How good are your disaster recovery plans? Is it just a “DR plan” or does it cover what your business actually does?

As an ISO27001 implementer and auditor I have always been very keen on seeing good BCP/DR plans, because (should the control be selected) they are a requirement of ISO27001. The controls say that plans must be drawn up to ensure continuity of security during a disaster, that these plans must be tested at regular intervals, and that information processing facilities must have “sufficient redundancy” to meet availability requirements.

If you have ISO27001 you probably have a DR (Disaster Recovery) or BCP (Business Continuity Plan) (Yes, they are different things!) that addresses the points above but is that enough?

There is another ISO standard, “ISO22301”, that organisations can certify to, but this is where many organisations fall down. The biggest problem I encounter as a consultant is:

“Yes, we have a DR plan. Basically, we go work from home/Starbucks/MD house”

If it’s documented well and you have considered security, tested it and verified it, this might get you through ISO27001, but not ISO22301.

ISO22301 takes a much more in depth look at your business continuity plans. Think about what your business does and how would activities continue in the event of a problem. Think about being able to continue business activities rather than just recovering your systems. That is the fundamental difference between DR and BCP.

ISO22301 follows the same format as all other management system standards (called Annex SL), so you still have “Plan, Do, Check, Act” when implementing a business continuity management system. The standard also requires many documents, one of which is a “Business Impact Assessment” (BIA). List the types of activities your business does. It’s probably more than you think, for example:

  • Accounts
  • Sales
  • Marketing
  • HR
  • Logistics
  • Suppliers
  • Business Activities (This may be many departments)
  • IT Systems (May be many systems, which need to be recovered first to support the above)
  • Telecoms (as above)

How long can each of the above stop before it starts to have an impact on your business? 3 hours? 1 day? 1 week? 1 month? This gives us a metric called the “RTO” – Recovery Time Objective. This is not a document to be produced on the fly; it needs a real understanding of how the business works, what needs to be returned to normal, and in what order. Understanding the BIA is a very important step in ISO22301, but let’s not forget:
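To show how the RTOs and the “which must be recovered first” ordering from a BIA fit together, here is an added worked example (it is not part of the original post and not a tool from any standard). The activities, their RTOs in hours and their dependencies are constructed sample data; the two checks are the ones a BCP reviewer would actually want: does any supporting system (IT, telecoms, a supplier) have a looser RTO than the business activity that relies on it, and in what order should things be brought back so nothing is restored before what it depends on?

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Activity:
    """One line of a Business Impact Assessment (constructed example structure)."""
    name: str
    rto_hours: int                      # how long the activity can be down before impact
    depends_on: List[str] = field(default_factory=list)


# Constructed sample BIA: numbers are illustrative, not from the original post.
SAMPLE_BIA: Dict[str, Activity] = {
    a.name: a for a in [
        Activity("Telecoms", 3),
        Activity("IT Systems", 3, ["Telecoms"]),
        Activity("Accounts", 24, ["IT Systems"]),
        Activity("Sales", 3, ["IT Systems", "Telecoms"]),
        Activity("Marketing", 168, ["IT Systems"]),
        Activity("HR", 720, ["IT Systems"]),
        Activity("Logistics", 24, ["IT Systems", "Suppliers"]),
        Activity("Suppliers", 48),
    ]
}


def check_rto_consistency(bia: Dict[str, Activity]) -> List[str]:
    """Flag every case where something an activity depends on may take longer
    to recover than the activity itself can tolerate (an RTO you cannot meet)."""
    findings: List[str] = []
    for act in bia.values():
        for dep in act.depends_on:
            if dep not in bia:
                findings.append(f"{act.name} depends on {dep}, which has no BIA entry")
            elif bia[dep].rto_hours > act.rto_hours:
                findings.append(
                    f"{dep} has RTO {bia[dep].rto_hours}h but {act.name}, "
                    f"which depends on it, has RTO {act.rto_hours}h"
                )
    return findings


def recovery_order(bia: Dict[str, Activity]) -> List[str]:
    """Dependency-first recovery sequence (a topological order), choosing the
    tightest RTO among the activities whose dependencies are already back."""
    remaining = dict(bia)
    order: List[str] = []
    while remaining:
        ready = [
            a for a in remaining.values()
            if all(d in order or d not in bia for d in a.depends_on)
        ]
        if not ready:  # every remaining activity waits on another remaining one
            raise ValueError("circular dependency in BIA: " + ", ".join(sorted(remaining)))
        nxt = min(ready, key=lambda a: (a.rto_hours, a.name))
        order.append(nxt.name)
        del remaining[nxt.name]
    return order


if __name__ == "__main__":
    for finding in check_rto_consistency(SAMPLE_BIA):
        print("RTO problem:", finding)
    print("Recovery order:", " -> ".join(recovery_order(SAMPLE_BIA)))
```

On the sample data the consistency check catches the classic gap: Logistics is given a one-day RTO but relies on Suppliers, who have only been asked for two days. That is exactly the kind of mismatch that a BIA written “on the fly” hides, and it is a conversation to have with the supplier before, not during, the disaster.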

“Yes, we have a DR plan. Basically, we go work from home/Starbucks/MD house”

Ok, so how is this done? Do staff know the policy? How do they get there? Who tells them? When should they be told? What if they can’t do that? Is this appropriate? Is there enough space, technology and time? Who is in charge and who does what?

It’s not as simple as going to a coffee shop with Wi-Fi and saying “yes, I can work from here”. What about your suppliers: how do they deal with an emergency? If your IT supplier is in the vicinity and there is a city-wide power cut, how will they get you back up and running? The agreement with the office “across the road” to use their space is great, but what if your building burns down and they have to be evacuated too?

It’s important to follow the Plan, Do, Check, Act cycle. As ever, if you need help, please contact me!
