ISO 27701 Clause 6.14: Safeguarding Information Security Continuity
Continuity planning, in a nutshell, means ensuring that an organisation is able to carry on doing business when problems arise and privacy information – or entire information processing facilities – becomes compromised or unavailable.
Business continuity is closely linked to backup and disaster recovery (BUDR) – a technical ICT concept that encompasses redundancy layers, backups, asset duplication and alerting.
What’s Covered in ISO 27701 Clause 6.14
ISO 27701 focuses on two key areas of continuity management, privacy information security and redundancy, across 4 sub-clauses:
- ISO 27701 6.14.1.1 – Planning information security continuity (ISO 27002 Control 5.29)
- ISO 27701 6.14.1.2 – Implementing information security continuity (ISO 27002 Control 5.29)
- ISO 27701 6.14.1.3 – Verify, renew and evaluate information security continuity (ISO 27002 Control 5.29)
- ISO 27701 6.14.2.1 – Availability of information processing facilities (ISO 27002 Control 8.14)
Each sub-clause contains guidance information from ISO 27002, applied within the context of privacy information security.
Get an 81% headstart
We've done the hard work for you, giving you an 81% Headstart from the moment you log on.
All you have to do is fill in the blanks.
ISO 27701 Clause 6.14.1.1 – Planning Information Security Continuity
References ISO 27002 Control 5.29
Organisations should consider privacy information security as an integral part of broader business continuity management procedure.
ISO asks organisation to focus on two key areas when formulating business continuity plans:
- Loss of confidentiality
- The integrity of information
Privacy information security integrity should be maintained at all times. Should PII or privacy-related assets become compromised in any way, organisations should do as much as they can to restore them in a timely and efficient manner, and to the same pre-disruption levels.
Organisations should:
- Operate with generalised privacy information security controls that work in harmony with business continuity plans.
- Adhere to processes that maintain privacy information security controls throughout periods of disruption or loss of business.
If it’s not possible to sustain privacy information security controls at any given time (especially during periods of disruption), organisations should enact ‘compensating’ controls that strive to achieve as high a level of information security as is possible.
ISO 27701 Clause 6.14.1.2 – Implementing Information Security Continuity
References ISO 27002 Control 5.29
See ISO 27701 Clause 6.14.1.1
ISO 27701 Clause 6.14.1.3 – Verify, Renew and Evaluate Information Security
References ISO 27002 Control 5.29
See ISO 27701 Clause 6.14.1.1
Manage all your compliance in one place
ISMS.online supports over 100 standards
and regulations, giving you a single
platform for all your compliance needs.
ISO 27701 Clause 6.14.2.1 – Availability of Information Processing Facilities
References ISO 27002 Control 8.14
Organisations should strive to ensure that business services and privacy information systems are operable at all times.
ISO recommends duplication as a redundancy mechanism – organisations should keep an inventory of spare parts, duplicate hardware and software components, spare network devices and peripherals that are able to be swapped out for malfunctioning assets across the network.
Alerts should be setup to first identify failed privacy information processing facilities, and for alternate systems to be brought as quickly as possible.
Organisations should:
- Ensure an ongoing relationship with two separate service providers, reducing the risk of downtime.
- Consider redundancy measures when designing and implementing networks, such as multiple domain controllers and BUDR plans.
- Use geographically separate locations for backups and associated data services.
- Utilise well-known industry techniques such as load balancing and automatic failover between two identical redundant software components or systems.
- Regularly test redundancy measures to ensure they’re able to meet business requirements when called upon.
- Operate with duplicate storage components (RAID arrays, CPUs), and network devices with congruous firmware versions.
Supporting Controls From ISO 27002 and GDPR
| ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27002 Requirement | Associated GDPR Articles |
|---|---|---|---|
| 6.14.1.1 | Planning Information Security Continuity |
5.29 – Information Security During Disruption for ISO 27002 |
None |
| 6.14.1.2 | Implementing Information Security Continuity |
5.29 – Information Security During Disruption for ISO 27002 |
None |
| 6.14.1.3 | Verify, Renew and Evaluate Information Security Continuity |
5.29 – Information Security During Disruption for ISO 27002 |
None |
| 6.14.2.1 | Availability of Information Processing Facilities |
8.14 – Redundancy of Information Processing Facilities for ISO 27002 |
None |
How ISMS.online Helps
Our ISMS.online solutions make it easy for organisations to achieve project oversight, ensuring that the data controller and processor policies and procedures are in line with the ISO standard.
Our online system also ensures that system implementers have a single place for reference and collaboration. Our Assured Results Method (ARM) enables you to be confident that you are ticking all the boxes you need to comply with the standard.
Find out more by booking a hands on demo.
Jump to topic
