The basics
ISO 27001 control A.5.30 ICT readiness for business continuity requires companies to be ready for potential disruptions in operations of their information and communication technology so that required data and assets are available when needed – this includes readiness planning, implementation, maintenance, and testing. This is a completely new control in the 2022 revision of the standard.
Documentation
ISO 27001 control A.5.30 ICT readiness for business continuity can be documented by writing:
- for smaller companies: Disaster Recovery Plan
- for mid-sized and larger companies: Business Continuity Strategy
These documents are not mandatory but are recommended.
Implementation
In order to comply with control A.5.30 ICT readiness for business continuity you might implement the following:
- Technology — the technology whose resilience and redundancy need to be ensured could include software (e.g., core applications), hardware (e.g., servers), networks (e.g., firewalls and routers), or communication (external communication links). Companies of all sizes need to plan their continuity, through the introduction of resilience and redundancy solutions, based on risk assessment and how quickly they need their IT infrastructure to be recovered.
- Organization/processes — you should set up a process for planning, maintaining, and recovering your IT infrastructure, as well as for testing your disaster recovery and/or business continuity plans. You can document those processes through a Disaster Recovery Plan or Business Continuity Strategy.
- People — make employees aware of why IT and communication technology readiness for disruption is needed and train them on how to execute plans for recovering those technologies within recovery time objectives.
Audit evidence
During the audit, the auditor might look for the following evidence regarding control A.5.30 ICT readiness for business continuity: whether the company’s information and communication technology is ready for potential disruptions.
These are the things the auditor will be looking for; if they are not found, this is considered a nonconformity.