ISO 27001 Business Continuity Policy
In this guide, you will learn what an ISO 27001 Business Continuity Policy is, how to write it yourself and I give you a template you can download and use right away.
What is an ISO 27001 Business Continuity Policy?
The ISO 27001 Business Continuity Policy is an ISO 27001 topic specific policy that documents the guidelines an organisation follows in the event of a disaster or serious incident.
It is one of the ISO 27001 policies required by the ISO 27001 standard for ISO 27001 certification.

How to write an ISO 27001 Business Continuity Policy
It is quicker to leverage best practice and download the business continuity template but to write it yourself follow this guide.
Time needed: 1 hour and 30 minutes
- Create your version control and document mark-up
ISO 27001 documents require version control of the author, the change, the date and the version as well as document mark up such as document classification.
- Write the ISO 27001 Business Continuity Policy Contents Page
The contents of the business continuity policy are:
1 Document Version Control
2 Document Contents Page
3 Business Continuity Policy
3.1 Purpose
3.2 Scope
3.3 Principle
3.4 Commitment and Continual Improvement
3.5 Business Impact Analysis
3.6 Business Continuity Plans
3.6.1 Business Continuity Plans Cover
3.6.2 Business Continuity Plans Contain
3.7 Recovery
3.8 Business Continuity Testing
3.9 Incident and Business Continuity Reporting and Escalation
3.10 Disaster Recovery Plans
- Write the ISO 27001 Business Continuity Policy Purpose
Write the purpose of the Business Continuity Policy. The purpose of this policy is business continuity management and information security continuity. It addresses threats, risks and incidents that impact the continuity of operations.
- Write the ISO 27001 Business Continuity Policy Principle
The Business Continuity Policy requires:
People's safety to be our first priority. Always.
The framework is based on industry best practice and the business continuity standard ISO 22301 Business Continuity Management.
- Write the ISO 27001 Business Continuity Policy Scope
Consider the scope of the business continuity policy. An example:
All employees and third-party users.
All devices used to access, process, transmit or store company information.
- Explain the commitment to continual improvement
The company is committed to the development and the continual improvement of the business continuity process, plans and system.
- Describe the role of the Business Impact Analysis (BIA)
Business continuity is based on a documented business impact analysis and risk assessment.
- Set out the approach to Business Continuity Plans
The company has documented procedures for responding to a disruptive incident and how it will continue or recover its activities within a predetermined timeframe. Such procedures address the requirements of those who will use them.
- Explain what business continuity plans cover
Business Continuity plans cover:
Roles and responsibilities
Incident Management processes
Business priority of recovery
Information and system back up processes.
- Describe what business continuity plans contain
The business continuity plans collectively contain:
– defined roles and responsibilities for people and teams having authority during and following an incident
– a process for activating the response
– details to manage the immediate consequences of a disruptive incident giving due regard to:
  the welfare of individuals
  strategic, tactical, and operational options for responding to the disruption, and
  prevention of further loss or unavailability of prioritised activities
– details on how and under what circumstances the organization will communicate with employees and their relatives, key interested parties and emergency contacts,
– how the organization will continue or recover its prioritised activities within predetermined timeframes,
– details of the organisation's media response following an incident, including:
  a communications strategy
  preferred interface with the media,
  guideline or template for drafting a statement for the media, and
  appropriate spokespeople.
– a process for standing down once the incident is over.
– Each plan shall define
  purpose and scope,
  objectives,
  activation criteria and procedures,
  implementation procedures,
  roles, responsibilities, and authorities,
  communication requirements and procedures,
  internal and external interdependencies and interactions,
  resource requirements, and
  information flow and documentation processes.
- Explain the approach to recovery
The company has documented procedures to restore and return business activities from the temporary measures adopted to support normal business requirements after an incident.
- Set out when business continuity testing occurs
Business continuity plans are tested at least annually and / or when significant change occurs.
- Describe the relationship between business continuity and incident management
An incident management process is in place and followed.
Business continuity incidents are additionally recorded and tracked in a register.
Business continuity incidents are additionally reported to the Management Review Team.
- Show commitment to disaster recovery plans
Technical recovery plans for disaster recovery are in place and tested.
ISO 27001 Business Continuity Policy Template
The ISO 27001 business continuity template is designed to fast track your implementation and give you an exclusive, industry best practice policy template that is pre-written and ready to go. It is included in the ISO 27001 toolkit.
ISO 27001 Business Continuity Policy FAQ
The business continuity policy is important because it sets out what you will do in the event of a disaster. It allows you to pre-plan for if the worst happens and to set in place guidelines for what to do. Of course each event is different, but the guidelines and approach will be the same and consistent. The last thing you want in a disaster is to wonder what you should be doing or to do something that makes things worse. Combined with the plans and the tests, this is the best approach for surviving a disaster or significant event with the least amount of disruption and impact.
Senior management are accountable for the ISO 27001 business continuity policy. Responsibility for its operation is often delegated to the information security manager or a dedicated business continuity manager.
The following are benefits of implementing a business continuity policy:
- Improved security: You will have an effective business continuity policy that addresses security during a disaster or significant event and that maintains a level of security approved by the organisation
- Reduced risk: You will reduce the risk to your organisation in the event of a disaster, having pre-planned and set in place guidelines
- Improved compliance: Standards and regulations require business continuity to be in place
- Reputation protection: In the event of a breach, having effectively managed the disaster will reduce the potential for fines and reduce the PR impact of the event
There are several that apply but the main ones are:
ISO 27001 Annex A 5.29 Information Security During Disruption
and ISO 27001 Annex A 5.30 ICT Readiness for Business Continuity
Business continuity is based on the ISO 22301 standard for business continuity.