Annex A.5.30: ICT readiness for business continuity
The new 27001:2022 control that tripped half the certified companies. What it really takes to clear it.
TL;DR
A.5.30 is the new ISO 27001:2022 control that tripped half the certified organisations. It demands planning, implementing and verifying the ICT capability to sustain business continuity after an interruption. Three mandatory pieces of evidence: DR plan, drill, drill report.
What A.5.30 says exactly
"ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements."
In practice: your DR plan must exist, cover critical systems, be tested and the tests must be documented.
The three pieces of evidence auditors want
1. Written DR plan
Document approved by management with:
- RTO/RPO objectives per process;
- list of protected systems;
- failover runbooks;
- roles and responsibilities.
2. Executed drill
Report of the last drill (no older than 12 months) with:
- date and duration;
- tested scenario;
- measured times;
- issues found;
- corrective actions.
3. Plan update
Evidence that the plan has been updated within the last 12 months (review, changes for new systems, change log).
Most common mistakes
- generic DR plan copied from a template without adaptation;
- "tabletop" drill not considered enough by strict auditors;
- missing mapping between business processes and ICT systems;
- runbooks referring to decommissioned systems.
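A pre-audit self-check that covers the three pieces of evidence above and the mistakes just listed, as an added example that is not part of the original article and not Sefthy's code. The DR plan, system inventory and drill report are constructed sample data, and their field names (rto_minutes, rpo_minutes, last_reviewed, measured, runbooks) are assumptions chosen for the example; the checks themselves are the ones the text names: management approval, plan review and drill within 12 months, measured RTO/RPO against the per-process targets, process-to-system mapping, and runbooks that still point at systems in the current inventory.

```python
"""Pre-audit self-check for an A.5.30 evidence set (constructed sample data)."""
from datetime import date

MAX_EVIDENCE_AGE_DAYS = 365  # "within the last 12 months" for both drill and plan review

# Constructed DR plan: RTO/RPO targets per business process and the runbooks it references.
DR_PLAN = {
    "approved_by_management": True,
    "last_reviewed": date(2024, 3, 1),
    "processes": {
        "order-intake": {"rto_minutes": 60, "rpo_minutes": 15, "systems": ["erp-db", "erp-app"]},
        "payroll": {"rto_minutes": 480, "rpo_minutes": 60, "systems": ["hr-db"]},
        "e-commerce": {"rto_minutes": 30, "rpo_minutes": 5, "systems": []},  # no mapping: finding
    },
    "runbooks": {
        "erp-db": "runbooks/erp-db-failover.md",
        "erp-app": "runbooks/erp-app-failover.md",
        "hr-db": "runbooks/hr-db-failover.md",
        "legacy-crm": "runbooks/legacy-crm-failover.md",  # decommissioned system: finding
    },
}

# Constructed current inventory; legacy-crm was decommissioned and is no longer listed.
INVENTORY = {"erp-db", "erp-app", "hr-db", "web-front"}

# Constructed report of the last drill, with measured times per process.
DRILL_REPORT = {
    "date": date(2024, 5, 10),
    "duration_minutes": 150,
    "scenario": "loss of primary site",
    "measured": {
        "order-intake": {"rto_minutes": 45, "rpo_minutes": 10},
        "payroll": {"rto_minutes": 600, "rpo_minutes": 30},  # RTO target missed: finding
    },
    "issues": ["DNS cutover done manually"],
    "corrective_actions": ["automate DNS cutover"],
}

# Date the self-check is run (constructed, so the sample is reproducible).
SAMPLE_TODAY = date(2024, 9, 1)

REQUIRED_DRILL_FIELDS = ("date", "duration_minutes", "scenario", "measured", "issues", "corrective_actions")


def check_evidence(plan, inventory, drill, today):
    """Return a list of findings; an empty list means the evidence set is complete."""
    findings = []
    if not plan.get("approved_by_management"):
        findings.append("plan: not approved by management")
    if (today - plan["last_reviewed"]).days > MAX_EVIDENCE_AGE_DAYS:
        findings.append("plan: last review older than 12 months")
    if (today - drill["date"]).days > MAX_EVIDENCE_AGE_DAYS:
        findings.append("drill: last drill older than 12 months")
    for field in REQUIRED_DRILL_FIELDS:
        if field not in drill:
            findings.append(f"drill: missing field {field}")
    for name, proc in plan["processes"].items():
        # Mapping between business process and ICT systems must exist, each with a runbook.
        if not proc["systems"]:
            findings.append(f"{name}: no ICT systems mapped")
        for system in proc["systems"]:
            if system not in plan["runbooks"]:
                findings.append(f"{name}: system {system} has no runbook")
        # Measured times from the drill are compared against the plan's targets.
        measured = drill["measured"].get(name)
        if measured is None:
            findings.append(f"{name}: not covered by last drill")
            continue
        for metric in ("rto_minutes", "rpo_minutes"):
            if measured[metric] > proc[metric]:
                findings.append(f"{name}: measured {metric} {measured[metric]} exceeds target {proc[metric]}")
    # Runbooks must refer only to systems that still exist in the inventory.
    for system in plan["runbooks"]:
        if system not in inventory:
            findings.append(f"runbook for {system} refers to a system not in the current inventory")
    return findings


def run_sample():
    """Run the self-check over the constructed sample data."""
    return check_evidence(DR_PLAN, INVENTORY, DRILL_REPORT, SAMPLE_TODAY)


if __name__ == "__main__":
    for finding in run_sample():
        print("FINDING:", finding)
```

Running it on the sample data yields four findings: the payroll RTO miss, the unmapped and untested e-commerce process, and the runbook for the decommissioned system. Rerunning a year later, with no new drill or review, additionally flags both pieces of evidence as older than 12 months, which is the point of keeping the check in a scheduled job rather than running it only before the audit.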
How to get there with little effort
Starting from near zero:
- Weeks 1-2: lightweight BIA, identify critical systems, target RTO/RPO.
- Weeks 3-4: draft DR plan.
- Weeks 5-8: deploy DR solution, runbooks.
- Week 9: first documented partial drill.
Eight weeks of work usually suffice.
Sefthy and A.5.30
Sefthy provides the artifacts A.5.30 demands:
- DR plan template generated by the console;
- per-customer custom runbook;
- quarterly drill with exportable report;
- change log.
FAQ
Is a tabletop drill enough?
For ISO 27001 yes, if documented. For NIS2 a real drill at least annually is recommended.
Can I skip A.5.30 declaring "not applicable"?
Only for organisations that do not run critical ICT systems. Practically never.
See the pillar guide, ISO 27001:2022 and business continuity, and the Business continuity policy template.
Want to see Sefthy in action?
Same IP, same subnet, RTO in minutes. Try it free for 7 days or talk to one of our specialists.