ISO IEC 27031:2011 download

05-23-2021

ISO IEC 27031:2011 download. Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity.
1 Scope
ISO IEC 27031 describes the concepts and principles of information and communication technology (ICT) readiness for business continuity, and provides a framework of methods and processes to identify and specify all aspects (such as performance criteria, design, and implementation) for improving an organization's ICT readiness to ensure business continuity. It applies to any organization (private, governmental, and non-governmental, irrespective of size) developing its ICT readiness for business continuity (IRBC) program, and requiring its ICT services/infrastructures to be ready to support business operations in the event of emerging events and incidents, and related disruptions, that could affect continuity (including security) of critical business functions. It also enables an organization to measure performance parameters that correlate to its IRBC in a consistent and recognized manner.
The scope of ISO IEC 27031 encompasses all events and incidents (including security related) that could have an impact on ICT infrastructure and systems. It includes and extends the practices of information security incident handling and management and ICT readiness planning and services.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC TR 18044:2004, Information technology — Security techniques — Information security incident management
ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary
ISO/IEC 27001, Information technology — Security techniques — Information security management systems — Requirements
ISO/IEC 27002, Information technology — Security techniques — Code of practice for information security management
ISO/IEC 27005, Information technology — Security techniques — Information security risk management.
5.4 Outcomes and benefits of IRBC
The benefits of effective IRBC for the organization are that it:
a) understands the risks to continuity of ICT services and their vulnerabilities;
b) identifies the potential impacts of disruption to ICT services;
c) encourages improved collaboration between its business managers and its ICT service providers (internal and external);
d) develops and enhances competence in its ICT staff by demonstrating credible responses through exercising ICT continuity plans and testing IRBC arrangements;
e) provides assurance to top management that it can depend upon predetermined levels of ICT services and receive adequate support and communications in the event of a disruption;
f) provides assurance to top management that information security (confidentiality, integrity and availability) is properly preserved, ensuring adherence to information security policies;
g) provides additional confidence in the business continuity strategy through linking investment in IT solutions to business needs and ensuring that ICT services are protected at an appropriate level given their importance to the organization;
h) has ICT services that are cost-effective and not under- or over-invested through an understanding of the level of its dependence on those ICT services, and the nature, location, interdependence and usage of components that make up the ICT services;
i) can enhance its reputation for prudence and efficiency;
j) potentially gains competitive advantage through the demonstrated ability to deliver business continuity and maintain product and service delivery in times of disruption; and
k) understands and documents stakeholders' expectations and their relationships with, and use of, ICT services.
Thus IRBC provides a meaningful way to determine the status of an organization's ICT services in supporting its business continuity objectives by addressing the question "is our ICT capable of responding?" rather than "is our ICT secure?".
5.5 Establishing IRBC
IRBC is likely to be more efficient and cost effective when designed and built into ICT services from their inception as part of an IRBC strategy which supports the organization's BC objectives. This ensures that ICT services are better built, better understood and more resilient. Retrofitting IRBC can be complex, disruptive and expensive.
The organization should develop, implement, maintain and continually improve a set of documented processes which will support IRBC.
These processes should ensure that the IRBC objectives are clearly stated, understood and communicated, and top management's commitment to IRBC is demonstrated.
Figure 5 presents graphically the activities in the different stages of IRBC.
e) cooling requirements;
f) power requirements;
g) the use of unstaffed (dark) sites as opposed to staffed sites;
h) telecoms connectivity and redundant routing;
i) the nature of fallback (whether manual intervention is required to activate alternative ICT provision or whether this needs to occur automatically);
j) level of automation required;
k) technology obsolescence; and
l) outsourced service provider's connectivity and other external links.
Data
Additionally, critical business activities may depend on the provision of up-to-date or near-up-to-date data. Data continuity solutions should be designed to meet the Recovery Point Objectives (RPO) of each critical business activity of the organization as they relate to the critical business activities.
The selected IRBC options should ensure the ongoing confidentiality, integrity and availability of critical data that support critical activities (see ISO/IEC 27001 and ISO/IEC 27002).
Data storage and IRBC strategies should meet the organization's business continuity requirements, and should take account of:
a) RPO requirements;
b) how data are securely stored, e.g. disk, tape or optical media; appropriate backup and restoration mechanisms should be in place to ensure the data are secure and in a safe environment;
c) where information is stored, transported or transmitted, distance, location, network links, etc. (onsite, offsite or third party) and expected timescales for the retrieval of backup media; and
d) restore timescales, driven by the volume of data, how they are stored and the complexity of the technical restore process, along with the requirements of the service user and the needs of organizational continuity.
An understanding of the end-to-end use of data throughout the organization is critical. This may include information feeds to and from third parties.
It should be remembered that the nature, currency and value of data will vary enormously within an organization.
6.4.2.5 Processes
In selecting its IRBC strategy, the organization should consider the processes necessary to ensure the viability of that strategy, including those necessary in incident prevention, incident detection, incident response and disaster recovery. The organization should also identify any factors necessary for the effective implementation of those individual processes, e.g., key skill sets, critical data, key enabling technologies, or critical equipment / facilities.
8.4 Measurement of ICT Readiness Performance Criteria
8.4.1 Monitoring and measurement of ICT Readiness
The organization should monitor and measure its ICT readiness through the implementation of a measurement process for the defined ICT Readiness Performance Criteria (refer to 6.7).
8.4.2 Quantitative and Qualitative Performance Criteria
Performance criteria for IRBC may be qualitative or quantitative.
Quantitative criteria may include:
a) over a given period of time, the number of incidents that have not been detected prior to disruption (this can provide an indication of the completeness of detection and alert mechanisms);
b) detection time for incidents;
c) number of incidents that cannot be effectively contained to reduce impact;
d) availability of data sources to indicate emergence of incidents through trend monitoring of events; and
e) time to react and respond to detected emerging incidents.
Qualitative criteria are subjective when used to determine the performance of IRBC but usually require less resource in the measurement process (which may be appropriate for a small or medium size organization which is subject to resource constraint). They may include determining the efficiency of the processes used in planning, preparing, and executing the activities of IRBC and can be measured through:
a) survey using structured or unstructured questionnaire;
b) feedback from participants and stakeholders;
c) conduct of feedback workshops; and
d) other focused group meetings.
9 IRBC improvement
9.1 Continual improvement
The organization should continually improve IRBC through the application of preventive and corrective actions which are appropriate to the potential impacts determined by the organization's business impact analysis (BIA) and its risk appetite.
9.2 Corrective action
The organization should take action to correct any actual failure of ICT service and elements of IRBC. The documented procedure for corrective action should define requirements for
a) identifying the failures;
b) determining the causes of failures;
c) evaluating the need for actions to ensure that nonconformities do not recur.
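One way to turn the quantitative criteria a), b), c) and e) of 8.4.2 into numbers over an incident register, as an added example that is not part of ISO/IEC 27031 (the record layout, field names, measurement period and sample incidents are assumptions):

```python
# Added example, not text of ISO/IEC 27031: scores the quantitative IRBC criteria
# of 8.4.2 a), b), c), e) over constructed incident records (layout assumed).
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

@dataclass
class Incident:
    name: str
    started: datetime              # when the incident actually began
    detected: Optional[datetime]   # None: never picked up by monitoring
    disrupted: Optional[datetime]  # when a service was disrupted, if at all
    responded: Optional[datetime]  # first response action, if any
    contained: bool                # impact effectively contained
def _median_minutes(pairs):
    """Median minutes between (earlier, later) timestamp pairs, or None."""
    t = [(b - a).total_seconds() / 60 for a, b in pairs]
    return median(t) if t else None
def undetected_before_disruption(incidents):
    """8.4.2 a): incidents that disrupted service before (or without) detection."""
    return [i.name for i in incidents if i.disrupted is not None
            and (i.detected is None or i.detected > i.disrupted)]
def median_detection_minutes(incidents):
    """8.4.2 b): median start-to-detection time over detected incidents."""
    return _median_minutes((i.started, i.detected) for i in incidents if i.detected)
def not_contained(incidents):
    """8.4.2 c): incidents whose impact could not be effectively contained."""
    return [i.name for i in incidents if not i.contained]
def median_response_minutes(incidents):
    """8.4.2 e): median detection-to-first-response time."""
    return _median_minutes((i.detected, i.responded) for i in incidents
                           if i.detected and i.responded)
def scorecard(incidents, start, end):
    """Criteria a), b), c), e) for incidents begun in [start, end); d) not computed."""
    p = [i for i in incidents if start <= i.started < end]
    return {"a_undetected": undetected_before_disruption(p),
            "b_detect_min": median_detection_minutes(p),
            "c_uncontained": not_contained(p),
            "e_respond_min": median_response_minutes(p)}

# Constructed sample records; t(h, m) offsets a fixed reference time.
T = datetime(2021, 5, 1)
t = lambda h=0, m=0: T + timedelta(hours=h, minutes=m)
SAMPLE = [  # name, started, detected, disrupted, responded, contained
    Incident("db-disk-full", T, t(m=5), t(m=40), t(m=15), True),
    Incident("wan-link-flap", t(1), t(1, 30), t(1, 2), t(1, 35), True),
    Incident("ransomware-on-share", t(2), None, t(3), None, False),
]
```

Criterion d) (availability of trend data sources) is a judgement about the monitoring estate rather than a figure derived from the register, so it is left out of the scorecard.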
