Understanding IT disaster recovery according to ISO 27031

Last updated on March 11, 2022.

Disaster recovery is the ability of an organization to respond to and recover from an event that negatively impacts its operations. Disaster recovery methods enable an organization to quickly regain access to critical systems and infrastructure after a disaster. An organization prepares for this by performing an in-depth analysis of its systems and creating a formal document to follow in times of crisis. This document is known as an IT disaster recovery plan. In this article, learn more about how to create both the plan and the IT disaster recovery solutions.

Understanding IT disaster recovery: Elements for developing business continuity for ICT
  1. Key competencies and knowledge
  2. Facilities
  3. Technology
  4. Data
  5. Processes
  6. Suppliers

What constitutes a disaster?

IT disaster recovery revolves around events that are serious in nature. These events are often thought of in terms of natural disasters, but they can also be caused by system or technical failure, or by humans carrying out an intentional attack. They are significant events that can disrupt or even stop critical business operations. Typical events include:

  • Cyberattacks such as malware, DDoS, and ransomware attacks
  • Sabotage
  • Power outages
  • Equipment failure
  • Epidemics or pandemics, such as COVID-19
  • Terrorist attacks or threats
  • Industrial accidents
  • Hurricanes
  • Tornadoes
  • Earthquakes
  • Floods
  • Fires

IT disaster recovery planning

An organization can write an IT disaster recovery plan once it has thoroughly reviewed its risk factors, recovery goals, and technology environment. IT disaster recovery plans define these elements and outline how an organization responds to disruptions or disasters. The IT disaster recovery solutions outline recovery goals including Recovery Time Objective (RTO) and Recovery Point Objective (RPO), as well as steps the company will take to minimize the effects of the disaster.

IT disaster recovery solutions

The IT disaster recovery solutions should include:

  • The IT disaster recovery plan overview and main objectives of the plan
  • Critical key personnel and disaster recovery team contact details
  • A detailed plan for the IT disaster recovery solutions
  • A detailed step-by-step plan for disaster response actions following an incident
  • A network diagram of the recovery site
  • Directions for how to reach and access the recovery site
  • Communication that covers internal and external contacts, as well as templates for dealing with the external media
  • Insurance coverage, information, and contact details

Disaster recovery in the ISO27K series

The objective of section A.17.1 of Annex A of ISO 27001 is that an organization embeds information security continuity in its business continuity management systems. To support that, this section provides controls related to business continuity procedures (BCPs), recovery plans, and redundancies.

However, like all management system standards, ISO 27001 describes only what must be accomplished, not how to do it. ISO 27002, the collection of best practices that supports ISO 27001, does not help much either.

Fortunately, the ISO 27k series has additional standards that target specific areas, and one of them is ISO 27031, which covers Information and Communication Technology (ICT) Readiness for Business Continuity (IRBC), and guides us on what to consider when developing business continuity for ICT – usually this is called “disaster recovery.”

ISO 27031 – prepare your ICT for recovery

Because over the years more and more activities have become dependent upon information and communication technologies (ICT), and ICT failures are becoming more critical, it is natural to expect more literature dealing specifically with this issue.

In this context, the ISO 27031 standard approaches how to use the PDCA (Plan-Do-Check-Act) cycle to put into place a systematic process to prevent, predict, and manage ICT disruption incidents that have the potential to disrupt ICT services. By doing so, this standard helps to support both Business Continuity Management (BCM) and Information Security Management (ISM). By its nature, ISO 27031 is a perfect standard to resolve the control A.17.2.1 from ISO 27001 (Availability of information processing facilities).

It is true that the term disaster recovery is not an official ISO term, and consequently its meaning is not universally accepted. However, most IT professionals identify this term with the ability to recover the IT infrastructure in case of a disruption. Therefore, ISO 27031 is the best fit amongst the ISO standards for exactly this purpose. (See also: Disaster recovery vs. Business continuity.)

Differences between ISO 27031 and ISO 22301

ISO 22301 covers the continuity of the business as a whole, considering any type of incident as a potential source of disruption (e.g., pandemic disease, economic crisis, natural disaster, etc.), and using plans, policies, and procedures to prevent, react to, and recover from the disruptions they cause. These plans, policies, and procedures can be classified into two main types: those to continue operations if the business is affected by a disruptive event, and those to recover the information and communication infrastructure if the ICT is disrupted.

Therefore, you can think of ISO 27031 as a tool to implement the technical part of ISO 22301, providing detailed guidance on how to deal with the continuity of ICT elements to ensure that the organization’s processes will deliver the expected results to its clients.

Elements for developing business continuity for ICT

ISO 27031 recommends six main categories for consideration while thinking about business continuity involving ICT:

  1. Key competencies and knowledge: What information is necessary to run critical ICT services, and who possesses it? How can this information be incorporated into organizational knowledge and made easily available? How can your organization make it available in case of a disaster?
  2. Facilities: What conditions should installations and infrastructure meet to minimize disruption risks or recovery time? Where should such facilities be located?
  3. Technology: Which technologies are most important to the organization’s business? What are their recovery requirements, e.g., RTO (Recovery Time Objective), RPO (Recovery Point Objective), dependencies on other technologies, etc.?
  4. Data: Which data are required to restore business activities, and within what amount of time (remember that the RTO and RPO for ICT services are different from the RTO and RPO for data)? Which security controls (e.g., access control) must be in place at all times to secure the data?
  5. Processes: At this point, you have to consider which processes you have in place to deal with an incident or disaster, and how the processes needed to make the elements from categories 1 to 4 (competencies and knowledge, facilities, technology, and data) work together deliver the business services needed (e.g., communications, applications, user access, etc.).
  6. Suppliers: Which suppliers and supplies (e.g., software copies and hardware spare parts) are critical to ICT continuity, and how can your suppliers ensure they can support your organization’s business continuity requirements?
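An added example (not from the article or from ISO 27031 itself) that turns the Technology and Data questions above into a check: over a constructed inventory of hypothetical services with their RTO, RPO and dependencies, it finds services whose stated RTO cannot be met because a dependency recovers more slowly, and services whose latest successful backup is already older than their RPO.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory of ICT services (hypothetical names and figures).
# rto and rpo are in minutes; depends_on lists the services that must be
# recovered before this one can be considered recovered.
SERVICES = {
    "web-portal":  {"rto": 60,  "rpo": 15, "depends_on": ["app-db", "sso"]},
    "app-db":      {"rto": 120, "rpo": 15, "depends_on": ["san-storage"]},
    "sso":         {"rto": 30,  "rpo": 60, "depends_on": ["san-storage"]},
    "san-storage": {"rto": 240, "rpo": 5,  "depends_on": []},
}

def effective_rto(name, services, _stack=()):
    """Achievable RTO once dependencies are counted: a service is not back until
    every dependency is back, so take the worst of its own RTO and its
    dependencies' effective RTOs (assumes dependencies are restored in parallel)."""
    if name in _stack:
        raise ValueError(f"dependency cycle through {name}")
    svc = services[name]
    deps = [effective_rto(d, services, _stack + (name,)) for d in svc["depends_on"]]
    return max([svc["rto"], *deps])

def rto_gaps(services):
    """Map each service whose stated RTO is unachievable to its effective RTO."""
    gaps = {}
    for name, svc in services.items():
        achievable = effective_rto(name, services)
        if achievable > svc["rto"]:
            gaps[name] = achievable
    return gaps

def rpo_gaps(services, last_backup, now):
    """Map each service whose latest successful backup is older than its RPO to
    that backup's age in minutes: a disruption now would lose too much data."""
    gaps = {}
    for name, svc in services.items():
        age = now - last_backup[name]
        if age > timedelta(minutes=svc["rpo"]):
            gaps[name] = int(age.total_seconds() // 60)
    return gaps

def demo():
    """Run both checks with constructed backup timestamps (in practice these
    would come from the backup system's job history)."""
    now = datetime(2022, 3, 11, 12, 0, tzinfo=timezone.utc)
    ages = {"web-portal": 10, "app-db": 30, "sso": 50, "san-storage": 7}
    last_backup = {n: now - timedelta(minutes=m) for n, m in ages.items()}
    return rto_gaps(SERVICES), rpo_gaps(SERVICES, last_backup, now)
```

Calling demo() returns the two gap dictionaries; with the figures above, every service except san-storage has an unachievable RTO because the whole chain waits on the 240-minute storage recovery, and app-db and san-storage have backups older than their RPO.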


Improving business through ICT resilience

Business continuity and disaster recovery are more essential than ever to any organization, and companies are responding to this necessity by adopting management good practices like ISO 27001 and ISO 22301. However, these standards only tell you what to do (e.g., identify risks, plan your recovery, etc.), not how to do it. This is where ISO 27031 is most useful: it provides industry best practice and know-how to IT professionals in a concise way.

To handle IT disaster recovery according to ISO 27001 properly, sign up for a 14-day free trial of Conformio, the leading ISO 27001 compliance software.

Rashpal Singh
An expert in governance risk and compliance, Rashpal has a number of qualifications in ISO and PCI-DSS. As an expert, he has managed to certify many organizations to ISO 27001 across the US, Europe, and Australia. He has managed PCI-DSS programs across Europe and Australia to ensure yearly compliance on e-commerce platforms. He was also involved in the first wave of organizations certifying to ISO 27701 Privacy Information Management Systems in 2019. Rashpal works closely with financial institutions around the world, ensuring compliance of their security programs designed for web application platforms in the payment sector. For the last six years, he has been employed by one of the largest gift card processing companies in the world that has a turnover of more than $20bn annually.