ISO/IEC 27031 Information technology -- Security techniques -- Guidelines for ICT Readiness for Business Continuity (final committee draft)
ISO/IEC 27031 will describe the concepts and principles behind the role of information and communications technology in ensuring business continuity.
The standard will:
- Provide a framework (methods and processes) for any organization – private, governmental, and non-governmental;
- Identify and specify all relevant aspects, including performance criteria, design, and implementation details, for improving ICT readiness as part of the organization’s ISMS, helping to ensure business continuity;
- Enable an organization to measure its continuity, security and hence readiness to survive a disaster in a consistent and recognized manner.
The scope of this standard encompasses all events and incidents (including security related) that could have an impact on ICT infrastructure and systems. It includes and extends the practices of information security incident handling and management and ICT readiness planning and services.
ICT Readiness for Business Continuity (IRBC) [a general term for the processes described in the standard] supports Business Continuity Management “by ensuring that the ICT services are as resilient as appropriate and can be recovered to pre-determined levels within timescales required and agreed by the organization.”
ICT readiness is important for business continuity purposes because:
- ICT is prevalent and many organizations are highly dependent on ICT supporting critical business processes;
- ICT also supports incident, business continuity, disaster, and emergency response and related management processes;
- Business continuity planning is incomplete without adequately considering and protecting ICT availability and continuity.
ICT readiness encompasses:
- Preparing the organization’s ICT (infrastructure, operations and applications), plus the associated processes and people, against unforeseeable events that could change the risk environment and impact ICT and business continuity;
- Leveraging and streamlining resources among business continuity, disaster recovery, emergency response and ICT security incident response and management activities.
ICT readiness should reduce the impact (extent and/or duration) of information security incidents on the organization.
The standard will incorporate the cyclical PDCA approach beloved of ISO 9000, extending the conventional business continuity planning process to take greater account of ICT. It will incorporate ‘failure scenario assessment methods’ such as FMEA (Failure Modes and Effects Analysis), with a focus on identifying ‘triggering events’ that could precipitate serious incidents.
The SC27 team responsible for ISO/IEC 27031 has liaised with ISO Technical Committee 233 on business continuity, to ensure alignment and avoid overlap or conflict. The FCD advises: “If an organization is using ISO/IEC 27001 to establish Information Security Management System (ISMS), and/or using ISO 2239PAS or ISO 23301 to establish Business Continuity Management System (BCMS), the establishment of IRBC should preferably take into consideration existing or intended processes linked to these standards. This linkage may support the establishment of IRBC and also avoid any dual processes for the organization.”
ISO/IEC 27031 was originally going to be a multi-part standard, but this was changed to two parts (a formal specification plus a guideline) and finally reduced to a single part (just the guideline). The standard is now at Final Committee Draft stage and seems likely to be published during 2010. Note that the title now indicates this is a guideline, not a specification.
Note: An ISO/IEC standard on ICT Disaster Recovery has been released as ISO/IEC 24762:2008, outside the ISO27k family. For more information, see the other standards page.