The optimal way to achieve business objectives for information technology (IT) recovery is difficult to define for many firms. Business continuity and IT disaster recovery specialists can use ISO 27031 as guidance on how to plan for IT continuity and recovery as part of a more thorough business continuity management system (BCMS). The standard aids IT employees in determining the needs for Information and Communication Technology (ICT), putting measures into place to lessen disruption risk, and identifying, responding to, and recovering from an ICT disruption.
ISO 27031 proposes a management systems approach for handling ICT in support of the more comprehensive business continuity management system described in ISO 22301. ISO 27031 describes a management system for ICT readiness for business continuity (IRBC); in other words, an IRBC is a management system devoted to IT disaster recovery. IRBC uses the same Plan-Do-Check-Act (PDCA) model as the ISO 22301 business continuity management system. The goal of IRBC is to put procedures in place that reduce the likelihood of an interruption to ICT services and that respond to and recover from one when it occurs. IT and business continuity specialists will find the application of the PDCA model quite familiar, with the modifications needed to make ICT recoverable according to business needs and expectations.
Because ISO 27031 is a guideline standard, organizations cannot be certified against it as they can against ISO 22301, but its management system follows many of the same procedures that seasoned preparedness specialists are accustomed to carrying out in business continuity planning. The IRBC management system is depicted in the following figure, according to ISO 27031.
Figure: IRBC Management System
The PDCA management system is the same as in ISO 22301, but ISO 27031 modifies it to match the technological requirements of IRBC. In addition to the technical modifications to PDCA, ISO 27031 relies on the Business Impact Analysis (BIA) findings created and accepted as part of the organization's larger BCMS. The PDCA management system for IRBC is organized as follows:
Plan: The Plan phase establishes and maintains the IRBC management system’s general governance structure. An IRBC policy that effectively addresses continuity of information and communication technology as well as strategy choices that the company may use to satisfy business objectives are the main outcomes of the plan phase.
Do: Activities and solutions that help the company monitor for, respond to, and recover from an interruption of ICT services are the emphasis of the Do phase. Implementing strategies, creating plans, and carrying out training and awareness campaigns to encourage continuity for ICT services are the main outcomes for the Do phase.
Check: The examination and assessment of the IRBC management system’s effectiveness are part of the Check phase. The major outputs of the Check phase include regular inspections of ICT responsiveness and recoverability as well as ongoing monitoring of information and communication technologies for outages and performance levels.
Act: During the Act phase, management has the chance to assess the success of the IRBC effort and guide the execution of remedial measures that will improve management system performance and/or lower the likelihood of recurring ICT service interruptions.
Let’s examine each stage in further detail.
PLAN Many firms may already carry out some of the "Plan" elements of ISO 27031 as part of their information technology disaster recovery (ITDR) strategies. ISO 27031 regards ITDR as a part of the IRBC, and in practice there are very few distinctions between the two. During the Plan phase, the organization puts a policy in place to control the IRBC's procedures and requirements; this policy establishes the governance framework for the IRBC management system. Using inputs from the organization's BIA, the IRBC converts business needs into performance criteria for ICT services. The Plan phase ends with the generation of IRBC strategy alternatives, which are put into practice in the Do phase.
The establishment of IT service offers for ICT workers to put in the service catalog or, more generally, as choices for business consideration and selection is the essence of IRBC strategy design. For instance, a company that already has a service catalog entry for a virtual server may add entries to address the recoverability of a virtual server using a number of different techniques to fulfill various recovery goals. To satisfy the business needs determined by the BIA, the company may decide to offer two recovery methodologies for recovering a virtual machine with varied recovery periods. Then, either as new entries or as modifications to already existing service catalog entries, those two recovery techniques are added to the organization’s service catalog.
The requirements of ISO 27031 stipulate that the IRBC strategies described above need to incorporate six components into monitoring for, responding to and recovering from disruptions to information and communication technology. The six components are:
1 Knowledge and skill: Recovery solutions take into account the particular technical know-how required to run ICT services before, during, and after an interruption. Strategies that address skill and knowledge concerns ensure that the organization does not depend on a single person for the specific knowledge or skills required to run its ICT systems.
2 Facilities: Recovery plans reduce the risk of running ICT systems that are situated in a single facility. Strategies that address facility issues allow ICT systems to remain usable even if a key facility is rendered unusable.
3 Technology: When developing recovery plans, organizations should take into account the technological requirements, particularly the Recovery Time Objective (RTO) and Recovery Point Objective (RPO), that are necessary to satisfy their recovery needs. Technology-related strategies include making sure that hardware, application, and data recovery can be completed in the time frame the business requires. Supporting systems, including electricity, cooling, manpower, vendor support, and WAN connectivity, must also be taken into account.
4 Data: Recovery plans take into account how to safeguard the data the firm needs. Data-related strategies cover the security, accuracy, and availability of the data required by end users.
5 Processes: Recovery plans take into account how to maintain the procedures required to monitor, operate, and restore ICT systems in order to satisfy business needs. Process-based strategies identify the ICT procedures required before, during, and after an interruption to ICT systems.
6 Suppliers: Recovery strategies take into account the best ways to involve and inform the suppliers who are required to restore and run ICT systems. Strategies that address supplier considerations identify the suppliers involved in the operation and recovery of ICT systems before, during, and after a disruption.
Each IRBC strategy option takes the six factors into account, and the options are frequently grouped into tiers that categorize ICT services according to the demands of the business. ICT services are assigned a tier during the Do phase, which drives strategy selection. Once IT has identified the available solutions, the organization's management should weigh the risk that each approach reduces against its cost of implementation. The overall output of the Plan phase is the list of strategies to add to or change in the service catalog, which enables the business to choose the proper level of recoverability.
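The selection step described above, as an added illustration that is not part of ISO 27031 or of any vendor tool: a constructed service catalog of three recovery tiers for a virtual server, each with the RTO and RPO it can actually deliver and a constructed annual cost, and a function that picks the cheapest tier meeting each service's BIA-derived RTO/RPO, flagging services whose business expectation no catalog entry can satisfy. All service names, tiers, hours and costs are made up for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class RecoveryStrategy:
    """A recoverability option offered in the IT service catalog (constructed)."""
    name: str
    rto_hours: float      # worst-case restore time the strategy can deliver
    rpo_hours: float      # worst-case data-loss window the strategy can deliver
    annual_cost: int      # constructed figure, used only to rank fitting options

@dataclass(frozen=True)
class ServiceRequirement:
    """RTO/RPO a service needs, as derived from the BIA (or an AIA)."""
    service: str
    rto_hours: float
    rpo_hours: float

# Constructed catalog: three tiers for recovering a virtual server.
CATALOG = (
    RecoveryStrategy("tier-1: synchronous replication to second facility", 1, 0, 120_000),
    RecoveryStrategy("tier-2: asynchronous replication, warm standby", 4, 1, 45_000),
    RecoveryStrategy("tier-3: nightly backup, rebuild on demand", 48, 24, 8_000),
)

def select_strategy(req: ServiceRequirement, catalog=CATALOG) -> Optional[RecoveryStrategy]:
    """Cheapest catalog entry whose RTO and RPO both meet the requirement, or None."""
    fits = [s for s in catalog
            if s.rto_hours <= req.rto_hours and s.rpo_hours <= req.rpo_hours]
    return min(fits, key=lambda s: s.annual_cost) if fits else None

def assign_tiers(requirements, catalog=CATALOG) -> dict:
    """Map each service to a strategy name; None marks a gap the catalog cannot cover."""
    assignment = {}
    for req in requirements:
        chosen = select_strategy(req, catalog)
        assignment[req.service] = chosen.name if chosen else None
    return assignment

def gaps(assignment: dict) -> list:
    """Services whose business expectation exceeds what the catalog can deliver."""
    return sorted(svc for svc, strategy in assignment.items() if strategy is None)

# Constructed BIA output for three services.
REQUIREMENTS = (
    ServiceRequirement("payroll", rto_hours=4, rpo_hours=1),
    ServiceRequirement("order-entry", rto_hours=0.5, rpo_hours=0),
    ServiceRequirement("intranet-wiki", rto_hours=72, rpo_hours=24),
)

if __name__ == "__main__":
    result = assign_tiers(REQUIREMENTS)
    for svc, strategy in result.items():
        print(f"{svc:14} -> {strategy or 'GAP: no catalog entry meets RTO/RPO'}")
```

A service that lands in the gap list is exactly the expectation-versus-capability mismatch the article warns about, and is the trigger for either adding a new catalog entry or renegotiating the requirement with the business.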
DO The Do phase of the IRBC management system includes implementing the strategies determined in the Plan phase, creating recovery plans for ICT services, and executing training and awareness activities to ensure that personnel involved in the IRBC program are qualified and informed. The IRBC program implements the strategies selected in the Plan phase to improve ICT readiness for in-scope ICT services.
ICT disruptions remain possible even after risk-reduction measures are applied. To address this residual risk, IT staff create response and recovery plans and execute them when a disruptive event occurs. Documenting the response and recovery plan is important so that employees know the steps needed to achieve company objectives. ISO 27031 uses many of the same plan elements as ISO 22301, such as the goal and scope of the plan, the stated roles and duties, backup staff, the plan invocation criteria, and contact details.
The final step of the Do phase is conducting training and awareness efforts to make sure the staff engaged with the IRBC management system (including those with roles in response and recovery plans) are aware of their obligations before, during, and after a disruption.
CHECK The IRBC management system’s Check phase contains the usual BCM system Check phase operations, such as management review, testing, and exercising. The Check phase also includes ongoing tasks that track for ICT service interruptions and assess performance in terms of readiness.
ACT The Act phase includes a management assessment of the IRBC program, which covers resource allocation, program performance, and ICT readiness performance. The IRBC program performs corrective measures that were found during other phases of the management system in addition to management review. The purpose of the corrective actions is to establish a continuous improvement culture inside the company and to get management to prioritize continuous improvement.
What if the company doesn't already have a BCM program in place? IT staff are frequently asked to establish mitigation, response, and recovery strategies ahead of a larger BCM program. In these situations, the company has not carried out a comprehensive business impact analysis to determine the needs of its applications and hardware. Some IT organizations will define ICT response and recovery needs, such as RTO and RPO, based on intuition and prior experience. However, relying solely on intuition and prior knowledge frequently results in discrepancies between what the business expects to be recoverable and what is actually possible. As a way to quickly define recovery needs for ICT services, consider undertaking a more focused application impact analysis (AIA), which concentrates on the applications delivered by ICT services and measures the impact to the organization of a disruption to one service or a group of related services.
An efficient AIA will note:
the users of the ICT services, and other parties that depend on them;
the long-term effects of an interruption to ICT, both quantitative and qualitative; and
the manual workarounds users can employ to get past an interruption.
The IRBC program described in ISO 27031 enables IT and business continuity specialists to maintain appropriate ICT resilience in conjunction with their program sponsors. IT and business continuity specialists assist their organization in monitoring for, responding to, and recovering from an interruption in ICT by putting in place an IRBC management system. To help lower the risk of disruptions to information and communication technology as well as to the business overall, ISO 27031 utilizes and modifies the BCM ideas outlined in ISO 22301.