Security category – 17.1. Information security continuity
17.1.1. Planning information security continuity.
Having comprehensive business continuity and disaster recovery plans can be vital for an organization’s survival should a disaster occur. Security is still important during a crisis, if not more so, and should be included in any such plans. If there are no such plans, then the organization should strive to maintain security at its normal level during a disaster. If possible, Business Impact Analyses should be carried out to investigate the security needs during different disasters.
17.1.2. Implementing information security continuity.
Ensuring that the security controls in any plans are carried out in a disaster is just as important as having the plans themselves. There should be documented processes and procedures in place and easily accessible to staff during such a situation. These documents should be available in both electronic and paper format, with copies stored in geographically separate locations. This should allow us to maintain a command structure that includes security responsibilities and keeps staff accountable and aware that security is still necessary. In some types of disasters our primary security controls may fail; in this case we should have separate, mitigating controls ready to be implemented.
17.1.3. Verify, review and evaluate information security continuity
This helps us ensure our plans are effective and will work
as intended. In practice, it is carried out through table-top exercises,
structured walkthroughs, simulation tests, parallel tests, and full
The plan should be updated to reflect changes in the organization and frequently
tested to ensure that it works as envisioned and that everyone involved is trained
to know what to do when a disaster strikes.
Security category – 17.2. Redundancies
17.2.1. Availability of information processing facilities.
A key tenet of security is ensuring availability, and this
can be better enforced by using redundancy. This simply means having multiple
redundant components so that if one fails, operations fail over to the
remaining, working components. This can be expensive, so which applications are
in scope for this redundancy should be in line with the business needs.