Information and Communication Technology (ICT) has become an integral part of many of the activities that make up the critical infrastructures of all organisational sectors, whether public, private or voluntary. The proliferation of the Internet and other electronic networking services, and the capabilities of today's systems and applications, have also meant that organisations have become ever more reliant on reliable, safe and secure ICT infrastructures. Meanwhile, the need for business continuity, including incident preparedness, disaster recovery planning, and emergency response and management, has been recognised. Failures of ICT services, including security incidents such as system intrusions and malware infections, directly affect the continuity of business operations, so managing ICT continuity and the related security aspects forms a key part of business continuity requirements.
In the majority of cases the critical business functions that require business continuity depend on ICT. This dependence means that disruptions to ICT can constitute strategic risks to the reputation of the organisation and its ability to operate. ICT readiness is therefore an essential component of the implementation of business continuity and information security in many organisations, and developing and implementing a readiness plan for ICT services is critical to ensuring business continuity. As a result, effective business continuity frequently depends on effective ICT readiness to ensure that the organisation's objectives can continue to be met in times of disruption. This is particularly important because the consequences of disruptions to ICT often have the added complication of being invisible or difficult to detect.
In order for an organisation to achieve ICT readiness for business continuity, it needs to put in place a systematic process to prevent, predict and manage ICT disruptions and incidents that have the potential to disrupt ICT services.
Control
ICT readiness should be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.
Purpose
To ensure the availability of the organization’s information and other associated assets during disruption.
ISO 27002 Implementation Guidance
ICT readiness for business continuity is an important component in business continuity management and information security management to ensure that the organization’s objectives can continue to be met during disruption. The ICT continuity requirements are the outcome of the business impact analysis (BIA). The BIA process should use impact types and criteria to assess the impacts over time resulting from the disruption of business activities that deliver products and services. The magnitude and duration of the resulting impact should be used to identify prioritized activities which should be assigned a recovery time objective (RTO). The BIA should then determine which resources are needed to support prioritized activities. An RTO should also be specified for these resources. A subset of these resources should include ICT services. The BIA involving ICT services can be expanded to define performance and capacity requirements of ICT systems and recovery point objectives (RPO) of information required to support activities during disruption. Based on the outputs from the BIA and risk assessment involving ICT services, the organization should identify and select ICT continuity strategies that consider options for before, during and after disruption. The business continuity strategies can comprise one or more solutions. Based on the strategies, plans should be developed, implemented and tested to meet the required availability level of ICT services and in the required time frames following interruption to, or failure of, critical processes. The organization should ensure that:
a) an adequate organizational structure is in place to prepare for, mitigate and respond to a disruption, supported by personnel with the necessary responsibility, authority and competence;
b) ICT continuity plans, including response and recovery procedures detailing how the organization is planning to manage an ICT service disruption, are:
1) regularly evaluated through exercises and tests;
2) approved by management;
c) ICT continuity plans include the following ICT continuity information:
1) performance and capacity specifications to meet the business continuity requirements and objectives as specified in the BIA;
2) the RTO of each prioritized ICT service and the procedures for restoring its components;
3) the RPO of the prioritized ICT resources defined as information and the procedures for restoring that information.
Other information
Managing ICT continuity forms a key part of business continuity requirements concerning availability to be able to:
a) respond and recover from disruption to ICT services regardless of the cause.
b) ensure continuity of prioritized activities are supported by the required ICT services.
c) respond before a disruption to ICT services occurs, and upon detection of at least one incident that can result in a disruption to ICT services.
Further guidance on ICT readiness for business continuity can be found in ISO/IEC 27031. Further guidance on business continuity management systems can be found in ISO 22301 and ISO 22313. Further guidance on BIA can be found in ISO/TS 22317.
“ICT readiness for business continuity” defines the business continuity management requirements for information security in much more specific terms. The control includes the availability requirements based on the results of the Business Impact Analysis (BIA). Two key elements of disaster recovery are addressed. When assessing the Business Impact Analysis, the following points must be considered:
Recovery Time Objective (RTO) – How long can a business process/system be down? The RTO is the maximum time that may elapse from the moment of damage until business processes are fully restored (recovery of infrastructure, recovery of data, reprocessing of data, resumption of activities). It can range from 0 minutes (the system must be available immediately) to several days, in some cases weeks.
Recovery Point Objective (RPO) – How much data loss can be accepted? The RPO is the maximum age of the data that must be recoverable, i.e. how much data and how many transactions may be lost between the last usable backup (or replica) and the system failure. Because a failure just before the next scheduled backup loses a full backup interval, the interval between backups must be no longer than the RPO. If no data loss is acceptable, the RPO is 0 seconds, which can only be met by synchronous replication, not by periodic backups.
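The two targets are easiest to reason about when they are checked mechanically. The following script is an added example, not part of the ISO text or of this article: it holds a small service catalogue with agreed RTO, RPO and backup interval, flags the design error of a backup interval longer than the RPO, evaluates constructed timestamps from a continuity exercise against the targets, and orders services for recovery by shortest RTO first. Service names, timestamps and intervals are constructed for illustration.

```python
"""Evaluate an ICT continuity exercise against agreed RTO/RPO targets.

Added example, not part of the ISO text or the article. The service
catalogue, backup intervals and exercise timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ServiceTarget:
    """RTO/RPO agreed for one prioritised ICT service (outputs of the BIA)."""
    name: str
    rto: timedelta              # longest tolerable outage
    rpo: timedelta              # oldest tolerable restore point (data age at failure)
    backup_interval: timedelta  # how often a restorable copy is actually taken


@dataclass(frozen=True)
class ExerciseRecord:
    """Timestamps captured during one continuity test run for a service."""
    name: str
    failure_at: datetime
    last_good_backup_at: datetime
    restored_at: datetime


def design_findings(target: ServiceTarget) -> list:
    """Checks that can be made on paper, before any exercise is run.

    A failure just before the next scheduled backup loses roughly one full
    interval of data, so the interval must not exceed the RPO. An RPO of zero
    can only be met by synchronous replication, never by periodic copies.
    """
    findings = []
    if target.backup_interval > target.rpo:
        findings.append(
            f"{target.name}: backup interval {target.backup_interval} exceeds "
            f"RPO {target.rpo}; worst-case loss is one full interval"
        )
    return findings


def evaluate_exercise(target: ServiceTarget, record: ExerciseRecord) -> dict:
    """Compare what a test run actually achieved with the agreed RTO and RPO."""
    if record.name != target.name:
        raise ValueError("exercise record does not belong to this service")
    if record.last_good_backup_at > record.failure_at:
        raise ValueError("last good backup cannot post-date the failure")
    if record.restored_at < record.failure_at:
        raise ValueError("restoration cannot precede the failure")

    recovery_time = record.restored_at - record.failure_at      # measured against RTO
    data_loss = record.failure_at - record.last_good_backup_at  # measured against RPO

    findings = design_findings(target)
    if recovery_time > target.rto:
        findings.append(f"{target.name}: RTO breached, restored in {recovery_time} (target {target.rto})")
    if data_loss > target.rpo:
        findings.append(f"{target.name}: RPO breached, lost {data_loss} of data (target {target.rpo})")

    return {"service": target.name, "recovery_time": recovery_time,
            "data_loss": data_loss, "findings": findings}


def recovery_order(targets) -> list:
    """Shortest RTO first: the order in which services should be brought back."""
    return [t.name for t in sorted(targets, key=lambda t: t.rto)]


# Constructed sample catalogue and exercise results (not real services).
TARGETS = [
    ServiceTarget("payments-api", rto=timedelta(hours=1),
                  rpo=timedelta(minutes=15), backup_interval=timedelta(minutes=15)),
    ServiceTarget("hr-portal", rto=timedelta(hours=8),
                  rpo=timedelta(hours=24), backup_interval=timedelta(hours=24)),
    ServiceTarget("reporting", rto=timedelta(hours=72),
                  rpo=timedelta(hours=4), backup_interval=timedelta(hours=6)),
]
T0 = datetime(2024, 5, 13, 10, 0)  # simulated failure time for every service
EXERCISE = [
    ExerciseRecord("payments-api", T0, T0 - timedelta(minutes=10), T0 + timedelta(minutes=45)),
    # the previous night's backup job had failed, so the last good copy is 32 h old
    ExerciseRecord("hr-portal", T0, datetime(2024, 5, 12, 2, 0), T0 + timedelta(hours=2)),
    ExerciseRecord("reporting", T0, T0 - timedelta(hours=2), T0 + timedelta(hours=23)),
]


def run_exercise_report(targets=TARGETS, records=EXERCISE) -> dict:
    """Evaluate every service that has an exercise record, keyed by service name."""
    by_name = {t.name: t for t in targets}
    return {r.name: evaluate_exercise(by_name[r.name], r) for r in records}


if __name__ == "__main__":
    print("recovery order:", recovery_order(TARGETS))
    for result in run_exercise_report().values():
        status = "OK" if not result["findings"] else "FAIL"
        print(f"{result['service']:<13} {status}  recovery={result['recovery_time']}  loss={result['data_loss']}")
        for finding in result["findings"]:
            print("   -", finding)
```

Run as a script, the report shows payments-api within both targets, hr-portal meeting its RTO but breaching its RPO because of the failed backup job, and reporting meeting both measured targets while still carrying a design finding: a six-hour backup interval can never guarantee a four-hour RPO, which an exercise that happens to fail shortly after a backup would not reveal.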
Based on the results of the BIA, contingency strategies are to be defined for the ICT resources, with contingency options for before, during and after interruptions. Based on these strategies, contingency plans are to be developed, implemented and tested. In doing so, the organisation is required to:
- implement an adequate organisational structure to deal with business interruptions;
- have ICT contingency plans that are regularly tested and approved by management;
- have ICT plans that include performance and capacity specifications to meet the requirements from the BIA, as well as RTOs and RPOs.
ICT Readiness for Business Continuity can be achieved by
- Protect—Protecting the ICT environment from environmental failures, hardware failures, operations errors, malicious attack and natural disasters is critical to maintaining the desired levels of system availability for an organization.
- Detect—Detecting incidents at the earliest opportunity minimizes the impact to services, reduces the recovery efforts and preserves the quality of service.
- React—Reacting to an incident in the most appropriate manner leads to a more efficient recovery and minimizes any downtime. Reacting poorly can result in a minor incident escalating into something more serious.
- Recover—Identifying and implementing the appropriate recovery strategy will ensure the timely resumption of services and maintain the integrity of data. Understanding the recovery priorities allows the most critical services to be reinstated first. Services of a less-critical nature may be reinstated at a later time or, in some circumstances, not at all.
- Operate—Operating in disaster recovery mode until return to normal is possible may require some time and necessitate “scaling up” disaster recovery operations to support increasing business volumes that need to be serviced over time.
- Return—Devising a strategy for every IT continuity plan allows an organization to migrate back from disaster recovery mode to a position in which it can support normal business.
ICT Readiness for Business Continuity supports Business Continuity Management by ensuring that the ICT services are as resilient as appropriate and can be recovered to pre-determined levels within timescales required and agreed by the organisation. This control enables an organisation to measure its ICT continuity, security and hence readiness to survive a disaster in a consistent and recognized manner. ICT readiness encompasses preparing the organisation’s ICT (i.e. the IT infrastructure, operations and applications), plus the associated processes and people, against unforeseeable events that could change the risk environment and impact ICT and business continuity. It also helps in leveraging and streamlining resources among business continuity, disaster recovery, emergency response and ICT security incident response and management activities. ICT readiness reduces the impact (meaning the extent, duration and/or consequences) of information security incidents on the organisation. ICT readiness is important for business continuity purposes because:
- ICT is prevalent and many organisations are highly dependent on ICT supporting critical business processes;
- ICT also supports incident, business continuity, disaster and emergency response, and related management processes;
- Business continuity planning is incomplete without adequately considering and protecting ICT availability and continuity.
Processes and procedures created under this control should be drafted following a thorough BIA that considers how an organisation needs to react when experiencing operational disruption. A BIA should make use of differing impact types and organisation-specific variables to gauge how business continuity will be affected should any or all products and services be rendered unavailable or inoperable by any level of disruption. Organisations should use two key variables to formulate an agreed-upon RTO that sets clear goals for the resumption of normal operations:
- the magnitude of the impact of the disruption
- the duration of the impact of the disruption
Within their BIA, organisations should be able to specify precisely which ICT services and functions are required to achieve recovery, including individual performance and capacity requirements. Organisations should undergo a risk assessment that evaluates their ICT systems and forms the basis of an ICT continuity strategy (or strategies) that bolsters recovery prior to, during and following a period of disruption. Once a strategy has been agreed, specific processes and plans should be put in place to ensure that ICT services are resilient and adequate enough to contribute to the recovery of critical processes and systems before, during and after disruption. On the organisational structure behind ICT continuity plans, the control outlines three main guidance points:
- ICT incidents often require quick decisions to be made relating to information security by senior members of staff, in order to expedite recovery.
- Organisations need to maintain a robust chain of command that includes competent individuals with the ability to make authoritative decisions on technical matters related to business continuity and RTO adherence.
- Organisational structures need to be up to date and widely communicated, to facilitate adequate communication and speed up recovery times.
ICT continuity plans should be given a great deal of attention, including regular testing and evaluations, and approval by senior management. Organisations should conduct test runs to gauge their effectiveness, and measure key metrics such as response and resolution times. ICT continuity plans should contain the following information:
- the performance and capacity requirements of any systems or processes used in recovery efforts
- a clear RTO for each ICT service in question, and how the organisation aims to restore it
- a clear RPO for each ICT resource consisting of information, together with the procedures that ensure the information can be restored
The benefits of ICT readiness for business continuity
Through ICT readiness for business continuity, an organisation:
- understands the risks to the continuity of its ICT services and their vulnerabilities
- identifies the potential impacts of disruption to ICT services
- encourages improved collaboration between its business managers and its ICT service providers (internal and external)
- develops and enhances competence in its ICT staff by demonstrating credible responses through exercising ICT continuity plans and testing its ICT readiness for business continuity (IRBC) arrangements
- provides assurance to top management that it can depend upon predetermined levels of ICT service and receive adequate support and communications in the event of a disruption
- provides assurance to top management that information security (confidentiality, integrity and availability) is properly preserved, ensuring adherence to information security policies
- gains additional confidence in the business continuity strategy by linking investment in IT solutions to business needs and ensuring that ICT services are protected at a level appropriate to their importance to the organisation