ISO 27001 controls: What is Annex A:17?

Ensure your organisation's resilience with ISO 27001 Annex A:17, which focuses on business continuity and information security. Learn how to plan, implement, and verify controls to safeguard your operations during disruptions. Dive into expert insights from Citation Certification to fortify your information security management system.
ISO 27001:2013 provides a best-practice method for implementing an Information Security Management System (ISMS) to keep your organisation secure and protect customer data. As we move further into the 21st century, maintaining robust information security policies is essential to safeguarding your organisation and its stakeholders.

An ISO 27001 (ISMS) system includes policies, procedures, plans, processes, practices, roles, responsibilities, resources, and structures used to protect information security. The ISO 27001 standard encompasses all elements organisations use to manage and control information security risks. Implementing ISMS 27001 can help you win government tenders by showcasing your certification and information security.

Annex A:17 – Information Security Aspects of Business Continuity Management

Annex A:17 defines the information security aspects of business continuity management. This section focuses on how you can continue operating after a threat has been identified and eliminated; it covers the recovery and continuity phase, i.e. planning ahead to protect your business. Let’s explore this control in more depth.


Annex A:17.1 Information Security Continuity

The main objective of this clause is to ensure the continuity of information security within the organisation’s systems. It includes three main controls.


Annex A:17.1.1 – Planning Information Security Continuity:

Organisations must prepare a recovery plan so that disruptions are handled in a planned rather than ad hoc way. To achieve ISO 27001 certification, determine your requirements for information security, capture the security aspects of business continuity, and plan how information security will be protected.


Annex A:17.1.2 – Implementing Information Security Continuity:

Management needs to implement policies to maintain processes and procedures confidentially. Establish, document, implement, and maintain processes, procedures, and controls to ensure information security continuity during disruptions.


Annex A:17.1.3 – Verify, Review, and Evaluate Information Security Continuity:

Ensure the controls implemented for information security continuity are tested, reviewed, and evaluated. These policies and procedures are necessary when:

  • There are substantial threats to individuals’ safety or the institution’s fabric or reputation.
  • The incident is likely or has the potential to lead to the suspension of normal operations.

Control these threats by managing emergency access, changing passwords, testing systems, etc.


“It is far better to foresee without certainty than not to foresee at all”
– Henri Poincaré


Annex A:17.2 Redundancies

Network redundancy is introduced to improve reliability and ensure availability. The purpose of redundancy is to prevent system operation disruption in case of technical failure or disaster by maintaining service continuity. Ensuring data and internet connectivity redundancy is crucial to guarantee IT environment uptime.

Certification made simple

To ensure your organisation is prepared to handle disruptions, master ISO 27001 Annex A:17. Citation Certification provides expert guidance to help you implement these controls and achieve compliance. Contact us today to strengthen your information security management system.
