ISO 27701, Clause 6.14 – Information Security Aspects of Business Continuity Management

ISO 27701 Controls and Clauses Explained

Book a demo

young,female,entrepreneur,freelancer,working,using,a,laptop,in,coworking

Continuity planning, in a nutshell, means ensuring that an organisation is able to carry on doing business when problems arise and privacy information – or entire information processing facilities – becomes compromised or unavailable.

Business continuity is closely linked to backup and disaster recovery (BUDR) – a technical ICT concept that encompasses redundancy layers, backups, asset duplication and alerting.

What’s Covered in ISO 27701 Clause 6.14

ISO 27701 focuses on two key areas of continuity management, privacy information security and redundancy, across 4 sub-clauses:

  • ISO 27701 6.14.1.1 – Planning information security continuity (ISO 27002 Control 5.29)
  • ISO 27701 6.14.1.2 – Implementing information security continuity (ISO 27002 Control 5.29)
  • ISO 27701 6.14.1.3 – Verify, renew and evaluate information security continuity (ISO 27002 Control 5.29)
  • ISO 27701 6.14.2.1 – Availability of information processing facilities (ISO 27002 Control 8.14)

Each sub-clause contains guidance information from ISO 27002, applied within the context of privacy information security.

Simple. Secure. Sustainable.

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo
img

ISO 27701 Clause 6.14.1.1 – Planning Information Security Continuity

References ISO 27002 Control 5.29

Organisations should consider privacy information security as an integral part of broader business continuity management procedure.

ISO asks organisation to focus on two key areas when formulating business continuity plans:

  1. Loss of confidentiality
  2. The integrity of information

Privacy information security integrity should be maintained at all times. Should PII or privacy-related assets become compromised in any way, organisations should do as much as they can to restore them in a timely and efficient manner, and to the same pre-disruption levels.

Organisations should:

  • Operate with generalised privacy information security controls that work in harmony with business continuity plans.
  • Adhere to processes that maintain privacy information security controls throughout periods of disruption or loss of business.

If it’s not possible to sustain privacy information security controls at any given time (especially during periods of disruption), organisations should enact ‘compensating’ controls that strive to achieve as high a level of information security as is possible.

ISO 27701 Clause 6.14.1.2 – Implementing Information Security Continuity

References ISO 27002 Control 5.29

See ISO 27701 Clause 6.14.1.1

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

Trusted by companies everywhere
  • Simple and easy to use
  • Designed for ISO 27001 success
  • Saves you time and money
Book your demo
img

ISO 27701 Clause 6.14.1.3 – Verify, Renew and Evaluate Information Security

References ISO 27002 Control 5.29

See ISO 27701 Clause 6.14.1.1

ISO 27701 Clause 6.14.2.1 – Availability of Information Processing Facilities

References ISO 27002 Control 8.14

Organisations should strive to ensure that business services and privacy information systems are operable at all times.

ISO recommends duplication as a redundancy mechanism – organisations should keep an inventory of spare parts, duplicate hardware and software components, spare network devices and peripherals that are able to be swapped out for malfunctioning assets across the network.

Alerts should be setup to first identify failed privacy information processing facilities, and for alternate systems to be brought as quickly as possible.

Organisations should:

  • Ensure an ongoing relationship with two separate service providers, reducing the risk of downtime.
  • Consider redundancy measures when designing and implementing networks, such as multiple domain controllers and BUDR plans.
  • Use geographically separate locations for backups and associated data services.
  • Utilise well-known industry techniques such as load balancing and automatic failover between two identical redundant software components or systems.
  • Regularly test redundancy measures to ensure they’re able to meet business requirements when called upon.
  • Operate with duplicate storage components (RAID arrays, CPUs), and network devices with congruous firmware versions.

Supporting Controls From ISO 27002 and GDPR

ISO 27701 Clause IdentifierISO 27701 Clause NameISO 27002 ControlAssociated GDPR Articles
6.14.1.1Planning Information Security Continuity5.29 – Information Security During Disruption for ISO 27002None
6.14.1.2Implementing Information Security Continuity5.29 – Information Security During Disruption for ISO 27002None
6.14.1.3Verify, Renew and Evaluate Information Security Continuity5.29 – Information Security During Disruption for ISO 27002None
6.14.2.1Availability of Information Processing Facilities8.14 – Redundancy of Information Processing Facilities for ISO 27002None

How ISMS.online Helps

Our ISMS.online solutions make it easy for organisations to achieve project oversight, ensuring that the data controller and processor policies and procedures are in line with the ISO standard.

Our online system also ensures that system implementers have a single place for reference and collaboration. Our Assured Results Method (ARM) enables you to be confident that you are ticking all the boxes you need to comply with the standard.

Find out more by booking a hands on demo.

See how we can help you

Book a tailored hands-on session
based on your needs and goals
Book your demo

Unsure whether to build or buy?

Discover the best way to achieve ISMS success

Get your free guide

Streamline your workflow with our new Jira integration! Learn more here.