability of critical ICT systems on the basis of business continuity objectives and the ICT continuity requirements derived from them, implemented and verified. This includes defining impact types and impact criteria within the BIA process.

Prioritized operational activities are identified on this basis and assigned a recovery time objective (RTO). The BIA then determines which resources are required for these prioritized activities and also assigns them an RTO. A subset of these resources will be ICT services. In addition, a recovery point objective (RPO), i.e. the recovery points and the maximum interval between them, should also be defined for the prioritized ICT resources.

Based on the results of all these processes, organizations need to identify and select ICT continuity strategies that consider options for before, during and after a disruption. Based on this, continuity plans (including response and recovery procedures) are developed, implemented and tested to meet the required ICT readiness.

In this context, reference should also be made to the ISO standard ISO/IEC 27031, a guide to ICT readiness for business continuity, which provides companies with recommendations for ensuring the availability of ICT systems.

Impact of control 5.30 on certification

To be certified to the revised ISO 27001:2022 standard, organizations must ...

  • have an appropriate organizational structure to prepare for, contain and respond to an incident. This also requires personnel with the necessary responsibility, authority and competence.
  • have developed binding ICT continuity plans, including response and recovery procedures, detailing how the organization intends to deal with a disruption of ICT services. These plans must be approved by senior management and regularly evaluated through exercises and testing.
  • include the following information in their continuity plans:
    - Performance and capacity specifications to meet the requirements and business continuity objectives defined in the BIA
    - RTO of each prioritized ICT service and the procedures for restoring these components
    - RPO of prioritized ICT resources that consist of information, and the procedures for restoring that information
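The prioritization chain described above (activity RTO/RPO, resource RTO/RPO, the ICT subset) and the plan contents an auditor will look for can be modelled in a few lines. The following is an added example, not code from the post or from DQS: the activities, resources and capability figures are constructed, and the functions derive_resource_objectives and gap_analysis are the example's own names.

```python
# Constructed BIA output: prioritized activities with RTO/RPO in hours and the
# resources they depend on (names and figures are assumptions for illustration).
ACTIVITIES = {
    "order-processing": {"rto": 4, "rpo": 1, "depends_on": ["erp", "identity", "network"]},
    "customer-portal": {"rto": 8, "rpo": 4, "depends_on": ["web-frontend", "identity", "network"]},
    "payroll": {"rto": 48, "rpo": 24, "depends_on": ["erp", "hr-db"]},
}

# Constructed ICT capability: backup interval (None for stateless resources that
# hold no information, so no RPO applies) and the recovery time achieved in the
# last exercise, both in hours.
ICT_CAPABILITY = {
    "erp": {"backup_interval": 12, "tested_recovery": 6},
    "hr-db": {"backup_interval": 24, "tested_recovery": 24},
    "identity": {"backup_interval": 1, "tested_recovery": 2},
    "web-frontend": {"backup_interval": 4, "tested_recovery": 3},
    "network": {"backup_interval": None, "tested_recovery": 12},
}


def derive_resource_objectives(activities):
    """Each resource inherits the strictest RTO and RPO of every activity needing it."""
    objectives = {}
    for act in activities.values():
        for res in act["depends_on"]:
            cur = objectives.setdefault(res, {"rto": act["rto"], "rpo": act["rpo"]})
            cur["rto"] = min(cur["rto"], act["rto"])
            cur["rpo"] = min(cur["rpo"], act["rpo"])
    return objectives


def gap_analysis(objectives, capability):
    """List (resource, finding) pairs where the exercised capability misses the objective."""
    findings = []
    for res, obj in objectives.items():
        cap = capability.get(res)
        if cap is None:
            findings.append((res, "no ICT continuity measure documented"))
            continue
        if cap["tested_recovery"] > obj["rto"]:
            findings.append((res, f"tested recovery {cap['tested_recovery']}h exceeds RTO {obj['rto']}h"))
        if cap["backup_interval"] is not None and cap["backup_interval"] > obj["rpo"]:
            findings.append((res, f"backup interval {cap['backup_interval']}h exceeds RPO {obj['rpo']}h"))
    return sorted(findings)


if __name__ == "__main__":
    for res, finding in gap_analysis(derive_resource_objectives(ACTIVITIES), ICT_CAPABILITY):
        print(f"{res}: {finding}")
```

Resources shared by several activities (here the identity service and the network) end up with the strictest objective, which is exactly where continuity plans tend to be under-specified.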


ICT security for business continuity - conclusion

The prominent example of the attack on the Anhalt-Bitterfeld district administration, as a result of which some municipal services were unavailable for weeks or months, demonstrates how much today's world depends on information and communication technology. At the same time, the example shows how important continuity and established emergency plans are.

The security measure control 5.30 "ICT readiness for business continuity" is therefore an important aspect of the revised information security standards ISO/IEC 27001:2022 and ISO/IEC 27002:2022 in order to strengthen the resilience of companies.

However, during implementation organizations sometimes find it difficult to assess the criticality of the information and communication technologies in use and their risk potential, which in turn has a direct impact on the prioritization chain. BIA and risk analysis are the backbone of business continuity management. In the run-up to certification, it is therefore worthwhile to review and optimize your own efforts for business continuity and the availability of ICT solutions with experienced specialists.

DQS: Simply leveraging Security.

Thanks to the transition periods, companies have sufficient time to adapt their information security management to the new requirements and have it certified. However, the duration and effort of the entire change process should not be underestimated. If you want to be on the safe side, it is better to deal with the new requirements and the transition to the new standard sooner rather than later.


As audit and certification experts with almost 40 years of expertise, we are happy to support you in evaluating your current status, for example as part of a delta audit. Find out from our experts about the most important changes and their relevance for your organization.

Trust and expertise

Our texts are written exclusively by our in-house experts for management systems and long-standing auditors. If you have any questions for the author, please contact us.

Author
Hans-Jürgen Fengler

Hans-Jürgen Fengler is an expert and product manager for Business Continuity Management Systems (ISO 22301), specialist for the German BSI-Kritisverordnung (BSI-KritisV) and auditor for regulations in the field of information security.
