Implementing ISO 22301: The Business Continuity Management System Standard
Using ISO 27031 to Guide IT Disaster Recovery Alignment with ISO 22301
Many organizations struggle to define the best method to meet business expectations regarding information technology (IT) recovery. ISO 27031 provides guidance to business continuity and IT disaster recovery professionals on how to plan for IT continuity and recovery as part of a more comprehensive business continuity management system (BCMS). The standard helps IT personnel identify the requirements for Information and Communication Technology (ICT) and implement strategies to reduce the risk of disruption, as well as recognize, respond to and recover from a disruption to ICT.
ISO 27031 introduces a management systems approach to address ICT in support of a broader business continuity management system, as described in ISO 22301. ISO 27031 describes a management system for ICT readiness for business continuity (IRBC). An IRBC is a management system focused on IT disaster recovery. IRBC uses the same Plan-Do-Check-Act (PDCA) model as the business continuity management system described in ISO 22301. The objective of IRBC is to implement strategies that will reduce the risk of disruption to ICT services as well as respond to and recover from a disruption. Business continuity and IT professionals will find the use of the PDCA model very familiar but with necessary changes to support recoverability of ICT based on business requirements and expectations.
As a guidance standard, ISO 27031 does not offer certification the way ISO 22301 does, but its management system follows many of the same steps that experienced preparedness professionals are used to implementing in business continuity planning. The following diagram displays the IRBC management system detailed in ISO 27031.
IRBC Management Systems
ISO 27031 uses the same basic PDCA management system used in ISO 22301 but adapts it to fit the technical nature of IRBC. In addition to technical changes to PDCA, ISO 27031 also relies on the Business Impact Analysis (BIA) conclusions developed and approved as part of the broader BCMS for an organization. For IRBC, the PDCA management system is broken down the following way:
- Plan: the Plan phase creates and updates the governance structure for the overall IRBC management system. The key outputs of the Plan phase are an IRBC policy that adequately addresses continuity of information and communication technology and strategy options that the organization can deploy to meet business requirements.
- Do: the Do phase focuses on performing activities and implementing solutions that enable the organization to monitor for, respond to and recover from a disruption to ICT services. The key outputs for the Do phase are the implementation of strategies, generation of plans and execution of training and awareness activities to promote continuity for ICT services.
- Check: the Check phase includes the review and evaluation of the performance of the IRBC management system. The key outputs of the Check phase include continuous monitoring of information and communication technologies for disruptions and performance levels as well as periodic reviews of ICT responsiveness and recoverability.
- Act: the Act phase provides management with the opportunity to review the performance of the IRBC effort as well as direct the implementation of corrective actions which will enhance management system performance and/or reduce the risk of future disruptions to ICT services.
Let’s take a more in-depth look at each phase.
Many organizations may already perform some of the “Plan” components of ISO 27031 as part of their Information Technology Disaster Recovery (ITDR) programs. ISO 27031 treats ITDR as a component of the IRBC, but in practice very few differences exist. In the Plan phase, the organization implements a policy to govern processes and requirements for the IRBC. The policy establishes the governance structure for the IRBC management system. The IRBC uses inputs from the organization’s BIA to translate business requirements into performance requirements for ICT services. The Plan phase concludes with generating IRBC strategy options, which will be implemented in the Do phase.
IRBC strategy formulation essentially means the creation of IT service offerings that ICT staff will include in the service catalog or, more generically, as options for business consideration and selection. For example, an organization with a service catalog entry for a virtual server would add entries to address recoverability of a virtual server through a variety of means to address a range of recovery objectives. The organization may choose to provide two recovery strategies for recovery of a virtual machine with different recovery times to meet business requirements identified through the BIA. Those two recovery strategies are then incorporated into the organization’s service catalog either as separate entries or incorporated into existing service catalog entries.
In order to be effective, ISO 27031 states that the IRBC strategies described above need to incorporate six components into monitoring for, responding to and recovering from disruptions to information and communication technology. The six components are:
- Skill and Knowledge: Recovery strategies include consideration regarding the specialized technical skills and knowledge needed to operate ICT services before, during and after a disruption. Strategies that include skill and knowledge considerations focus on ensuring no single individual holds specialized skills or knowledge that would be needed to operate the organization’s ICT systems.
- Facilities: Recovery strategies include mitigating risk associated with operating ICT systems based in a single facility. Strategies that include facility considerations ensure ICT systems can be operated even if a primary facility is rendered inoperable.
- Technology: Recovery strategies include consideration of the technical requirements needed to meet the organization’s recovery requirements, specifically Recovery Time Objective (RTO) and Recovery Point Objective (RPO). Strategies that include technology considerations ensure hardware and applications can be recovered within the recovery time and data-loss tolerance required by the organization. These considerations must include support systems such as power, cooling, staffing, vendor support and WAN connectivity.
- Data: Recovery strategies include consideration of how to protect the data required by the organization. Strategies that include data considerations address the security, validity and availability of the data required by end users.
- Processes: Recovery strategies include consideration of how to sustain the processes necessary to monitor, operate and recover ICT systems in order to meet business requirements. Strategies that consider processes identify the ICT processes necessary prior to, during and after a disruption to ICT systems.
- Suppliers: Recovery strategies include consideration of how to inform and engage suppliers who are needed to recover and operate ICT systems. Strategies that include supplier considerations identify what suppliers are engaged in the operation and recovery of ICT systems before, during and after a disruption has occurred.
Each IRBC strategy option will consider the six components and often results in the creation of tiers that classify information and communication technology according to the organization’s needs. During the Do phase, ICT services will be assigned to a tier, which enables strategy selection. Once IT identifies the strategy options, the organization’s management should weigh the amount of risk reduced by each strategy against the cost of implementing it. Overall, the result of the Plan phase is a list of strategies to add or update in the service catalog, which allows the organization to select the appropriate level of recoverability.
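As an added illustration (not from ISO 27031 or this article), a constructed Python model of the Plan-phase output described above: BIA-derived RTO/RPO requirements are mapped to tiers, and for each ICT service the cheapest service catalog strategy that actually meets the requirement is selected, with a gap reported where no option does. The tier thresholds, the two virtual-server strategies, their achievable recovery figures and their costs are all hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Requirement:
    """Recovery requirement for one ICT service, as derived from the BIA (hours)."""
    service: str
    rto_hours: float
    rpo_hours: float

@dataclass(frozen=True)
class Strategy:
    """A service catalog recovery option and the recoverability it can actually deliver."""
    name: str
    achievable_rto_hours: float
    achievable_rpo_hours: float
    annual_cost: int

# Hypothetical tier scheme: (max RTO, max RPO) in hours for tiers 1..3; tier 1 is the most demanding.
TIERS = [(4, 1), (24, 8), (72, 24)]

# Constructed catalog: two recovery strategies for a virtual server with different recovery times.
CATALOG = [
    Strategy("VM restore from nightly backup", achievable_rto_hours=24, achievable_rpo_hours=24, annual_cost=500),
    Strategy("VM replication to alternate site", achievable_rto_hours=2, achievable_rpo_hours=0.25, annual_cost=4000),
]

def assign_tier(req: Requirement) -> int:
    """First tier whose RTO and RPO ceilings both accommodate the requirement."""
    for tier, (max_rto, max_rpo) in enumerate(TIERS, start=1):
        if req.rto_hours <= max_rto and req.rpo_hours <= max_rpo:
            return tier
    return len(TIERS) + 1  # below every defined tier: best effort

def select_strategy(req: Requirement, catalog: List[Strategy]) -> Optional[Strategy]:
    """Cheapest option that meets both RTO and RPO, or None when the catalog leaves a gap."""
    fit = [s for s in catalog
           if s.achievable_rto_hours <= req.rto_hours and s.achievable_rpo_hours <= req.rpo_hours]
    return min(fit, key=lambda s: s.annual_cost) if fit else None

def plan(requirements: List[Requirement], catalog: List[Strategy] = CATALOG) -> List[Tuple[str, int, Optional[str]]]:
    """Plan-phase output: (service, tier, selected strategy name or None for a gap) per service."""
    result = []
    for r in requirements:
        chosen = select_strategy(r, catalog)
        result.append((r.service, assign_tier(r), chosen.name if chosen else None))
    return result

# Constructed BIA output for three services; the ledger's zero-data-loss requirement has no catalog match.
REQUIREMENTS = [
    Requirement("order entry", rto_hours=4, rpo_hours=1),
    Requirement("intranet wiki", rto_hours=48, rpo_hours=24),
    Requirement("payments ledger", rto_hours=1, rpo_hours=0),
]

if __name__ == "__main__":
    for service, tier, strategy in plan(REQUIREMENTS):
        print(f"{service}: tier {tier}, strategy: {strategy or 'GAP - no catalog option meets requirement'}")
```

A reported gap is exactly the mismatch the article warns about: a business expectation that the current catalog cannot deliver, which either needs a new strategy option or a revisited requirement.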
The Do phase of the IRBC management system includes implementing the strategies identified in the Plan phase, writing recovery plans for ICT services and executing training and awareness activities to ensure personnel involved in the IRBC program are qualified and informed. The IRBC program implements the appropriate strategies identified in the Plan phase to improve ICT readiness for in-scope information and communication technology services.
Strategies that reduce the risk of a disruption will not fully eliminate the possibility of a disruption to information and communication technology. IT staff implement strategies and draft plans to overcome residual risk when disruptive incidents become reality. Response and recovery plan documentation is required to ensure personnel understand the activities necessary to meet business expectations. ISO 27031 includes many of the same considerations that are used in ISO 22301, including plan purpose and scope, defined roles and responsibilities, alternate personnel, plan invocation criteria, and contact information.
The final part of the Do phase is conducting training and awareness activities to ensure the personnel involved with the IRBC management system (including those with roles in response and recovery plans) are aware of their responsibilities before, during and after a disruption.
The Check phase of the IRBC management system includes the typical activities associated with a BCMS Check phase, including management review and testing and exercising. The Check phase also adds continuous activities that monitor for a disruption to ICT services and measure ICT readiness-related performance.
The Act phase incorporates management review of the IRBC program, including program performance, ICT readiness performance and resource allocation. In addition to management review, the IRBC program implements corrective actions that were identified during other phases of the management system. The goal of the corrective actions is to ingrain a culture of continuous improvement in the organization and engage management with the prioritization of continual improvement.
So what if the organization doesn’t have a BCM program in place already?
Often IT professionals are asked to implement mitigation, response and recovery measures in advance of a broader BCM program. In these instances, the organization hasn’t conducted a holistic business impact analysis to identify the business requirements for applications and hardware. Some IT organizations will use intuition and past experience to establish ICT response and recovery requirements, such as RTO and RPO. However, using intuition and past experience will often lead to gaps between business expectations for recovery of information and communication technology and actual recoverability. An easy way to develop recovery requirements for ICT services is to conduct a narrower application impact analysis (AIA) that concentrates on the uses of ICT services and measures the impact to the organization of a disruption to one service or a group of related services.
An effective AIA will identify:
- The stakeholders (including users) of information and communication technology;
- The impact (quantitative and qualitative) of a disruption to ICT over time; and
- Manual work-arounds which users can implement during a disruption.
The IRBC program detailed in ISO 27031 assists IT and business continuity professionals, together with their program sponsors, in maintaining effective ICT resiliency. By implementing an IRBC management system, IT and business continuity professionals help their organization to monitor for, respond to and recover from a disruption to ICT. ISO 27031 applies and adapts the BCM concepts described in ISO 22301 to assist with reducing the risk of disruptions to information and communication technologies, as well as to the business as a whole.