Checklist of ISO/IEC 27001-A.17.1.3 Verify, review and evaluate information security continuity


Business continuity is a crucial aspect of information security management. 

It ensures that an organization can maintain critical business functions and recover from disruptions in case of unforeseen events such as natural disasters, cyber-attacks, or any other incidents that can disrupt normal business operations. 

ISO 27001 A.17.1.3 provides guidelines for verifying, reviewing, and evaluating information security continuity measures. 

This article will discuss the importance of verifying, reviewing, and evaluating information security continuity measures and provide a checklist to ensure that organizations meet the requirements.

Sample Checklist:

  • Verify that business continuity policies and procedures are in place, including testing methods and frequency, along with evidence of actual testing and its results.
  • Check if the business continuity plan (BCP) includes a comprehensive approach for identifying and responding to risks and threats.
  • Review the BCP to ensure that it aligns with the organization’s information security objectives.
  • Verify that business continuity measures have been reviewed during business continuity (BC) and disaster recovery (DR) execution, and that any shortcomings have been identified and remediated.
  • Ensure that the BCP is regularly reviewed and updated to incorporate changes in the organization’s operations or environment.
  • Check if the testing methods used are sufficient to validate the effectiveness of the BCP.
  • Verify that the testing frequency of the BCP is adequate to maintain its effectiveness.
  • Ensure that the testing results are documented and reviewed to identify areas that need improvement.
  • Verify that the BCP is reviewed and evaluated after an incident to identify opportunities for improvement.


ISO 27001 A.17.1.3 emphasizes the importance of verifying, reviewing, and evaluating information security continuity measures to ensure that they remain effective in case of a disruption. 

By following the checklist above, organizations can ensure that their business continuity plans are up-to-date, tested, and effective in responding to potential disruptions. 

By maintaining an effective BCP, organizations can minimize the impact of disruptions and resume normal business operations in a timely and efficient manner.
