Castleforce IT Security Team

A.14 Business continuity management

A.14.1 Information security aspects of business continuity management

Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.

A.14.1.1 Including information security in the business continuity management process

Control

A managed process shall be developed and maintained for business continuity throughout the organization that addresses the information security requirements needed for the organization’s business continuity.

A.14.1.2 Business continuity and risk assessment

Control

Events that can cause interruptions to business processes shall be identified, along with the probability and impact of such interruptions and their consequences for information security.

A.14.1.3 Developing and implementing continuity plans including information security

Control

Plans shall be developed and implemented to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, critical business processes.

A.14.1.4 Business continuity planning framework

Control

A single framework of business continuity plans shall be maintained to ensure all plans are consistent, to consistently address information security requirements, and to identify priorities for testing and maintenance.

A.14.1.5 Testing, maintaining and reassessing business continuity plans

Control

Business continuity plans shall be tested and updated regularly to ensure that they are up to date and effective.
