
BCM & ICT Continuity Standards: What are their purposes and how can they work together?

Ron Miller, Principal Consultant

www.sungard.co.uk

What I'll be covering

- ISO 27031 and ISO 24762: why?
- ICT continuity standards: key content and guidance (principles, elements)
- The relationships and integration with the GPG, BS 25999 and ISO 22301
- ICT recovery versus resilience, addressing common issues

2010 SunGard. | www.sungard.co.uk

It was all about IT DR


BCM growth

(Chart: adoption of BCM across sectors over time. Sectors shown: IT, Big Business, Public Sector, Medium Business. Time axis: 1970s, 1980s, 1990s, 2000s.)


BS 25999: British Standard for Business Continuity Management

- Provided guidance for organizations of all sizes, in all sectors
- What they should do to:
  - Enhance resilience
  - Provide restoration of key products and services
  - Deliver proven capability to manage disruption
- (but not how they do it!)


BCM Lifecycle (BS 25999)

- Widely adopted in the UK and beyond
- Used as the basis for ISO 22301 and ISO 22313
- Used as the basis for other continuity and resilience standards: TC223 ISO standards, US BCM standard


But what about ICT?


ISO 27000

- ISO 27001: 5 controls (out of 133)
- ISO 27002: four and a half pages of high-level guidance (out of 130 pages)


BS 25777


How BS 25777 integrated with BS 25999


The need for ISO 27031

- Increasing dependency on information and communications technology
- Comprehensive guidance established for business continuity management: BS 25999 and others
- Supported by ICT continuity guidance: BS 25777
- No detailed guidance directly related to ISO 27001
- Significant gaps continue to be present between business and supporting ICT continuity and resilience in many organisations


BS 25777 evolved into...

ISO 27031: Guidelines for information and communication technology readiness for business continuity

- Takes the core elements of BS 25777
- Links them to an information security anchor
- Provides guidance which expands upon ISO 27002
- Helps in the implementation of controls contained within ISO 27001


ISO 27031

- Continues to integrate with BC
- Supports the PDCA process:
  - Planning
  - Implementing and operating
  - Assessing, measuring and reviewing
  - Corrective and preventive actions
- Supports ISMS


ISO 24762: what is it?

Guidelines for information and communications technology disaster recovery services

- Provision of information and communications technology disaster recovery (ICT DR) services as part of business continuity management
- Applicable to both in-house and outsourced ICT DR service providers of physical facilities and services


ISO 24762: is it any good?

No!

- Based on a Singapore standard
- ISO consultation process failed:
  - BCM community unaware of its existence until too late
  - Service providers unaware of its existence until too late
- Does not integrate with BCM standards
- Does not integrate with ISO 27031
- Shining example of how-not-to-develop-a-standard
- Now at the beginning of the revision process

ISO 24762 who uses it?

Good question!


ISO 24762: who uses it?

- BSi sells it!!
- Some dubious claims by vendors
- Experts offering advice


Concepts and Principles


Concepts and Principles of ISO 27031

ICT Readiness for BC (IRBC)

- Complements and supports BCM and/or ISMS by:
  - Improving the incident detection capabilities
  - Preventing a sudden or drastic failure
  - Enabling an acceptable degradation of operational status should the failure be unstoppable
  - Further shortening recovery time
  - Minimising impact upon eventual occurrence of the incident


The relationship between IRBC and BCM


ICT Readiness Principles


Key principles

- Incident prevention
- Incident detection
- Response
- Recovery
- Improvement


Incident prevention

Iterative process: ICT Readiness promotes resilience

- Facilitates identification of critical components in each of the elements which make up the ICT environment
- Relates ICT criticality to wider business criticalities
- Priorities also driven by BC requirements


Incident prevention

Iterative process

- Justifies resource and budget for appropriate resilience measures
- Monitors the performance of resilience measures
- Review and improvement following exercises, tests and incidents


Incident prevention

The elements which make up the ICT environment (built up one per slide in the original):

- People
- Facilities
- Technology
- Data
- Processes
- Suppliers


Incident detection

IRBC promotes:

- Response BEFORE an incident occurs, upon detection of one or a series of related events that become incidents
- Detecting incidents at the earliest opportunity: minimizes impact to services, reduces recovery effort, and preserves quality of service
- Investment in detection should be linked to the business continuity needs


Incident detection

- People
- Facilities
- Technology
  - Hardware: failures, malfunctions in racks, servers, storage arrays, tape devices
  - Network: data connectivity interruptions, intrusion detection etc.
  - Software: upgrade issues, unauthorised software, malware etc.
- Data: corrupted datasets, incomplete datasets etc.
- Processes: system changes, maintenance etc.
- Suppliers: power failure, telecoms outage


Response

IRBC promotes existing good practice:

- Confirm nature and extent of incident
- Take control of situation
- Contain the incident
- Communicate with stakeholders

(Not necessarily a chronological order.)


Response

Confirm nature and extent of incident

- Acquire information
- Assess:
  - How does it affect the elements of the ICT environment?
  - How might this affect service-users and the critical activities of the organisation?


Response

Take control of situation

- Automatic or manual failover?
- Determine priorities for mitigating the incident across People, Facilities, Technology, Data, Processes, Suppliers
- Determine resource requirements
- Communicate


Response

Contain the incident

- Auto or manual failover?
- Direct resources to manage the situation
- Communicate
- Is there concurrent activation of BC Incident Management? Liaise with the rest of the organisation
- Activate relevant contingency arrangements


Response

Communicate

- Communication is essential all the way through the response process
- Integration with the overall BC incident management process


Recovery

Technical recovery plans

- In conjunction with organisational business continuity plans
- Failover of immediately time-critical systems
- Recovery of less time-sensitive systems

Manage recovery process

- Over hours, days, weeks...


Improvement

IRBC promotes improvement:

- Lessons learned from exercises
- Audits/self-assessment
- Feedback from periodic BIAs and risk assessments
- Corrective action following incidents
- Preventive action


The ICT Resilience Gap

- Why do organisations get it wrong?
- The consequences of the gap


Managing Expectations?
ICT Teams plan for this?


Managing Expectations?
Service users expect this?


Information value is the key

- IT departments are custodians of information
- They are NOT the owners of the information
- They do not know its value
  - Value is not always about money
  - Value can be reputational, service-related etc.


Managing Expectations?

Mismatch of expectations

- IT: "You'll get what we choose to give you"
- Business: "What do you mean? Don't you give us EVERYTHING?????"

Constraints

- Technological
- Budgetary
- Resource
- Fundamental misunderstandings about the business and the role of technology
- Fundamental misunderstandings about the holistic nature of ICT


The example of email


The impact of ICT loss

- Impacts are not always obvious
- ICT requirements post-disruption can be quite different from business-as-usual
- Criticality of the same data can vary widely across the organisation: not all data is born equal!
- Recovery is frequently not an option


The consequences

Mismatch of ICT resilience implementation and organisational requirements

- Wasteful of expenditure and resource
- Provides the WRONG ICT environment in the WRONG timescales
- IT departments frequently concentrate on DR rather than resilience and continuity
  - "We don't need to bother about uptime because we know we have good DR"
  - They don't ask users the right questions
- Business departments don't know/share continuity requirements (RTOs, RPOs)
- Each side's knowledge of information availability capabilities and requirements remains unknown to the other


The consequences

The organisation implements an information security programme which fails to deliver on information availability


ICT Resilience
How can the costs be justified?
How can ISO 27031 help?


Getting value for money

- Mechanism for realism in service-user BCM requirements
- Relates RTOs and RPOs to Minimum Business Continuity Objectives
- Rationalises IT DR spend
- Justifies cost to the business
- Resilience versus Recovery

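The resilience gap described on the preceding slides (business RTOs/RPOs that IT never sees, IT capability the business never sees, spend that lands on the wrong systems) is easy to surface once both sides' figures sit in one table. The following is an added example, not code from the presentation or from SunGard: it records the business owner's RTO, RPO and MBCO per service, the demonstrated recovery time and data-loss window per ICT component, and reports, per service, whether ICT falls short (a gap), meets the need, or is far better than needed (probable wasted spend). The service and component names, all figures, the parallel-recovery rule and the 4x over-provisioning threshold are constructed assumptions for illustration.

```python
"""RTO/RPO gap check: business continuity requirements versus ICT capability.

Constructed example, not part of the original presentation. It compares what
the business says it needs (RTO, RPO, MBCO) with what the ICT components a
service depends on can demonstrably deliver, and reports disagreements in
either direction.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class IctComponent:
    """One element of the ICT environment with its demonstrated capability."""
    name: str
    element: str            # People, Facilities, Technology, Data, Processes, Suppliers
    recovery_minutes: int   # time to restore this component, from exercise/test evidence
    data_loss_minutes: int  # worst-case data loss window, e.g. backup or replication interval


@dataclass(frozen=True)
class BusinessService:
    """A business activity, its BC requirements and the ICT it depends on."""
    name: str
    rto_minutes: int   # Recovery Time Objective stated by the business owner
    rpo_minutes: int   # Recovery Point Objective stated by the business owner
    mbco: str          # Minimum Business Continuity Objective, in the owner's words
    depends_on: tuple  # names of IctComponent entries


@dataclass
class GapReport:
    service: str
    achievable_rto: int
    achievable_rpo: int
    rto_gap: int   # positive: ICT recovers more slowly than the business needs
    rpo_gap: int   # positive: more data loss than the business tolerates
    binding: list = field(default_factory=list)  # components that set the achievable figures
    verdict: str = ""                            # GAP, OK or OVER-PROVISIONED


# Constructed sample inventory and requirements (hypothetical names and figures).
SAMPLE_INVENTORY = {c.name: c for c in (
    IctComponent("db-replica",   "Data",       recovery_minutes=20,  data_loss_minutes=5),
    IctComponent("mail-cluster", "Technology", recovery_minutes=90,  data_loss_minutes=15),
    IctComponent("wan-link",     "Suppliers",  recovery_minutes=480, data_loss_minutes=0),
    IctComponent("ops-team",     "People",     recovery_minutes=60,  data_loss_minutes=0),
)}

SAMPLE_SERVICES = (
    BusinessService("Order processing", 60, 15, "accept and acknowledge customer orders",
                    ("db-replica", "wan-link", "ops-team")),
    BusinessService("Email", 240, 60, "send and receive external mail",
                    ("mail-cluster", "ops-team")),
    BusinessService("Internal wiki", 2880, 1440, "read-only access to procedures",
                    ("db-replica", "ops-team")),
)


def missing_components(service, inventory):
    """Dependencies the business named that ICT holds no record of."""
    return [n for n in service.depends_on if n not in inventory]


def achievable_rto_rpo(components):
    """Assumption: components are recovered in parallel, so the service is back
    when its slowest component is, and its data loss is bounded by the component
    with the widest loss window."""
    rto = max(c.recovery_minutes for c in components)
    rpo = max(c.data_loss_minutes for c in components)
    return rto, rpo


def assess(service, inventory, overprovision_factor=4):
    """Compare one service's requirement with what its ICT dependencies deliver.
    overprovision_factor is an assumed threshold: capability at least 4x better
    than the stated need on both RTO and RPO is flagged as probable wasted spend."""
    missing = missing_components(service, inventory)
    if missing:
        raise ValueError(f"{service.name}: no ICT record for {missing}")
    comps = [inventory[n] for n in service.depends_on]
    rto, rpo = achievable_rto_rpo(comps)
    binding = sorted(c.name for c in comps
                     if c.recovery_minutes == rto or c.data_loss_minutes == rpo)
    rto_gap = rto - service.rto_minutes
    rpo_gap = rpo - service.rpo_minutes
    if rto_gap > 0 or rpo_gap > 0:
        verdict = "GAP"
    elif (service.rto_minutes >= overprovision_factor * rto
          and service.rpo_minutes >= overprovision_factor * rpo):
        verdict = "OVER-PROVISIONED"
    else:
        verdict = "OK"
    return GapReport(service.name, rto, rpo, rto_gap, rpo_gap, binding, verdict)


def run_gap_analysis(services, inventory):
    """Assess every service; returns {service name: GapReport}."""
    return {s.name: assess(s, inventory) for s in services}


if __name__ == "__main__":
    for r in run_gap_analysis(SAMPLE_SERVICES, SAMPLE_INVENTORY).values():
        print(f"{r.service:18} {r.verdict:16} RTO {r.achievable_rto:>5} min (gap {r.rto_gap:+d})  "
              f"RPO {r.achievable_rpo:>5} min (gap {r.rpo_gap:+d})  set by {', '.join(r.binding)}")
```

In the sample data the order-processing service is held to an eight-hour RTO by a supplier link nobody on the business side had priced in, while the internal wiki sits on the expensive replicated database although its owner would tolerate two days of outage; both are the "WRONG ICT environment in the WRONG timescales" pattern, and the binding-component column is what turns the gap into a budget conversation. A dependency with no ICT record raises an error rather than being silently skipped, since an unknown dependency is itself a finding.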

ISO 27031 and BS 25999

- Holistic view of ICT and how it fits within the organisation: People, Facilities, Technology, Data, Processes, Suppliers
- ...and how they fit into the principles of: Incident prevention, Incident detection, Response, Recovery, Improvement


Embedding ICT Readiness

- Provides a framework for ensuring ICT Readiness is aligned with business requirements
- Gets IT and service-users involved in validation
- Provides budgetary and business rationale for investment in ICT resilience


Supports and complements BS 25999 and ISO 27001

- Provides the guidance which supports BCM and information security goals
- ICT Readiness is driven by business/organizational requirements (not the other way round)
- ICT Readiness and resilience capabilities feed back into organizational goals
- Ensures that information availability is tackled as effectively as confidentiality and integrity
