13. Information Security Aspects of Business Continuity Management

This category focuses on the integration of information security into the organization's business continuity management (BCM) framework. It ensures that information security continuity is embedded into BCM practices to protect critical business processes and information assets during disruptions.

Controls (A.17):

• A.17.1.1: Planning Information Security Continuity

• A.17.1.2: Implementing Information Security Continuity

• A.17.1.3: Verify, Review, and Evaluate Information Security Continuity

• A.17.2.1: Availability of Information Processing Facilities

Control A.17.1.1: Planning Information Security Continuity

Audit Questions:

• Are there documented plans for information security continuity?

• How are these plans aligned with the organization's overall business continuity plans?

Common Non-Conformities (NC):

• Lack of documented information security continuity plans.

• Poor alignment between information security and business continuity plans.

Control A.17.1.2: Implementing Information Security Continuity

Audit Questions:

• How are information security continuity plans implemented?

• Are there procedures for maintaining information security during disruptions?

Common Non-Conformities (NC):

• Inadequate implementation of continuity plans.

• Lack of procedures for maintaining security during disruptions.

Control A.17.1.3: Verify, Review, and Evaluate Information Security Continuity

Audit Questions:

• How often are information security continuity plans reviewed and tested?

• What processes are in place to evaluate the effectiveness of these plans?

Common Non-Conformities (NC):

• Infrequent reviews and tests of continuity plans.

• Ineffective evaluation of continuity plans.

Control A.17.2.1: Availability of Information Processing Facilities

Audit Questions:

• What measures are in place to ensure the availability of information processing facilities during disruptions?

• How are these measures monitored and maintained?

Common Non-Conformities (NC):

• Lack of measures to ensure facility availability.

• Inadequate monitoring and maintenance of availability measures.