ISO/IEC 27031:2011 Information technology — Security techniques — Guidelines for information and communications technology readiness for business continuity
ISO/IEC 27031 provides guidance on the concepts and principles behind the role of information and communications technology in ensuring business continuity.
Suggests a structure or framework (actually a set of methods and processes) for any organization – private, governmental, and non-governmental
Identifies and specifies all relevant aspects including performance criteria, design, and implementation details, for improving ICT readiness as part of the organization’s ISMS, helping to ensure business continuity.
Enables an organization to measure its ICT continuity, security and hence readiness to survive a disaster in a consistent and recognized manner.
Scope and purpose
The standard encompasses all events and incidents (not just information security related) that could have an impact on ICT infrastructure and systems. It therefore extends the practices of information security incident handling and management, ICT readiness planning and services.
ICT Readiness for Business Continuity (IRBC) [a general term for the processes described in the standard] supports Business Continuity Management (BCM) “by ensuring that the ICT services are as resilient as appropriate and can be recovered to pre-determined levels within timescales required and agreed by the organization.”
ICT readiness is important for business continuity purposes because:
ICT is prevalent and many organizations are highly dependent on ICT supporting critical business processes;
ICT also supports incident, business continuity, disaster and emergency response, and related management processes;
Business continuity planning is incomplete without adequately considering and protecting ICT availability and continuity.
ICT readiness encompasses:
Preparing organization’s ICT (i.e. the IT infrastructure, operation and applications), plus the associated processes and people, against unforeseeable events that could change the risk environment and impact ICT and business continuity;
Leveraging and streamlining resources among business continuity, disaster recovery, emergency response and ICT security incident response and management activities.
ICT readiness should of course reduce the impact (meaning the extent, duration and/or consequences) of information security incidents on the organization.
The standard incorporates the Deming cyclical PDCA approach beloved of ISO 9000, extending the conventional business continuity planning process to take greater account of ICT. It incorporates ‘failure scenario assessment methods’ such as FMEA (Failure Modes and Effects Analysis), with a focus on identifying ‘triggering events’ that could precipitate more or less serious incidents.
The SC 27 team responsible for ISO/IEC 27031 liaised with ISO Technical Committee 233 on business continuity, to ensure alignment and avoid overlap or conflict. The FCD advised: “If an organization is using ISO/IEC 27001 to establish Information Security Management System (ISMS), and/or using ISO 2239PAS or ISO 23301 to establish Business Continuity Management System (BCMS), the establishment of IRBC should preferably take into consideration existing or intended processes linked to these standards. This linkage may support the establishment of IRBC and also avoid any dual processes for the organization.”
Status of the standard
ISO/IEC 27031 was originally intended to be a multi-part standard but this was changed to two parts (a formal specification plus a guideline) and finally reduced to a single part (just the guideline) which was published in March 2011.
It is available for CHF140 from the ISO/IEC webstore.
An ISO/IEC standard on ICT Disaster Recovery has been released as ISO/IEC 24762:2008, outside the ISO27k family. For more information, see the other standards page.
ISO TC233 is working on other business continuity standards including ISO 22301.
I am relieved that this standard mentions resilience to as well as recovery from disastrous situations: these are complementary approaches. ICT disaster recovery has been a major focus for years but resilience is finally achieving the wider recognition it deserves.
Many information security controls concern preventing, avoiding or at least reducing the probability of incidents affecting information assets. They are mostly intended to work prior to incidents. They are well served by the ISO27k and other standards.
Incident and crisis management controls cover the para-incident period. They too are fairly well covered by ISO27k and other standards. Resilience controls work in this timeframe too, ensuring that vital business operations are not materially degraded or halted by incidents, but until this standard was released, they have not been well covered by ISO27k. Personally, I think there is a lot more to be said about resilience! This standard doesn’t go nearly far enough on that score. I’m not sure if ISO 22301 even mentions the word, resilience.
Disaster Recovery controls come into effect after incidents, usually some time later, when failed or seriously degraded ICT systems, services, business processes etc. are bootstrapped. The period between disaster and recovery can cause serious issues for the organizations concerned: in the worst case, they may not survive. DR has been flogged to death by previous standards to the extent that DR, rather than avoidance/prevention and resilience, is often considered the primary control for disasters. That’s plain wrong to me. As far as I’m concerned, DR is about discontinuity management!