
    Understanding IT disaster recovery according to ISO 27031

    The objective of Section A.17.1 of Annex A of ISO 27001 is that an organization embeds information security continuity in its business continuity management systems. To support that, this section provides controls related to business continuity procedures (BCPs), recovery plans, and redundancies.

    However, like all management system standards, ISO 27001 describes only what must be accomplished, not how to do it. ISO 27002, the collection of best practices that supports ISO 27001, does not help much either.

    Fortunately, the ISO 27k series has additional standards that target specific areas, and one of them is ISO 27031, which covers Information and Communication Technology (ICT) Readiness for Business Continuity (IRBC), and guides us on what to consider when developing business continuity for ICT – usually this is called “disaster recovery.”

    ISO 27031 – prepare your ICT for recovery

    Because over the years more and more activities have become dependent upon information and communication technologies (ICT), and ICT failures are becoming more critical, it is natural to expect the spread of literature dealing specifically with this issue.

    In this context, the ISO 27031 standard describes how to use the PDCA (Plan-Do-Check-Act) cycle to put in place a systematic process to prevent, predict, and manage ICT disruption incidents that have the potential to disrupt ICT services. By doing so, this standard helps to support both Business Continuity Management (BCM) and Information Security Management (ISM). By its nature, ISO 27031 is a perfect standard for addressing control A.17.2.1 of ISO 27001 (Availability of information processing facilities).

    It is true that the term disaster recovery is not an official ISO term, and consequently, its meaning is not universally accepted. However, most IT professionals identify this term with the ability to recover the IT infrastructure in case of a disruption. Therefore, ISO 27031 is the best fit amongst the ISO standards for exactly this purpose. (See also: Disaster recovery vs. Business continuity.)

    Differences between ISO 27031 and ISO 22301

    ISO 22301 covers the continuity of business as a whole, considering any type of incident as a potential disruption source (e.g., pandemic disease, economic crisis, natural disaster, etc.), and using plans, policies, and procedures to prevent, react, and recover from disruptions caused by them. These plans, policies, and procedures can be classified as two main types: those to continue operations if the business is affected by a disruption event, and those to recover the information and communication infrastructure if the ICT is disrupted.

    Therefore, you can think of ISO 27031 as a tool to implement the technical part of ISO 22301, providing detailed guidance on how to deal with the continuity of ICT elements to ensure that the organization’s processes will deliver the expected results to its clients.

    Elements for developing business continuity for ICT

    ISO 27031 recommends six main categories for consideration while thinking about business continuity involving ICT:

    1. Key competencies and knowledge: What information is necessary to run critical ICT services, and who possesses it? How can this information be incorporated into organizational knowledge and made easily available? How can your organization make it available in case of a disaster?
    2. Facilities: What conditions should installations and infrastructure meet to minimize disruption risks or recovery time? Where should such facilities be located?
    3. Technology: Which technologies are most important to the organization’s business? What are their recovery requirements, e.g., RTO (Recovery Time Objective), RPO (Recovery Point Objective), dependency on other technologies, etc.?
    4. Data: Which data are required to restore business activities, and within what amount of time (remember that the RTO and RPO for ICT services are different from the RTO and RPO for data)? Which security controls (e.g., access control) must be in place at all times to secure the data?
    5. Processes: At this point, you have to consider which processes you have in place to deal with an incident or disaster, and which processes are needed to make the elements from categories 1 to 4 (competencies and knowledge, facilities, technology, and data) work together to deliver the business services needed (e.g., communications, applications, user access, etc.).
    6. Suppliers: Which suppliers and supplies (e.g., software copies and hardware spare parts) are critical to ICT continuity, and how can your suppliers ensure they can support your organization’s business continuity requirements?
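Items 3 and 4 above make two points that are easy to get wrong in a recovery plan: a service's achievable RTO is bounded by the recovery of everything it depends on, and the RPO of its data is a separate objective from the RTO of the service. The following added example (not from ISO 27031 or from the author) models a small, constructed ICT inventory, derives the recovery order from the dependencies, and checks each service's achievable RTO and worst-case data loss against its stated objectives; the service names, times and the `IctService` fields are assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class IctService:
    name: str
    rto_target_min: int       # RTO objective agreed for the service
    restore_time_min: int     # time to restore it once its dependencies are back
    rpo_target_min: int       # RPO objective for the service's data
    backup_interval_min: int  # backup frequency = worst-case data loss
    depends_on: list[str] = field(default_factory=list)

def recovery_order(services: dict[str, IctService]) -> list[str]:
    """Topological order: dependencies are recovered before the services that need them."""
    order, state = [], {}  # state: 1 = in progress, 2 = done
    def visit(name: str) -> None:
        if state.get(name) == 2:
            return
        if state.get(name) == 1:
            raise ValueError(f"dependency cycle at {name}")
        state[name] = 1
        for dep in services[name].depends_on:
            visit(dep)
        state[name] = 2
        order.append(name)
    for name in services:
        visit(name)
    return order

def achievable_rto(services: dict[str, IctService], name: str) -> int:
    """A service is usable only after its slowest dependency chain is restored."""
    svc = services[name]
    slowest_dep = max((achievable_rto(services, d) for d in svc.depends_on), default=0)
    return slowest_dep + svc.restore_time_min

def check_objectives(services: dict[str, IctService]) -> dict[str, dict]:
    """Compare achievable RTO with its target, and worst-case data loss with the RPO."""
    report = {}
    for name in recovery_order(services):
        svc, rto = services[name], achievable_rto(services, name)
        report[name] = {"rto_achievable": rto, "rto_ok": rto <= svc.rto_target_min,
                        "rpo_worst_case": svc.backup_interval_min,
                        "rpo_ok": svc.backup_interval_min <= svc.rpo_target_min}
    return report

SAMPLE = {s.name: s for s in [  # constructed inventory; names and numbers are illustrative only
    IctService("network", 30, 20, 1440, 1440),
    IctService("auth", 60, 30, 60, 60, ["network"]),
    IctService("database", 120, 60, 15, 60, ["network"]),
    IctService("erp", 90, 30, 15, 60, ["auth", "database"]),
]}
```

In the sample, `erp` restores in 30 minutes on its own but cannot meet its 90-minute RTO because the database chain takes 80 minutes first, and an hourly backup cannot satisfy a 15-minute RPO, which is exactly the kind of gap this analysis is meant to surface before a disruption does.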

    Improving business through ICT resilience

    Business continuity and disaster recovery are more essential than ever to any organization, and companies are responding to this necessity by adopting management good practices like ISO 27001 and ISO 22301. However, these standards only tell you what to do (e.g., identify risks, plan your recovery, etc.) – not how to do it. This is where ISO 27031 is the most useful: it provides the industry best practice and the know-how to IT professionals in a concise way.

    Click here to see a free preview of the Disaster Recovery Plan to learn how to structure such a document.

    Dejan Kosutic
    Dejan holds a number of certifications, including Certified Management Consultant, ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, and Associate Business Continuity Professional. Dejan leads our team in managing several websites that specialize in supporting ISO and IT professionals in their understanding and successful implementation of top international standards. Dejan earned his MBA from Henley Management College, and has extensive experience in investment, insurance, and banking. He is renowned for his expertise in international standards for business continuity and information security – ISO 22301 & ISO 27001 – and for authoring several related web tutorials, documentation toolkits, and books.