The bus factor test checks whether critical knowledge or capabilities within an organization depend on a single person. The name provocatively asks: what happens if that person gets hit by a bus — i.e., becomes unavailable?
In an ISMS, the bus factor is relevant to ISO 27001 Annex A controls A.5.2 (Roles and Responsibilities), A.5.3 (Segregation of Duties), and the overarching aspect of availability (Clause 6.1.2). When only one person can administer certain systems, knows specific passwords, or can execute key processes, a significant availability risk arises. Countermeasures include knowledge distribution (documentation, cross-training), deputy arrangements, shared password managers, and break-glass procedures for emergency access.