Planning for disaster recovery
How do leaders of enterprises plan for outages to minimize the impact on the users of all the individual service providers running their services on the enterprises' platforms?

The cost of downtime to business, company reputation, customer experience and trust has never been higher. Given the constant and connected nature of software driven businesses, customers and users have grown to be less forgiving and more fickle with their attention. An outage in a single service can impact all of its users. An outage in a multi-tenant platform has an exponential impact as it impacts the users of all the individual service providers running their services on the platform.
Balancing preparedness for a black swan event against minor, downtime events
As enterprises design their disaster recovery solutions, it is easy to focus on preventing the big disasters and outages. These are the “black swan” events that have an incredibly large, almost decimating impact on service availability. The impact can be wide-ranging: it can extend both the length of time the service is out of commission and the amount of data that is lost. As big as these are, the impact of minor but frequent downtime cannot be ignored.
Enterprises need to pay attention to determining, discovering and preventing these smaller outages that can occur more frequently. These small downtimes can add up over the course of a year and completely topple the service availability targets and goals. There are several options available for disaster recovery from on-prem disaster recovery solutions to cloud-based disaster recovery solutions that leverage infrastructure and platform capabilities offered by major cloud operators such as AWS, GCP and Microsoft Azure.
Cost of small downtime events
The cost of such minor downtimes can easily add up. Frequent downtimes increase the likelihood that a larger number of users are impacted by the downtime. In addition, the likelihood of the same user being impacted repeatedly across outages also increases. Such frequent downtimes can erode trust in the service. Even if an immediate abandonment of the service does not occur, the impact of repeated downtimes can be felt at renewal time. Either the customer does not expand the size of the engagement or could even decide not to renew their engagement. SaaS businesses that depend on monthly recurring revenue or annual recurring revenue are extremely susceptible to the impact of frequent, minor downtimes.
Key capabilities for developing resiliency
Enterprises looking to develop resiliency against both major and minor downtime events should focus on developing and maintaining the following capabilities.
1. Continuous backups
All key systems that serve traffic should be continuously backed up. In addition to being designed in a RESTful manner, the data generated, updated and maintained by these services should be continuously backed up to a local, centralized or cloud-based disaster recovery system. Backups should be as frequent as possible while not impacting the service quality and performance of the system. At the same time, backups should be both incremental and snapshot-based to offer flexibility and ability to recover from any time or size of downtimes. In addition, backups should also be multi-level to ensure that the backup system is not impacted by the same outage that is impacting the primary system.
2. Continuous monitoring
All key systems that serve traffic should also be continuously monitored. This is critical to ensure that outages are detected as soon as possible and disaster recovery is put in motion immediately. Similar to backup, monitoring needs to be implemented on a system that is not impacted by the same outage that has hit the primary service. In parallel, customer feedback systems also need to be monitored for service outage reports. As soon as reports begin arriving or the monitoring system alerts on an outage, the outage should be confirmed and the disaster recovery should be put in motion.
3. Failover
Once a disaster has been detected, reported and confirmed, a failover process should be initiated that can spin up new servers with the ability to continue servicing any traffic. This is done by ensuring that the new servers take on the roles of the servers impacted by the downtime.
The failover servers should be configured to access the backups that contain the state and information required to serve the traffic.
4. Failback
When the downtime is over and the underlying issues in the primary service environment have been diagnosed, fixed and confirmed fixed, a failback process should revert all services to the primary environment. Once the failback has been confirmed successful, failback servers can be reclaimed and destroyed.
In a recent survey, it was reported that only 37 percent of the respondents met their service availability goals. It was also reported that 71 percent of respondents had experienced a downtime event in the last 12 months with 41 percent reporting having experienced a downtime event in the last 3 months. This shows that downtimes are not only frequent but also expected and thus require careful planning and design to not only mitigate but ensure speedy recovery and restoration of service. Enterprises have several options at their disposal and should carefully evaluate and choose the solution that best fits their needs and guarantee the agility required to detect and recover from unexpected downtimes.
ISO 27031: IT disaster recovery and business continuity

ISO 27031 is a standard for IT disaster recovery. It's an international standard that specifies how to plan, implement, and maintain disaster recovery systems. The purpose of ISO 27031 is to help organisations ensure that their business continuity plans are able to deal with any type of disaster. The standard also helps companies develop a consistent approach to planning and implementing their disaster recovery plans.
In this article, let’s take a closer look at ISO 27031 and its components, along with why your organisation may need to implement the standard.
In this article
- ISO 27031 terms and definitions
- What is ISO 27031?
- More on IRBC management systems
- Why do you need ISO 27031?
- What are the core elements of ISO 27031?
- What are the benefits of having an IT disaster recovery plan?
Before we dive into the full details of ISO 27031, there are some key terms and definitions that you should be aware of to understand the full extent of ISO 27031.
A management systems approach to ICT in support of a business continuity management system, as stated in ISO 22301, is introduced in ISO 27031. This system is known as an ICT readiness for business continuity (IRBC) management system.
An IRBC is a management system designed for use in the event of an IT disaster. Similar to the business continuity management system outlined in ISO 22301, IRBC employs a Plan-Do-Check-Act (PDCA) cycle. The goal of IRBC is to put into action measures that improve preparedness for, and speed in the aftermath of, an interruption in ICT services.
The PDCA paradigm is highly recognisable to those in the business continuity and IT fields, but it requires some minor adjustments to better support the recoverability of ICT in accordance with what businesses need and anticipate.
Although organisations cannot be certified in ISO 27031 like they can in ISO 22301, the management system follows many of the same procedures that experienced preparation experts are used to adopting with business continuity planning.
ISO 27031 is based on the ISO 22301 PDCA management system but is tailored to the more technical aspects of IRBC. ISO 27031 depends on the results of the Business Impact Analysis (BIA) performed and accepted as part of the larger BCMS for an organisation in addition to the technical adjustments to PDCA. The PDCA management system at IRBC is summarised as follows:
- Plan — In the first stage, the IRBC management system's overarching governance structure is established and maintained. As a result of the work conducted in the Plan phase, the company will have an IRBC policy and many potential IT strategy solutions to choose from in order to fulfil the needs of the business.
- Do — In this phase, employees carry out the tasks and put in place the solutions that will allow the company to keep an eye out for, and get back up and running after, an interruption in ICT services. When it comes to ensuring the reliability of ICT services, the Do phase's primary outcomes are the actualisation of said strategies, the development of said plans, and the carrying out of said training and awareness efforts.
- Check — Review and analysis of the IRBC management system's output are part of the Check step. Key deliverables from the Check phase include regular inspections of ICT responsiveness and recoverability and ongoing monitoring of ICT for disruptions and performance levels.
- Act — In the Act phase, leadership may assess how effectively the IRBC initiative is working and order remedial measures to be taken that will improve the effectiveness of the management system and/or lessen the likelihood of future interruptions to ICT services.
ICT is widely used among organisations that rely heavily on it to perform critical business functions. Some of the activities that ICT supports are incident management, business continuity, disaster recovery and emergency management. The importance of ISO 27031 is that it sets guidelines to implement these activities as a part of your organisation's continuity plan.
It ensures that your organisation's ICT as well as personnel and processes are ready to handle unforeseeable events that could change the risk environment and endanger the business.
With the implementation of ISO 27031, you also gain the ability to leverage and streamline resources among business continuity, emergency response, security incident handling and disaster recovery.
ISO 27031 specifies that the aforementioned IRBC plans need to have six components to effectively monitor for, respond to, and recover from interruptions to information and communication technologies. These six factors are:
In the event of a disruption, it will be necessary to resume providing ICT services, and therefore recovery plans must take this into account. When planning for the operation of an organisation's information and communication technology (ICT), it is important to account for the fact that no single employee may possess all of the necessary expertise.
Preventing the loss that might occur from running information and communication technology (ICT) systems out of a single location is an important part of any recovery strategy.
Planned facility considerations guarantee that information and communication technology (ICT) systems can continue to function in the event of a primary facility failure.
Technologies
When developing a recovery plan, it is important to take into account the technical specifications necessary to achieve the Recovery Time Objective (RTO) and the Recovery Point Objective (RPO) set by the company.
When planning a strategy, it's important to factor in the time and resources needed to restore gear and software to working order. Power, cooling, staffing, vendor support, and wide-area network connection are all essential factors to think about.
When planning for a recovery, it's important to think about how to safeguard the crucial information your company relies on. Strategies that take data into account guarantee that consumers can access, use, and trust the information they need.
Planning for the ongoing activities required to monitor, manage, and recover ICT systems in order to satisfy business needs is an integral part of any effective recovery strategy. Strategies that take processes into account determine the IT operations that must be performed before, during, and after an outage.
Recovering and running ICT systems requires a number of third-party suppliers, all of whom must be kept in the loop during the recovery process. Strategies that take suppliers into account determine whether companies help with maintaining and restoring ICT systems before, during, and after a disruption.
What are the benefits of having an IT disaster recovery plan?
IT disasters impact organisations the most when no preparations have been made to deal with them. The ensuing chaos has far-reaching consequences for organisations that extend well beyond the time it takes to restore operations. Last-minute repairs may be expensive, data breaches can result in fines, and disasters can damage your company's brand and productivity in a variety of ways.
Therefore, having a solid plan to curb the effect of disaster is essential to every organisation.
Here are a few benefits of implementing an IT disaster recovery plan:
- Builds confidence among your customers — When you implement IT disaster recovery, you're making sure that your business is well-positioned to recover from an outage in a timely and effective manner. This makes it easier for your customers to trust their business with you, which boosts brand loyalty and customer satisfaction.
- Helps mitigate your financial risks — By shortening the time it takes to restore organisation information systems, you may limit losses not only in terms of income but also in other areas, such as the cost of potential harm caused by downtime and the expense of management or technical help.
- Minimise the interruption to critical processes — To ensure the organisation’s survival, there are essential operations that must run continuously. By having a Disaster Recovery solution in place, critical procedures can be safeguarded and interruptions to operations may be kept to a minimum.
- Increased productivity — The danger to your data may be minimised by making sure your staff understand their parts in data security and have a plan in place for dealing with attacks. More than that, it will boost productivity in every area. Since employees know what to do in the event of a crisis, they will be less likely to go into a state of panic, which is one of the many benefits of having a disaster recovery plan. Instead, the crisis can be dealt with in a controlled environment.
ISO 27031 provides guidance for an IRBC programme that helps IT and business continuity experts keep their ICT systems resilient. Organisations would better prepare for, respond to, and recover from an information and communication technology outage. ICT and business continuity are both vulnerable to interruptions, however ISO 27031 utilises and modifies the BCM ideas established in ISO 22301 to help mitigate this risk.
If you are interested in learning more about other information security standards, check out our article on ISO 27001.
Using ISO 27031 to Guide IT Disaster Recovery Alignment with ISO 22301

Many organizations struggle to define the best method to meet business expectations regarding information technology (IT) recovery. ISO 27031 provides guidance to business continuity and IT disaster recovery professionals on how to plan for IT continuity and recovery as part of a more comprehensive business continuity management system (BCMS). The standard helps IT personnel identify the requirements for Information and Communication Technology (ICT) and implement strategies to reduce the risk of disruption, as well as recognize, respond to and recover from a disruption to ICT.

ISO 27031 introduces a management systems approach to address ICT in support of a broader business continuity management system, as described in ISO 22301. ISO 27031 describes a management system for ICT readiness for business continuity (IRBC). An IRBC is a management system focused on IT disaster recovery. IRBC uses the same Plan-Do-Check-Act (PDCA) model as the business continuity management system described in ISO 22301. The objective of IRBC is to implement strategies that will reduce the risk of disruption to ICT services as well as respond to and recover from a disruption. Business continuity and IT professionals will find the use of the PDCA model very familiar but with necessary changes to support recoverability of ICT based on business requirements and expectations.
As a guidance standard, organizations cannot be certified in ISO 27031 like ISO 22301, but the management system follows many of the same steps that experienced preparedness professionals are used to implementing with business continuity planning. The following diagram displays IRBC management system detailed in ISO 27031.

IRBC Management Systems
ISO 27031 uses the same basic PDCA management system used in ISO 22301 but adapts it to fit the technical nature of IRBC. In addition to technical changes to PDCA, ISO 27031 also relies on the Business Impact Analysis (BIA) conclusions developed and approved as part of the broader BCMS for an organization. For IRBC, the PDCA management system is broken down the following way:
- Plan: the Plan phase creates and updates the governance structure for the overall IRBC management system. The key outputs of the Plan phase are an IRBC policy that adequately addresses continuity of information and communication technology and strategy options that the organization can deploy to meet business requirements.
- Do: the Do phase focuses on performing activities and implementing solutions that enable the organization to monitor for, respond to and recover from a disruption to ICT services. The key outputs for the Do phase are the implementation of strategies, generation of plans and execution of training and awareness activities to promote continuity for ICT services.
- Check: the Check phase includes the review and evaluation of the performance of the IRBC management system. The key outputs of the Check phase include continuous monitoring of information and communication technologies for disruptions and performance levels as well as periodic reviews of ICT responsiveness and recoverability.
- Act: the Act phase provides management with the opportunity to review the performance of the IRBC effort as well as direct the implementation of corrective actions which will enhance management system performance and/or reduce the risk of future disruptions to ICT services.
Let’s take a more in-depth look at each phase.
PLAN
Many organizations may already perform some of the “Plan” components of ISO 27031 as part of their Information Technology Disaster Recovery (ITDR) programs. ISO 27031 considers ITDR as a component of the IRBC, but in reality, very few differences exist. In the Plan phase, the organization implements a policy to govern processes and requirements for the IRBC. The policy establishes the governance structure for the IRBC management system. The IRBC uses inputs from the organization’s BIA to translate the business requirements into ICT performance requirements for ICT services. The Plan phase concludes with generating IRBC strategy options, which will be implemented in the Do phase.
IRBC strategy formulation essentially means the creation of IT service offerings that ICT staff will include in the service catalog or, more generically, as options for business consideration and selection. For example, an organization with a service catalog entry for a virtual server would add entries to address recoverability of a virtual server through a variety of means to address a range of recovery objectives. The organization may choose to provide two recovery strategies for recovery of a virtual machine with different recovery times to meet business requirements identified through the BIA. Those two recovery strategies are then incorporated into the organization’s service catalog either as separate entries or incorporated into existing service catalog entries.
In order to be effective, ISO 27031 states that the IRBC strategies described above need to incorporate six components into monitoring for, responding to and recovering from disruptions to information and communication technology. The six components are:
- Skill and Knowledge: Recovery strategies include consideration regarding the specialized technical skills and knowledge needed to operate ICT services before, during and after a disruption. Strategies that include skill and knowledge considerations focus on ensuring no single individual holds specialized skills or knowledge that would be needed to operate the organization’s ICT systems.
- Facilities: Recovery strategies include mitigating risk associated with operating ICT systems based in a single facility. Strategies that include facility considerations ensure ICT systems can be operated even if a primary facility is rendered inoperable.
- Technology: Recovery strategies include consideration of the technical requirements needed to meet the organization’s recovery requirements, specifically Recovery Time Objective (RTO) and Recovery Point Objective (RPO). Strategies that include technology considerations involve ensuring hardware and applications are able to be recovered within the time and data recovery required by the organization. These considerations must include support systems such as power, cooling, staffing, vendor support and WAN connectivity.
- Data: Recovery strategies include consideration of how to protect the data required by the organization. Strategies that include data considerations include security, validity and availability of the data required by end users.
- Processes: Recovery strategies include consideration of how to sustain the processes necessary to monitor, operate and recover ICT systems in order to meet business requirements. Strategies that consider processes identify the ICT processes necessary prior to, during and after a disruption to ICT systems.
- Suppliers: Recovery strategies include consideration of how to inform and engage suppliers who are needed to recover and operate ICT systems. Strategies that include supplier considerations identify what suppliers are engaged in the operation and recovery of ICT systems before, during and after a disruption has occurred.
Each IRBC strategy option will consider the six components and often result in the creation of tiers to classify information and communication technology that meets the organization’s needs. During the Do phase, ICT services will be assigned to a tier, which enables strategy selection. Once IT identifies the strategy options, the organization’s management should consider the amount of risk reduced by the strategy against the cost of implementing the strategy. Overall, the result of the Plan phase is a list of strategies to add or update in the service catalog, which allows the organization to select the appropriate level of recoverability.
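The tier selection described above, sketched as an added example (not part of the original article or of ISO 27031): it picks the cheapest catalog strategy that meets each service's BIA-derived RTO, RPO and facility requirement, and reports services that no catalog entry can satisfy. The strategy names, costs and service requirements are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Strategy:
    """One recovery option offered in the service catalog (constructed data)."""
    name: str
    rto_minutes: int    # worst-case time to restore the service
    rpo_minutes: int    # worst-case window of lost data
    annual_cost: int    # illustrative cost figure
    second_site: bool   # still works if the primary facility is lost


@dataclass(frozen=True)
class Service:
    """An ICT service with the recovery requirements taken from the BIA."""
    name: str
    rto_minutes: int
    rpo_minutes: int
    needs_second_site: bool


# Constructed catalog: three tiers with decreasing cost and recoverability.
CATALOG = [
    Strategy("tier-1-active-active", 5, 0, 90_000, True),
    Strategy("tier-2-warm-standby", 240, 15, 30_000, True),
    Strategy("tier-3-nightly-snapshot", 1440, 1440, 5_000, False),
]

# Constructed services and requirements.
SERVICES = [
    Service("payments-api", 15, 0, True),
    Service("customer-portal", 480, 60, True),
    Service("internal-wiki", 2880, 1440, False),
    Service("trading-feed", 1, 0, True),
]


def shortfalls(service: Service, strategy: Strategy) -> list[str]:
    """Return every requirement of `service` that `strategy` fails to meet."""
    problems = []
    if strategy.rto_minutes > service.rto_minutes:
        problems.append(
            f"RTO {strategy.rto_minutes}m exceeds required {service.rto_minutes}m")
    if strategy.rpo_minutes > service.rpo_minutes:
        problems.append(
            f"RPO {strategy.rpo_minutes}m exceeds required {service.rpo_minutes}m")
    if service.needs_second_site and not strategy.second_site:
        problems.append("no second facility")
    return problems


def select_strategy(service: Service, catalog: list[Strategy]) -> Optional[Strategy]:
    """Cheapest strategy with no shortfalls, or None if the catalog has a gap."""
    candidates = [s for s in catalog if not shortfalls(service, s)]
    return min(candidates, key=lambda s: s.annual_cost, default=None)


def plan(services: list[Service], catalog: list[Strategy]) -> dict[str, dict]:
    """Assign each service a tier; for unmet services, report the closest option."""
    result = {}
    for svc in services:
        chosen = select_strategy(svc, catalog)
        if chosen is not None:
            result[svc.name] = {"strategy": chosen.name, "gaps": []}
            continue
        # No strategy fits: surface the option with the fewest shortfalls so
        # management can weigh a new catalog entry against accepting the risk.
        closest = min(catalog,
                      key=lambda s: (len(shortfalls(svc, s)), s.rto_minutes),
                      default=None)
        result[svc.name] = {
            "strategy": None,
            "closest": closest.name if closest else None,
            "gaps": shortfalls(svc, closest) if closest else ["empty catalog"],
        }
    return result


if __name__ == "__main__":
    for name, outcome in plan(SERVICES, CATALOG).items():
        print(name, outcome)
```

A service that comes back with `strategy: None` marks a gap between business expectations and what the catalog can actually deliver, which is the decision the Plan phase hands to management.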
DO
The Do phase of the IRBC management system includes implementing the strategies identified in the Plan phase, writing recovery plans for ICT services and executing training and awareness activities to ensure personnel involved in the IRBC program are qualified and informed. The IRBC program implements the appropriate strategies identified in the Plan phase to improve ICT readiness for in-scope information and communication technology services.
Strategies that reduce the risk of a disruption will not fully eliminate the possibility of a disruption to information and communication technology. IT staff implement strategies and draft plans to overcome residual risk when disruptive incidents become reality. Response and recovery plan documentation is required to ensure personnel understand the activities necessary to meet business expectations. ISO 27031 includes many of the same considerations that are used in ISO 22301, including plan purpose and scope, defined roles and responsibilities, alternate personnel, plan invocation criteria, and contact information.
The final part of the Do phase is conducting training and awareness activities to ensure the personnel involved with the IRBC management system (including those with roles in response and recovery plans) are aware of their responsibilities before, during and after a disruption.
CHECK
The Check phase of the IRBC management system includes the typical activities associated with BCM system’s Check phase, including management review and testing and exercising. The Check phase also adds in continuous activities which monitor for a disruption to ICT services and measure ICT readiness-related performance.
ACT
The Act phase incorporates management review of the IRBC program, including program performance, ICT readiness performance and resource allocation. In addition to management review, the IRBC program implements corrective actions that were identified during other phases of the management system. The goal of the corrective actions is to ingrain a culture of continuous improvement in the organization and engage management with the prioritization of continual improvement.
So what if the organization doesn’t have a BCM program in place already? Often IT professionals are asked to implement mitigation, response and recovery measures in advance of a broader BCM program. In these instances, the organization hasn’t conducted a holistic business impact analysis to identify the business requirements for applications and hardware. Some IT organizations will use intuition and past experiences to establish ICT response and recovery requirements, such as RTO and RPO. However, using intuition and past experiences will often lead to gaps between business expectations for recovery of information and communication technology and actual recoverability. An easy way to develop recovery requirements for ICT services is to consider conducting a more focused application impact analysis (AIA) that focuses on the uses of ICT services and measures the impact to the organization of a disruption based on one or a group of related services.
An effective AIA will identify:
- The stakeholders (including users) of information and communication technology;
- The impact (quantitative and qualitative) of a disruption to ICT over time; and
- Manual work-arounds which users can implement during a disruption.
The IRBC program detailed in ISO 27031 assists IT and business continuity professionals, together with their program sponsors, in maintaining effective ICT resiliency. By implementing an IRBC management system, IT and business continuity professionals help their organization to monitor for, respond to and recover from a disruption to ICT. ISO 27031 applies and adapts the BCM concepts described in ISO 22301 to assist with reducing the risk of disruptions to information and communication technologies, as well as to the business as a whole.
ISO 27031: Looking at ISO’s Disaster Recovery Standard

March 21, 2019, by Bryan Strawser
As a business professional, executive, or business leader, you are always thinking of ways to connect with your team and improve your business or organization. If you’re not already, you should be concerned about business continuity and disaster recovery before disastrous events occur. As Bill Gates said, “Treatment without prevention is simply unsustainable,” and the same goes for your organization.
In the case of disaster recovery, prevention is more than half the battle toward ensuring a safe workplace that can continue to function well in the face of an emergency.
Let’s take a look at some of the most common workplace emergencies and disasters your business and personnel should be prepared for, and then we’ll talk about how to address them, what disaster recovery is, who defines it, how to create your disaster recovery plan (DRP), and how to get help if you need it.
We’ll also cover ISO 27031 and what’s required to make sure your business is compliant.
Most Common Types of Workplace Disasters
If you want specific numbers on the number of injuries and accidents that occur in the workplace, the Occupational Safety and Health Administration (OSHA) in the United States and the World Health Organization (WHO) are great places to start. Everyone wants their businesses or organizations to be safe and healthy places to work, but as an executive or business owner, it can be hard to find time to focus on disaster recovery plans (DRPs) along with running a business daily. A strategic business partner specializing in crisis management, business continuity, and intelligence and global strategies and risks can be invaluable as your business continues to grow and risks change and increase. Bryghtpath LLC can keep your business on track and secure.
OSHA lists some of the most common workplace emergencies or disasters, including:
- Hurricanes and tornadoes
- Fires and explosions
- Toxic gas or chemical releases
- Radiological accidents
- Civil disturbances or workplace violence leading to bodily harm or trauma
Workplace disasters are not always the result of your business policies, but may just happen. Still, you and your employees need to be as prepared as possible when they occur. The best way to do this is to create, update, and follow a disaster recovery plan (DRP).
What is Disaster Recovery?
Disaster recovery is a standard set of policies and procedures that a business or organization puts in place and follows to protect itself and its personnel in the face of a disaster. Disaster recovery plans (DRPs) can help the business ensure personal and employee safety, restore hardware and systems, and take other steps to encourage business continuity. DRPs may include preventative measures, corrective measures, and detective measures to prevent disasters from affecting business as much as possible while mitigating the disaster outcome as reliably as possible.
Who Creates the Disaster Recovery Guidelines for Businesses?
The International Organization for Standardization (ISO) is the international organization that monitors and develops business standards and regulations, and businesses like yours depend on it for guidance on difficult topics like disaster recovery. In collaboration with organizations like OSHA, WHO, and the International Labour Standards on Occupational Safety and Health (ILO), the ISO helps prevent disasters from escalating or occurring in the first place and establishes rules and regulations that help businesses and organizations comply with its standards. Now that you know what disaster recovery is, though, how will you design a DRP for your business? Let’s define the plan and then find out how to create and adapt it to your particular business or organizational niche.
How to Design a Disaster Recovery Plan
A disaster recovery plan (DRP) details all the actions you, your management team, and your personnel must take to make sure your employees and your business are safe. Depending on the size and complexity of your business or organization, you may want to have a DRP for each department which the managers retain copies of at all times. The managers may be responsible for adapting and revising these plans regularly or when necessary to stay abreast of current ISO standards like ISO 27031 and other business and safety standards.
What is ISO’s Disaster Recovery Standard 27031?
To truly understand what disaster recovery standards require, let’s take a closer look at ISO Standard 27031. This standard is focused on the information and communication technology (ICT) requirements for business continuity and disaster preparedness.
ISO 27031 covers both the security of crucial data and the enterprise operations of an organization or business.
The four areas of ISO 27031 are:
ISO 27031 Planning
The first step in creating a DRP is to plan and establish a disaster recovery business continuity set of policies that contains the following necessary components:
- Risk management processes
These components should increase the IT and communications departments’ ability to be ready for disaster and implement recovery in an organized and successful manner.
ISO 27031 Doing
The second step is to implement the established policies in the correct order so they are most effective. In the event of a disaster or emergency, this step must happen quickly and smoothly to prevent further disastrous consequences in your organization or business. This step cannot occur unless the business disaster actually occurs, but it can be prepared for through training and exercises involving management and personnel.
ISO 27031 Checking
The third step to enacting a DRP is to check back and ensure the procedures are having the desired effect. This means that you or your personnel must constantly monitor and assess the recovery following the disaster, ensuring that the projected objectives and metrics are hit consistently throughout the risk management process. In other words, is your DRP working? You can also ask yourself or your team what policies or procedures are not working, and improve them once the recovery is complete.
Some methods of checking on your DRP include the following:
- Plan testing
- Plan execution and post-disaster evaluation
ISO 27031 Acting
Finally, based on the results of the audit, test, or actual event occurrence and DRP execution, your organization or business must adapt and revise the DRP to improve the DRP functioning should the disaster occur again in the future.
The ISO 27031 Disaster Recovery Requirements
The ISO provides in-depth guidance on how to design a DRP, and is a great resource if you’re trying to design your own. If you need help, Bryghtpath can guide you through the process and help direct our personnel on gathering the information you’ll need. To be compliant with ISO 27031, here are a few things you will need before putting together your DRP:
- An organizational/staffing chart
- A personnel location list
- DRP management job descriptions
- A key customer contact list
- Facility maps and descriptions
- Hardware, network, software, and off-site materials locations and inventories
- A list of critical resources needed in case of emergency
In addition, ISO 27031 requires the following processes be defined and included in your DRP: a website disaster planning form, a work plan, an audit plan, preventative measures, an incident communication plan, a social networking checklist, and a pandemic checklist.
Creating a DRP, or several of them, can be intimidating, even for a business magnate with decades of experience. The time-consuming but necessary collaboration and risk brainstorming across teams and departments can seem insurmountable while you’re running your business. You know you need a DRP (or several), but you may need additional planning tools or expertise to guide your organization and management team in the right direction. Bryghtpath can effectively and simply help your business design and implement an ISO-compliant disaster recovery plan and teach your team to keep it current. We offer the following services to ensure ISO business compliance and the safety of your organization and team.
Want to work with us or learn more about Business Continuity & Disaster Recovery?
- Our proprietary Resiliency Diagnosis process is the perfect way to advance your business continuity, disaster recovery, & crisis management program. Our thorough standards-based review culminates in a full report, maturity model scoring, and a clear set of recommendations for improvement.
- Our Business Continuity (including IT Disaster Recovery) & Crisis Management services help you rapidly grow and mature your program to ensure your organization is prepared for the storms that lie ahead.
- Our Ultimate Guide to Business Continuity contains everything you need to know about Business Continuity
- Our free Business Continuity 101 Introductory Course may help you with an introduction to the world of business continuity – and help prepare your organization for your next disruption. Our paid 5-Day Business Continuity Accelerator might just be the thing you need to jumpstart your business continuity program.
- Learn about our Free Resources, including articles, a resource library, white papers, reports, free introductory courses, webinars, and more.
- Set up an initial call with us to chat further about how we might be able to work together.
About Bryan Strawser
Bryan Strawser is Founder, Principal, and Chief Executive at Bryghtpath LLC, a strategic advisory firm he founded in 2014. He has more than twenty-five years of experience in the areas of business continuity, disaster recovery, crisis management, enterprise risk, intelligence, and crisis communications.
At Bryghtpath, Bryan leads a team of experts that offer strategic counsel and support to the world’s leading brands, public sector agencies, and nonprofit organizations to strategically navigate uncertainty and disruption.
Understanding IT disaster recovery according to ISO 27031

Last updated on March 11, 2022.
Disaster recovery is the ability of an organization to respond to and recover from an event that negatively impacts its operations. Disaster recovery methods enable an organization to quickly regain access to critical systems and infrastructure after a disaster. An organization prepares for this by performing an in-depth analysis of its systems and creating a formal document to follow in times of crisis. This document is known as an IT disaster recovery plan. In this article, learn more about how to create both the plan and the IT disaster recovery solutions.
What constitutes a disaster?
IT disaster recovery revolves around events that are serious in nature. These events are often thought of in terms of natural disasters, but they can also be caused by systems or technical failure or by humans carrying out an intentional attack. They are important events that can disrupt or even stop critical business operations. Typical events can include:
- Cyberattacks such as malware, DDoS, and ransomware attacks
- Power outages
- Equipment failure
- Epidemics or pandemics, such as COVID-19
- Terrorist attacks or threats
- Industrial accidents
- Earthquakes
IT disaster recovery planning
An organization can write an IT disaster recovery plan once it has thoroughly reviewed its risk factors, recovery goals, and technology environment. IT disaster recovery plans define these elements and outline how an organization responds to disruptions or disasters. The IT disaster recovery solutions outline recovery goals including Recovery Time Objective (RTO) and Recovery Point Objective (RPO), as well as steps the company will take to minimize the effects of the disaster.
IT disaster recovery solutions
The IT disaster recovery solutions should include:
- The IT disaster recovery plan overview and main objectives of the plan
- Critical key personnel and disaster recovery team contact details
- Detailed plan for the IT disaster and recovery solutions
- A detailed step-by-step plan for disaster response actions following an incident
- A network diagram of the recovery site
- Directions for how to reach and access the recovery site
- Communication that covers internal and external contacts, as well as templates for dealing with the external media
- Insurance coverage, information, and contact details
Disaster recovery in the ISO27K series
Section A.17.1 of Annex A of ISO 27001 has as its objective that an organization needs to embed information security continuity in its business continuity management systems. To support that, this section provides controls related to business continuity procedures (BCPs), recovery plans and redundancies.
However, like all management system standards, ISO 27001 describes only what must be accomplished, not how to do it. ISO 27002, the collection of best practices that supports ISO 27001, does not help much either.
Fortunately, the ISO 27k series has additional standards that target specific areas, and one of them is ISO 27031, which covers Information and Communication Technology (ICT) Readiness for Business Continuity (IRBC), and guides us on what to consider when developing business continuity for ICT – usually this is called “disaster recovery.”
ISO 27031 – prepare your ICT for recovery
Because over the years more and more activities have become dependent upon information and communication technologies (ICT), and ICT failures are becoming more critical, it is natural to expect the spread of literature dealing specifically with this issue.
In this context, the ISO 27031 standard describes how to use the PDCA (Plan-Do-Check-Act) cycle to put into place a systematic process to prevent, predict, and manage ICT disruption incidents that have the potential to disrupt ICT services. By doing so, this standard helps to support both Business Continuity Management (BCM) and Information Security Management (ISM). By its nature, ISO 27031 is a perfect standard to resolve the control A.17.2.1 from ISO 27001 (Availability of information processing facilities).
It is true that the term disaster recovery is not an official ISO term, and consequently, its meaning is not universally accepted. However, most IT professionals identify this term with the ability to recover the IT infrastructure in case of a disruption. Therefore, ISO 27031 is the best fit amongst the ISO standards exactly for this purpose. (See also: Disaster recovery vs. Business continuity.)
Differences between ISO 27031 and ISO 22301
ISO 22301 covers the continuity of business as a whole, considering any type of incident as a potential disruption source (e.g., pandemic disease, economic crisis, natural disaster, etc.), and using plans, policies, and procedures to prevent, react, and recover from disruptions caused by them. These plans, policies, and procedures can be classified as two main types: those to continue operations if the business is affected by a disruption event, and those to recover the information and communication infrastructure if the ICT is disrupted.
Therefore, you can think of ISO 27031 as a tool to implement the technical part of ISO 22301, providing detailed guidance on how to deal with the continuity of ICT elements to ensure that the organization’s processes will deliver the expected results to its clients.
Elements for developing business continuity for ICT
ISO 27031 recommends six main categories for consideration while thinking about business continuity involving ICT:
- Key competencies and knowledge: What information is necessary to run critical ICT services, and who possesses it? How can this information be incorporated into organizational knowledge and made easily available? How can your organization make it available in case of a disaster?
- Facilities: What conditions should installations and infrastructure have to minimize disruption risks or recovery time? Where should such facilities be located?
- Technology: Which technologies are most important to the organization’s business? What are their recovery requirements, e.g., RTO (Recovery Time Objective), RPO (Recovery Point Objective), dependency on other technologies, etc.?
- Data: Which data are required to restore business activities, and in what amount of time (remember that RTO and RPO for ICT services are different from RTO and RPO for data)? Which security controls (e.g., access control) must be in place at all times to secure the data?
- Processes: At this point, you have to consider which processes you have in place to deal with an incident or disaster, and how the processes needed to make the elements from categories 1 to 4 (competencies and knowledge, facilities, technology, and data) work together to deliver the business services needed (e.g., communications, applications, user accesses, etc.).
- Suppliers: Which suppliers and supplies (e.g., software copies and hardware spare parts) are critical to ICT continuity, and how can your suppliers ensure they can support your organization’s business continuity requirements?

Improving business through ICT resilience
Business continuity and disaster recovery are more essential than ever to any organization, and companies are responding to this necessity by adopting management good practices like ISO 27001 and ISO 22301. However, these standards only tell what to do (e.g., identify risks, plan your recovery, etc.) – not how to do it. This is where ISO 27031 is the most useful: it provides the industry best practice and the know-how to IT professionals in a concise way.
Meeting ISO 27031 Requirements
Meeting ISO 27031 requirements is a priority in meeting GDPR compliance requirements for the EU.
The ISO Standard defines the Information and Communication Technology (ICT) Requirements for Business Continuity (IRBC) program that supports the mandate for an infrastructure that supports business operations when an event or incident with its related disruptions affects the continuity of critical business functions. This includes security of crucial data as well as enterprise operations. The ISO standard centers around four areas: Plan, Do, Check, and Act.
- Plan - Establish a Disaster Recovery Business Continuity policy with objectives, metrics, and processes relevant to managing risk and improving the enterprise's Information and Communication Technology ability and readiness to operate at the level defined within the parameters of the enterprise's overall disaster recovery and business continuity objectives.
- Do - Implement and operate the Disaster Recovery and Business Continuity policies, procedures, controls, and processes.
- Check - Assess and monitor the performance metrics as defined within the Disaster Recovery and Business Continuity policy metrics and communicate the results to the management of the enterprise. This process can be done via an audit, a test of the plan, or an actual execution of the plan via a post event analysis session.
- Act - Modify the Disaster Recovery and Business Continuity policies, procedures, and metrics based on the "Check" (audit, test, or execution of the plan) in order to improve the Disaster Recovery and Business Continuity Policy.
Disaster Recovery Business Continuity Template is ISO 22301 & 27031 compliant
In order to be compliant with ISO 22301 & 27031, a number of elements are required, and this template meets all of those requirements.
- Staffing with appropriate skills, knowledge, and execution ability
- Organization Chart (Section 5)
- Plan Distribution (Appendix)
- DRP Management Job Descriptions (Appendix)
- Disaster Recovery Team List (Appendix)
- Key Customer Contact List (Appendix)
- Personnel Location List (Appendix)
- Detail Job Descriptions for 15 key team members (Premium Edition of the template)
- Facilities for both the existing and recovery operation
- Operational Facilities (Section 3 and Appendix)
- Recovery Facilities (Appendix - Sample Contract)
- Off-Inventory (Appendix)
- Technology definition
- Hardware - Hardware Inventory (Section 3 and Appendix)
- Network - Network Inventory (Section 3 and Appendix)
- Software - Software Inventory (Section 3 and Appendix)
- Resources required for continuity process (Appendix)
- Business Continuity off-site materials (Appendix)
- Critical Resources to be retrieved (Appendix)
- Data Identification
- Application Inventory and Business Impact Questionnaire (Appendix)
- Application data (Appendix)
- Voice data (Appendix)
- Other (Appendix)
- DRP and Activation Workbook (Appendix)
- General Distribution Materials (Appendix)
- Web Site Disaster Planning Form (Appendix)
- Work Plan (Appendix)
- Incident Communication Plan (Appendix)
- Social Networking checklist (Appendix)
- Pandemic Checklist (Appendix)
- Preventative Measures (Appendix)
- Audit Plan Process (Appendix)
- Vendor and Supplier Disaster Recovery Questionnaire (Appendix)
- Disaster Recovery Sample Contract (Appendix)
Options for ordering the DRP Template include
- DRP Standard
- DRP/Security Standard
Disaster Recovery Business Continuity Standard Edition
- Fully editable Disaster Recovery Business Continuity template
- Disaster Recovery Business Continuity Audit Program - Compliant with ISO 27031, ISO 22301, and ISO 28000
- Disaster Recovery Manager Job Description
- Manager Disaster Recovery & Business Continuity Job Description
- Application Inventory and Business Impact Analysis Questionnaire
- News Conferences
- Media Relations
- Social Network Checklist
- LAN Inventory, Location Contact Numbers, Off-Site Inventory, Pandemic Planning Checklist; Personnel Locations, Plan Distribution, Remote Location Contact Information, Server Registration, Team Call List, Vendor Contact Information, and Vendor/Partner Questionnaire
- Added Bonus - Safety Program Electronic Forms -- Area Safety Inspection, Employee Job Hazard Analysis, First Report of Injury, Inspection Checklist - Alternative Locations, Inspection Checklist - Office Locations, New Employee Safety Checklist, Safety Program Contact List, and Training Record
Disaster Recovery Business Continuity Premium Edition
- Disaster Recovery Business Continuity Template
Chief Information Officer - CIO, Chief Security Officer - CSO, Chief Compliance Officer - CCO, Chief Mobility Officer, VP Strategy and Architecture, Director Disaster Recovery and Business Continuity, Director e-Commerce, Director Media Communications, Manager Disaster Recovery, Manager Disaster Recovery and Business Continuity, Disaster Recovery Coordinator, Disaster Recovery - Special Projects Supervisor, Manager Database, Capacity Planning Supervisor, Manager Media Library Support, Manager Record Administrator, Manager Site Management, and Pandemic Coordinator
Disaster Recovery Business Continuity Gold Edition
- Disaster Recovery Business Continuity Template - Full template with all of its attachments.
- 324 IT Job Descriptions including all of the job descriptions contained in the Premium edition.
With this offer you save almost 50% from the base price of these two very popular products
Disaster Recovery Business Continuity & Security Manual Templates Standard Edition Includes
- Security Manual Template
Disaster Recovery Business Continuity & Security Manual Templates Premium
- Disaster Recovery Business Continuity Template - Standard Edition
- Security Manual Template - Standard Edition
CIO; CCO; Chief Digital Officer; Chief Experience Officer; Chief Mobility Officer; CSO; VP Strategy and Architecture; Data Protection Officer; Director e-Commerce; Database Administrator; Data Security Administrator; Manager Data Security; Manager Database; Manager Disaster Recovery; Manager Disaster Recovery and Business Continuity; Pandemic Coordinator; Manager Facilities and Equipment; Manager Media Library Support; Manager Network and Computing Services; Manager Network Services; Manager Site Management; Manager Training and Documentation; Manager Voice and Data Communication; Manager Wireless Systems; Capacity Planning Supervisor; Disaster Recovery Coordinator; Disaster Recovery - Special Projects Supervisor; Network Security Analyst; System Administrator - Unix; System Administrator - Windows
Disaster Recovery Business Continuity & Security Manual Templates Gold
- 324 Job Descriptions which includes all of the job descriptions in the premium edition
"Best of Breed - Best Practices Disaster Recovery Planning / Business Continuity Planning, Security Policies, IT Job Descriptions" according to the IT Productivity Center
Business Disruption Management

Table of Contents
- Introduction
- Business Impact
Backup Strategy
Recovery Strategy
- Organization
- Administration
- Appendix & Forms
Plan Introduction
- Mission and Objectives
- Disaster Recovery / Business Continuity Scope
- Authorization
- Responsibility
- Key Plan Assumptions
- Disaster Definition
- Disaster Recovery / Business Continuity and Security Basics
Business Impact Analysis
- Critical Time Frame
- Application System Impact Statements
- Information Reporting
- Best Data Practices
- Site Strategy
- Data Capture and Backups
- Backup and Backup Retention Policy
- Communication Strategy and Policy
- ENTERPRISE Data Center Systems
- Departmental File Servers
- Wireless Network File Servers
- Data at Outsourced Sites (including ISP's)
- Branch Offices (Remote Offices & Retail Locations)
- Desktop Workstations (In Office)
- Desktop Workstations (Off site including at home users)
- PDA's and Smartphones
- Escalation Plans
- Decision Points
Disaster Recovery Organization
- Recovery Team Organization Chart
- Disaster Recovery Team
- Recovery Team Responsibilities
Disaster Recovery Emergency Procedures
- Recovery Management
- Damage Assessment and Salvage
- Physical Security
- Hardware Installation
- Systems, Applications & Network Software
- Communications
Plan Administration
- Disaster Recovery Manager
- Distribution of the Disaster Recovery Plan
- Maintenance of the Business Impact Analysis
- Training of the Disaster Recovery Team
- Testing of the Disaster Recovery Plan
- Evaluation of the Disaster Recovery Plan Tests
- Maintenance of the Disaster Recovery Plan
Appendix and Forms
- Plan Distribution
- ENTERPRISE Sales Offices
- Disaster Recovery Team Call List
- Vendor Phone/Address List
- Off-Site Inventory
- Personnel Location Form
- Hardware/Software Inventory
- People Interviewed
- Preventative Measures
- Sample Application Systems Impact Statement
- Manager Disaster Recovery and Business
- Pandemic Coordinator
- Key Customer Notification List
- Resources Required for Business Continuity
- Critical Resources to Be Retrieved
- Business Continuity Off-Site Materials
- Audit Disaster Recovery Plan Process
- Vendor Disaster Recovery Planning Questionnaire
- Departmental DRP and BCP Activation Workbook
- Web Site Disaster Recovery Planning Form
- General Distribution Information
- Business Pandemic Planning Checklist
- Social Network checklist
ISO 27031 IT Disaster Recovery & Business Continuity Management
ISO 27031 IT Disaster Recovery & Business Continuity Management Course Overview

Enroll for the 5-day ISO 27031 IT Disaster Recovery & Business Continuity Management training and certification course from Koenig Solutions, accredited by Beingcert.
ISO 27031 defines the Information and Communication Technology (ICT) requirements for a Business Continuity (BC) program that supports the mandate for an infrastructure that supports business operations when an event or incident with its related disruptions affects the continuity of critical business functions. This includes security of crucial data as well as enterprise operations. This course focuses on the technical and procedural issues surrounding ICT Service Continuity & Disaster Recovery (DR).
Target Audience
This course is ideal for:
- Supervisors
- ICT Managers and technicians tasked with implementing technical continuity capability
- Anyone involved in strategic or operational IT Service Management
Learning Objectives
Upon completion of this course, participants will learn the following:
- Understanding the ICT requirements for business continuity
- Determining ICT continuity strategies
- Learning how to develop and implement ICT strategies
- Learning how to exercise and test the techniques
- Learning how to maintain, review and improve the system
- Learning how to integrate ICT continuity

Certificate Insurance: 2nd Shot Free
- Koenig will pay for your 2nd attempt if you fail the 1st attempt
- Cost of the 1st attempt is not included
- Related Qubits questions must be attempted with >80% score
- Can be availed within three months of the end of training
- Fee will be 50% of the associated exam
You will learn:
- Why do we need ICT Continuity
- What is ICT Continuity
- Disaster recovery
- Relationship with Business continuity
- The concept of resilience
- The purpose and content of ISO 27031
- What is Business Impact Analysis (BIA)?
- BIA for ICT Continuity
- How to conduct BIA
- The concept of ‘critical’ process
- Presenting BIA summary
- What is information risk?
- Identification of risks
- Risk assessment process
- Quantitative risk assessment
- Determining choices for risk treatment
- Strategies and determining/selection of appropriate ones
- Technical solutions for DR
- Strategies for data protection: backup, restoration and replication
- Telecommunications and networking issues related to DR
- ISO 27031 implementation issues
- How to integrate ISO 27031 with existing BCM
- How to align IT Service Continuity program with ISO 27031
Course Prerequisites
Basic Computer Knowledge


CIR Standard ISO 27031
ISO 27031 contains guidelines regarding how an organisation’s Information and Communication Technology (ICT) can ensure business continuity excellence.
ICT is part of the organisation’s ISMS when preparing and responding to cyber security incidents.
Reference: Chapter 16 ISO 27031
1. Introduction

The Standard covers the various types of events/incidents that impact ICT infrastructure and the recommended practices (ISO 27031, 2011) for managing these cyber security events/incidents to minimise impact and improve recovery times so that critical business functions (CBFs) can resume swiftly. It introduces the term ICT Readiness for Business Continuity (IRBC), which supports BCM. Hence, organisations that choose to adopt this Standard will be able to improve the resiliency of their ICT infrastructures and manage cyber security incidents so that the downtime observed will be minimal.
3. Elements
3.1 Key Competencies and Knowledge
Before an organisation can prepare for or respond to cyber security incidents, it must first identify the information necessary for ICT infrastructures to function and who possesses it. As ICT infrastructures have become an integral component of daily operations, resuming these ICT infrastructures becomes a top priority for organisations. Hence, the availability of the information necessary for ICT infrastructures to function needs to be established.
3.2 Facilities
Having up-to-date facilities minimises the vulnerabilities that cybercriminals can exploit. The organisation has to develop a schedule for installing updates to its ICT infrastructures so that they run the latest versions and the patches implemented reduce the risk of a cyber security attack.
3.3 Technology
An organisation must determine which ICT infrastructures are required for CBFs to operate. This is related to the first point. Certain CBFs require ICT infrastructures in order to be performed so that services/products can continue to be provided to customers. Therefore, organisations must determine which infrastructures are necessary to operate CBFs during peacetime.
3.4 Data
This is not related to the first point. Information refers to knowledge of operating the ICT infrastructure, whereas data refers to customer/employee information, organisational information, etc. Similarly, the data required for ICT infrastructures needs to be identified for the resumption of business functions. Exploitation of organisational data can be prevented through measures such as access control.
3.5 Processes
Measures and procedures must be developed and implemented to manage cybersecurity incidents. The organisation has to establish how elements from 1 to 4 can work together to perform the organisation’s operations. This includes prevention and response measures.
3.6 Suppliers
Organisations have to constantly engage with their suppliers concerning their ICT infrastructures. An example would be the supplier notifying the organisation of a patch being released so that the organisation can create a patching schedule for its infrastructures that minimises the impact on daily operations.
(See Appendix 21 for details on PDCA Model)
Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.
Reference: Chapter 16 Appendix 6: ISO 27031
Note: This version was the draft 2nd Edition being updated in 2023. The numbers in square brackets [X-X] cross-refer to the actual chapter and section in the 1st Edition.

Disaster Recovery Plan (Business Continuity) Template 2022 with Pandemic Planning Checklist and Vendor Partner DR/BC Questionnaire
Nov 03, 2022, 08:30 ET
DUBLIN, Nov. 3, 2022 /PRNewswire/ -- The "Disaster Recovery Plan (Business Continuity) Template - PREMIUM Edition - 2022 Edition" report has been added to ResearchAndMarkets.com's offering.
ISO 27000, CCPA, GDPR, SOX, PCI-DSS & HIPAA Compliant
The Standard for Disaster Planning and Continuity Planning has just added a Pandemic Planning Checklist and a Vendor Partner DR/BC Questionnaire
Over 3,000 companies worldwide have chosen this DRP/BCP Template
In most organizations, Disaster Recovery Planning is the quintessential complex, unfamiliar task. Disasters happen so rarely that recovery operations are the opposite of routine. What's more, the myriad interconnected data, application and other resources that must be recovered after a disaster make recovery an exceptionally difficult and error-prone effort. Even if you have never built a Disaster Recovery plan before, you can achieve great results. Just follow the DR Template and you will have a functioning plan before you know it.
All Business Continuity Disaster Recovery Planning efforts need to encompass how employees will communicate, where they will go and how they will keep doing their jobs. The details can vary greatly, depending on the size and scope of a company and the way it does business. For some businesses, issues such as supply chain logistics are most crucial and are the focus of the plan. For others, information technology may play a more pivotal role, and the Business Continuity Disaster Recovery Plan may have more of a focus on systems recovery.
But the critical point is that neither element can be ignored, and physical, IT and human resources plans cannot be developed in isolation from each other. (In this regard, Business Continuity Planning and Disaster Recovery Planning have much in common with security convergence.) At its heart, Business Continuity Planning and Disaster Recovery Planning processes are about constant communication.
The Disaster Recovery Plan (DRP) is a tool that can be used as a Disaster Planning Template for any size of enterprise. The Disaster Planning Template and supporting material have been updated to be GDPR, CCPA, Sarbanes-Oxley and HIPAA compliant. The template comes as a Word document, a static fully indexed PDF document, and an electronic book in .epub format. The Disaster Planning and Business Continuity Planning Template include:
Preparation for Disaster Recovery and Business Continuity in light of mandated requirements has two primary parts. The first is putting systems in place to completely protect all financial and other data required to meet the reporting regulations and to archive the data to meet future requests for clarification of those reports.
The second is to clearly and expressly document all these procedures so that in the event of a SOX audit, the auditors clearly see that the Disaster Recovery and Business Continuity Plan exists and appropriately protects the data and assets of the enterprise.
The 2022 Edition of the DR/BC Template Includes:
- Using Cloud for DR/BC
- Work From Home lessons learned
- A Vendor Partner DR/BC Questionnaire as an electronic form
- Full job descriptions for Disaster Recovery Manager, Pandemic Coordinator, and Manager DR/BC
- WFH & Telecommuting Policy
- Backup and Backup Retention Policy
- Incident Communication Plan Policy
- Physical and Virtual Server Security Policy
- Social Networking Policy
- Six (6) full infrastructure procedures
- Twenty-Two (22) electronic forms
Security Manual Template
- VP Strategy and Architecture
- Director e-Commerce
- Database Administrator
- Data Security Administrator
- Manager Data Security
- Manager Database
- Manager Disaster Recovery
- Manager Disaster Recovery and Business Continuity
- Pandemic Coordinator
- Manager Facilities and Equipment
- Manager Media Library Support
- Manager Network and Computing Services
- Manager Network Services
- Manager Site Management
- Manager Training and Documentation
- Manager Voice and Data Communication
- Manager Wireless Systems
- Capacity Planning Supervisor
- Disaster Recovery Coordinator
- Disaster Recovery - Special Projects Supervisor
- Network Security Analyst
- System Administrator - Unix
- System Administrator - Windows
25 Job Descriptions
Key Topics Covered:
1. Plan Introduction
- 1.1 Recovery Life Cycle - After a "Major Event"
- 1.2 Mission and Objectives Compliance ISO Compliance Process ISO 27031 Overview ISO 22301 ISO 28000
- 1.3 Disaster Recovery/Business Continuity Scope
- 1.4 Authorization
- 1.5 Responsibility
- 1.6 Key Plan Assumptions
- 1.7 Disaster Definition
- 1.8 Metrics
- 1.9 Disaster Recovery/Business Continuity and Security Basics

2. Business Impact Analysis
- 2.1 Scope
- 2.2 Objectives
- 2.3 Analyze Threats
- 2.4 Critical Time Frame
- 2.5 Application System Impact Statements
- 2.6 Information Reporting
- 2.7 Best Data Practices
- 2.8 Summary

3. Backup Strategy
- 3.1 Site Strategy
- 3.2 Backup Best Practices
- 3.3 Data Capture and Backups
- 3.4 Communication Strategy
- 3.5 Enterprise Data Center Systems - Strategy
- 3.6 Departmental File Servers - Strategy
- 3.7 Wireless Network File Servers - Strategy
- 3.8 Data at Outsourced Sites (Including ISP's) - Strategy
- 3.9 Branch Offices (Remote Offices & Retail Locations) - Strategy
- 3.10 Desktop Workstations (In Office) - Strategy
- 3.11 Desktop Workstations (Off-Site Including At-Home Users) - Strategy
- 3.12 Laptops - Strategy
- 3.13 PDA's and Smartphones - Strategy
- 3.14 BYODs - Strategy
- 3.15 IoT Devices - Strategy

4. Recovery Strategy
- 4.1 Approach
- 4.2 Escalation Plans
- 4.3 Decision Points

5. Disaster Recovery Organization
- 5.1 Recovery Team Organization Chart
- 5.2 Disaster Recovery Team
- 5.3 Recovery Team Responsibilities
- 5.3.1 Recovery Management
- 5.3.2 Damage Assessment and Salvage Team
- 5.3.3 Physical Security
- 5.3.4 Administration
- 5.3.5 Hardware Installation
- 5.3.6 Systems, Applications, and Network Software
- 5.3.7 Communications
- 5.3.8 Operations

6. Disaster Recovery Emergency Procedures
- 6.1 General
- 6.2 Recovery Management
- 6.3 Damage Assessment and Salvage
- 6.4 Physical Security
- 6.5 Administration
- 6.6 Hardware Installation
- 6.7 Systems, Applications & Network Software
- 6.8 Communications
- 6.9 Operations

7. Plan Administration
- 7.1 Disaster Recovery Manager
- 7.2 Distribution of the Disaster Recovery Plan
- 7.3 Maintenance of the Business Impact Analysis
- 7.4 Training of the Disaster Recovery Team
- 7.5 Testing of the Disaster Recovery Plan
- 7.6 Evaluation of the Disaster Recovery Plan Tests
- 7.7 Maintenance of the Disaster Recovery Plan

8. Appendix A - Listing of Attached Materials
- 8.1 Disaster Recovery Business Continuity - Electronic Forms
- 8.2 Safety Program Forms - Electronic Forms
- 8.3 Business Impact Analysis - Electronic Forms
- 8.4 Job Descriptions
- 8.5 Attached Infrastructure Policies
- 8.6 Other Attachments

9. Appendix B - Reference Materials
- 9.1 Preventative Measures
- 9.2 Sample Application Systems Impact Statement
- 9.3 Key Customer Notification List
- 9.4 Resources Required for Business Continuity
- 9.5 Critical Resources to Be Retrieved
- 9.6 Business Continuity Off-Site Materials
- 9.7 Work Plan
- 9.8 Audit Disaster Recovery Plan Process
- 9.9 Departmental DRP and BCP Activation Workbook
- 9.10 Web Site Disaster Recovery Planning Form
- 9.11 General Distribution Information
- 9.12 Disaster Recovery Sample Contract
- 9.13 Ransomware - HIPAA Guidance
- 9.14 Power Requirement Planning Check List
- 9.14 Colocation Checklist

10. Change History
For more information about this report visit https://www.researchandmarkets.com/r/fk3ls8
Media Contact:
Research and Markets
Laura Wood, Senior Manager
[email protected]
For E.S.T Office Hours Call +1-917-300-0470
For U.S./CAN Toll Free Call +1-800-526-8630
For GMT Office Hours Call +353-1-416-8900
U.S. Fax: 646-607-1907
Fax (outside U.S.): +353-1-481-1716
SOURCE Research and Markets

ISO insurance forms are a standardized set of documents that are used in the insurance industry. They provide a uniform way for companies to collect and transmit information about risks. ISO forms are used by insurance companies and agents ...
ISO on a camera stands for International Standards Organization, which is the governing body that sets sensitivity standards for sensors in digital cameras. ISO settings determine how sensitive the camera’s sensor is to light, while taking ...
ISO 27031 is a standard for IT disaster recovery. It's an international standard that specifies how to plan, implement, and maintain
In the planning and implementation of IRBC, an organization can refer to ISO/IEC 24762:2008 in its planning and delivery of ICT disaster recovery services
ISO 27031 provides guidance to business continuity and IT disaster recovery professionals on how to plan for IT continuity and recovery as
In addition, ISO 27031 requires the following processes be defined and included in your DRP: a website disaster planning form, a work plan, an
Last updated on March 11, 2022. Disaster recovery is the ability of an organization to respond to and recover from an event that negatively
In order to be compliant with ISO 22301 & 27031 there are a number of elements
ISO/IEC 27031 provides guidance on the concepts and principles behind the role of Information and Communication Technology in ensuring business continuity. The
The Risk Assessment stages based on ISO 27031 are as follows: 1. Identify the potential failure mode. 2. Determine the potential impact on ICT services; the