Continuity of information security management in adverse situations

ISO27001 vs ISO22301

The relationship between the ISO27001:2013 controls A.17.1.1 – A.17.1.3 and ISO22301:2019 is often the subject of some confusion, even amongst the most seasoned practitioners of business continuity and information security management. The commentary below seeks to provide some simple clarification.

Control Objective, A.17.1.1:  The organisation shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.

Let us look to the relevant definitions to provide clarity.

  • Information security – preservation of confidentiality (2.12), integrity (2.40) and availability (2.9) of information (Ref: ISO27000:2018)
  • Business continuity – capability of an organisation (3.21) to continue the delivery of products and services (3.27) within acceptable time frames at predefined capacity during a disruption (3.10) (Ref: ISO22301:2019)

From these definitions, we could interpret the requirement as follows:

  • The organisation shall determine its requirements for information security and the continued preservation of confidentiality (2.12), integrity (2.40) and availability (2.9) of information management in adverse situations, e.g. during a crisis or disaster.

The primary assets of any business are business processes/activities and information (ISO27005:2019), which combined with supporting assets in turn allow the organisation to deliver its products and services.

In this respect we therefore need to preserve the availability of information (within acceptable time frames at predefined capacity) during a disruption while still preserving its confidentiality and integrity at the same time.

By doing this we can ensure that the organisation’s processes and activities can still operate within acceptable time frames at predefined capacity to deliver its products and services even during a disruption.

Preservation of information security therefore also requires preservation of the underlying information assets (or containers), including hardware, software, networks, personnel, site/s and organisational structures, thus in turn assuring business continuity.

Therefore the adoption of the ISO22301:2019 standard for this section is valid; however, we must also ensure we pay particular attention to preserving the confidentiality and integrity aspects at the same time, as these are not explicitly covered in ISO22301:2019.

Note: If an organisation can produce its products and services comprehensively, completely and on time, it can assure revenue. If this can be performed effectively and efficiently, it can ensure profitability. If this can be undertaken within the bounds of the legal, regulatory and contractual environment in which it is operating, it can assure compliance. If this can meet the needs and values of the interested parties, then true value can be created.