Beginner’s Guide to ISO 27001 Business Continuity Policy


Introduction

In this guide you will learn about the ISO 27001 Business Continuity Policy.

Using over two decades of experience on hundreds of ISO 27001 audits and ISO 27001 certifications I am going to show you what’s new, give you templates, show you examples and do a walkthrough.

In this ISO 27001 certification guide I show you exactly what changed in the ISO 27001:2022 update.

I am Stuart Barker the ISO 27001 Ninja and this is the ISO 27001 Business Continuity Policy.

What is the ISO 27001 Business Continuity Policy?

The ISO 27001 Business Continuity Policy is an ISO 27001:2022 topic-specific policy that documents the guidelines an organisation follows in the event of a disaster or serious incident.

What is the purpose of the ISO 27001 Business Continuity Policy?

The purpose of the ISO 27001 Business Continuity Policy is business continuity management and information security continuity. It addresses threats, risks and incidents that impact the continuity of operations.

What is the definition of the ISO 27001 Business Continuity Policy?

In the context of the ISO 27001 standard the definition of the ISO 27001 Business Continuity Policy is:

The policy sets out what the organisation will do in the event of a disaster or significant event. It is a statement of what is to be done but not how to do it. How to do it is covered in the business continuity plan.


What are the ISO 27001:2022 Changes to the Business Continuity Policy?

There are minor changes to business continuity and the business continuity policy in the 2022 update. The 2013 controls under A.17 (information security continuity) have been consolidated and a new control for ICT readiness has been added.

Business continuity is now covered in

  • ISO 27001:2022 Annex A 5.29 Information Security During Disruption (a merge of the 2013 A.17.1 controls for planning, implementing and verifying information security continuity)
  • and ISO 27001:2022 Annex A 5.30 ICT Readiness for Business Continuity (new in 2022)

Redundancy of information processing facilities, previously 2013 control A.17.2.1, is now ISO 27001:2022 Annex A 8.14.

What is the requirement of ISO 27001 Business Continuity Policy?

The requirement of the ISO 27001 Business Continuity Policy is to understand your requirements for continuity in the event of a disaster and to set out what you are going to do to ensure your business can still operate, including how information security is maintained while you do so.

ISO 27001 Business Continuity Policy Template

ISO 27001 templates are a great way to fast track any implementation and benefit from best practice. The ISO 27001 Toolkit has all the required templates, and the ISO 27001 business continuity policy template is also available standalone.

How to write an ISO 27001 business continuity policy

It is quicker to leverage best practice and download the business continuity template, but to write it yourself follow this guide.

Create your version control and document mark-up

ISO 27001 documents require version control of the author, the change, the date and the version as well as document mark up such as document classification.

Write the policy purpose

Write the purpose of the Business Continuity Policy. The purpose of this policy is business continuity management and information security continuity. It addresses threats, risks and incidents that impact the continuity of operations.

Write the scope of the policy

Consider the scope of the business continuity policy. It should apply to all employees and third party staff working for your company.

Write the principle on which the policy is based

The principle of the business continuity policy is that the safety of people always comes first.

Define business continuity

Provide a definition for business continuity and the terms used.

Describe your business continuity plans

Set out what your business continuity plans cover, what they contain, how they are structured.

Set out recovery

Set out that you have procedures in place to recover from a business continuity event back to normal operations.

Describe business continuity testing

Set out if, when and how often you do business continuity testing, and how the results are recorded.

Set out that this links to incident management for escalation and management of the event.

Disaster recovery plans

Document that you have disaster recovery plans in place.

How do I comply with the ISO 27001 business continuity policy?

To comply with the business continuity policy you are going to write down how you do business continuity, implementing what you say you do in the policy. Take the policy, which says what you do, and implement it in your plans and procedures.

How do I pass an audit of the ISO 27001 business continuity policy?

To pass an audit of the ISO 27001 business continuity policy you are going to ensure that you have one.

You are then going to conduct an internal audit, following the How to Conduct an ISO 27001 Internal Audit Guide.

What will the audit check?

The audit is going to check a number of areas for compliance with the business continuity policy. Let's go through them.

1. That you have documented your business continuity plans and disaster recovery plans

Beyond the policy itself, which goes without saying, they are going to check that you have documented plans in place for business continuity and disaster recovery.

2. That you have tested your plans

They are going to check that you have tested your documented plans, followed those plans and can evidence that you have.

3. That you have considered information security

The whole purpose of the control is to address your approach to information security in a disaster and how you maintain it. They will ask and check what you have considered and what, if anything, is different from normal business operations. In addition they will check how you return security controls to normal if you relaxed or changed them during an event.

Top 3 Mistakes People Make for the ISO 27001 business continuity policy

In my experience, the top 3 mistakes people make with the ISO 27001 business continuity policy are:

1. You have no evidence that anything actually happened

You need to keep records, minutes and documented evidence. Recording and evidencing tests can feel like a low priority, but auditors will check. The extent of the test is what is right for you, but some level of testing has to have been done in the last 12 months.

2. You did not cover the basics

Having a policy that does not cover the basics is like having no policy at all. Make sure that the policy covers the basic requirements of business continuity.

3. Your document and version control is wrong

Keep your document version control up to date, make sure version numbers match wherever a document is referenced, evidence a review in the last 12 months, and remove leftover comments and tracked changes from documents. These are all good practices that auditors look for.
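The three checks above (a review in the last 12 months, version numbers that match wherever a document is cited, and an evidenced test of each plan in the last 12 months) are mechanical enough to run before the auditor does. The script below is an added example written for this guide, not part of the page or the ISO 27001 Toolkit; the document register, the plan identifiers (POL-BC-001, BCP-001, DRP-001) and the test log are constructed and hypothetical, and the 12-month window is taken from the text above.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Auditors expect a documented review of each document, and an evidenced test of
# each plan, within the last 12 months (the "last 12 months" rule in this guide).
EVIDENCE_WINDOW = timedelta(days=365)


@dataclass
class Document:
    doc_id: str
    kind: str                 # "policy" or "plan"
    version: str
    last_reviewed: date
    # doc_id -> version this document cites, e.g. the policy citing the BCP
    references: dict = field(default_factory=dict)


@dataclass
class TestRecord:
    plan_id: str
    performed: date
    evidence: str             # reference to minutes / test report; "" means nothing was kept


def check_register(documents, tests, today):
    """Return (doc_id, finding) pairs for the three audit failures described above."""
    findings = []
    by_id = {d.doc_id: d for d in documents}

    for d in documents:
        # 1. a review evidenced in the last 12 months
        if today - d.last_reviewed > EVIDENCE_WINDOW:
            findings.append((d.doc_id, "review older than 12 months"))
        # 2. version numbers match wherever the document is referenced
        for ref_id, cited in d.references.items():
            target = by_id.get(ref_id)
            if target is None:
                findings.append((d.doc_id, f"references unknown document {ref_id}"))
            elif target.version != cited:
                findings.append((d.doc_id, f"cites {ref_id} v{cited} but current is v{target.version}"))

    # 3. every plan has an evidenced test in the last 12 months
    for plan in (d for d in documents if d.kind == "plan"):
        recent = [t for t in tests
                  if t.plan_id == plan.doc_id
                  and t.evidence
                  and today - t.performed <= EVIDENCE_WINDOW]
        if not recent:
            findings.append((plan.doc_id, "no evidenced test in the last 12 months"))
    return findings


def sample_findings():
    """Run the checks over a constructed (hypothetical) register; not real data."""
    today = date(2024, 10, 1)
    documents = [
        # the policy cites the BCP at v1.2, but the BCP has since moved to v1.3
        Document("POL-BC-001", "policy", "2.1", date(2024, 2, 10),
                 {"BCP-001": "1.2", "DRP-001": "1.0"}),
        Document("BCP-001", "plan", "1.3", date(2024, 6, 1)),
        # the DR plan was last reviewed well over a year ago
        Document("DRP-001", "plan", "1.0", date(2023, 1, 15)),
    ]
    tests = [
        TestRecord("BCP-001", date(2024, 5, 20), "minutes/bc-test-2024-05.pdf"),
        # a DR test happened but nobody kept the evidence
        TestRecord("DRP-001", date(2024, 9, 1), ""),
        # an evidenced DR test, but outside the 12-month window
        TestRecord("DRP-001", date(2022, 8, 1), "minutes/dr-test-2022-08.pdf"),
    ]
    return check_register(documents, tests, today)


if __name__ == "__main__":
    for doc_id, finding in sample_findings():
        print(f"{doc_id}: {finding}")
```

Run against the constructed register it raises exactly the three things an auditor would: the policy cites an out-of-date BCP version, the DR plan has not been reviewed in the last year, and the only recent DR test has no evidence behind it. Point it at your own document register and test log a month before the audit rather than the day before.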

Why is the ISO 27001 Business Continuity Policy Important?

The business continuity policy is important because it sets out what you will do in the event of a disaster. It allows you to plan ahead for the worst happening and to set in place guidelines for what to do. Of course each event is different, but the guidelines and approach will be the same and consistent. The last thing you want in a disaster is to wonder what you should be doing, or to do something that makes things worse. Combined with the plans and the tests, this is the best approach for surviving a disaster or significant event with the least amount of disruption and impact.

Who is responsible for the Business Continuity Policy?

Senior management are accountable for the ISO 27001 business continuity policy and for ensuring it is implemented. Responsibility for operating it is often delegated to the information security manager or a dedicated business continuity manager.

What are the benefits of an ISO 27001 business continuity policy?

Other than your ISO 27001 certification requiring it, the following are benefits of implementing a business continuity policy:

  1. Improved security: You will have an effective business continuity policy that addresses security during a disaster or significant event and that maintains a level of security approved by the organisation
  2. Reduced risk: You will reduce the risk to your organisation in the event of a disaster having preplanned and set in place guidelines
  3. Improved compliance: Standards and regulations require business continuity to be in place
  4. Reputation Protection: In the event of a breach, having effectively managed the disaster will reduce the potential for fines and reduce the PR impact of the event

ISO 27001 Business Continuity Policy FAQ

Where can I get a free example business continuity policy PDF?

You can get a free example business continuity policy pdf here.

Where can I get an ISO 27001 business continuity template?

You can get an ISO 27001 business continuity toolkit here.

How hard is it to write a business continuity policy?

It is not very hard. If you use the ISO 27001 business continuity policy template the work has been done for you.

What clauses of ISO 27001:2022 require an ISO 27001 business continuity policy?

There are several that apply but the main ones are:

  • ISO 27001:2022 Annex A 5.29 Information Security During Disruption
  • and ISO 27001:2022 Annex A 5.30 ICT Readiness for Business Continuity

How long will the ISO 27001:2022 business continuity policy take me to write?

It will take about a day to write a business continuity policy that meets ISO 27001 from scratch. With the ISO 27001 business continuity policy template it should take you about 15 minutes.

How much will an ISO 27001:2022 business continuity policy template cost me?

The cost of a business continuity policy will depend on how you go about it. If you do it yourself it will be free but will take you about 1 day, so the cost is the lost opportunity cost of tying up a resource doing something that can easily be downloaded. If you download the ISO 27001 business continuity policy template you are looking at less than ten pounds / dollars.

What ISO standards cover business continuity?

Business continuity management as a discipline is covered by ISO 22301, the standard for business continuity management systems. ISO/IEC 27031 gives guidance on ICT readiness for business continuity, which is what Annex A 5.30 addresses. ISO 27001 itself only requires information security continuity (Annex A 5.29 and 5.30); it does not require ISO 22301 certification.

ISO 27001 Quick Links

Organisational Controls - A5

ISO 27001 Annex A 5.1 Policies for information security

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3 Segregation of duties

ISO 27001 Annex A 5.4 Management responsibilities

ISO 27001 Annex A 5.5 Contact with authorities

ISO 27001 Annex A 5.6 Contact with special interest groups

ISO 27001 Annex A 5.7 Threat intelligence – new

ISO 27001 Annex A 5.8 Information security in project management

ISO 27001 Annex A 5.9 Inventory of information and other associated assets – change

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets – change

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.12 Classification of information

ISO 27001 Annex A 5.13 Labelling of information

ISO 27001 Annex A 5.14 Information transfer

ISO 27001 Annex A 5.15 Access control

ISO 27001 Annex A 5.16 Identity management

ISO 27001 Annex A 5.17 Authentication information – new

ISO 27001 Annex A 5.18 Access rights – change

ISO 27001 Annex A 5.19 Information security in supplier relationships

ISO 27001 Annex A 5.20 Addressing information security within supplier agreements

ISO 27001 Annex A 5.21 Managing information security in the ICT supply chain – new

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services – change

ISO 27001 Annex A 5.23 Information security for use of cloud services – new

ISO 27001 Annex A 5.24 Information security incident management planning and preparation – change

ISO 27001 Annex A 5.25 Assessment and decision on information security events 

ISO 27001 Annex A 5.26 Response to information security incidents

ISO 27001 Annex A 5.27 Learning from information security incidents

ISO 27001 Annex A 5.28 Collection of evidence

ISO 27001 Annex A 5.29 Information security during disruption – change

ISO 27001 Annex A 5.30 ICT readiness for business continuity – new

ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32 Intellectual property rights

ISO 27001 Annex A 5.33 Protection of records

ISO 27001 Annex A 5.34 Privacy and protection of PII

ISO 27001 Annex A 5.35 Independent review of information security

ISO 27001 Annex A 5.36 Compliance with policies and standards for information security

ISO 27001 Annex A 5.37 Documented operating procedures 

Technology Controls - A8

ISO 27001 Annex A 8.1 User Endpoint Devices

ISO 27001 Annex A 8.2 Privileged Access Rights

ISO 27001 Annex A 8.3 Information Access Restriction

ISO 27001 Annex A 8.4 Access To Source Code

ISO 27001 Annex A 8.5 Secure Authentication

ISO 27001 Annex A 8.6 Capacity Management

ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO 27001 Annex A 8.9 Configuration Management 

ISO 27001 Annex A 8.10 Information Deletion

ISO 27001 Annex A 8.11 Data Masking

ISO 27001 Annex A 8.12 Data Leakage Prevention

ISO 27001 Annex A 8.13 Information Backup

ISO 27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO 27001 Annex A 8.15 Logging

ISO 27001 Annex A 8.16 Monitoring Activities

ISO 27001 Annex A 8.17 Clock Synchronisation

ISO 27001 Annex A 8.18 Use of Privileged Utility Programs

ISO 27001 Annex A 8.19 Installation of Software on Operational Systems

ISO 27001 Annex A 8.20 Network Security

ISO 27001 Annex A 8.21 Security of Network Services

ISO 27001 Annex A 8.22 Segregation of Networks

ISO 27001 Annex A 8.23 Web Filtering

ISO 27001 Annex A 8.24 Use of Cryptography

ISO 27001 Annex A 8.25 Secure Development Life Cycle

ISO 27001 Annex A 8.26 Application Security Requirements

ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO 27001 Annex A 8.28 Secure Coding

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO 27001 Annex A 8.30 Outsourced Development

ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO 27001 Annex A 8.32 Change Management

ISO 27001 Annex A 8.33 Test Information

ISO 27001 Annex A 8.34 Protection of information systems during audit testing