To develop the disaster recovery plan, we set up a crisis committee and establish the actions to be taken from the moment the alarm is raised. In the business continuity plan, on the other hand, the company defines how it activates the alternative site under emergency conditions.
Do you want to develop the disaster recovery plan and business continuity procedures for your information security management system? Follow the steps below and you will be able to create effective documentation compliant with ISO/IEC 27001 and its Annex A.
The disaster recovery plan. What to consider?
The crisis committee
First you need to set up a crisis committee. From the moment the disaster unfolds, the company must take steps to “save what can be saved” and restore the availability of the lost information. In this restoration activity, the responsibilities for incident management must be entrusted to people who play an important role in this respect within the company. These people make up the crisis committee.
The roles that could be identified are the following:
- High management
- RGSI
- System administrator
- IT Manager
- Information system manager
- RDP (production)
The RDP (production) should also be identified as the person responsible for the business continuity of the company. Whereas “disaster recovery” aims to restore operations from an IT point of view, the RDP (production) should also deal with the broader matter of operational continuity, that is, the ability to keep all business processes running under critical conditions.
Actions to be taken
Control 16.1.3 Reporting of weaknesses relating to information security requires the company to establish the actions to be taken in the event of an emergency.
How to preserve business continuity in the information security management system according to ISO/IEC 27001:2017
Identify the critical processes on which business continuity is based
The critical processes on which business continuity depends are already governed by the management procedures of the system (inspired by the ISO 9001:2015 quality management system), such as:
- PROC-812 – Requirements
- PROC-813 – Design
- PROC-814 – Outsourcing
- PROC-815 – Production
- PROC-816 – Preservation
- PROC-817 – Control of non-conforming outputs
Establish the resources necessary for business continuity
The resources necessary for business continuity could be, for example:
- An alternative office
- Resources capable of running critical processes
- Hardware equipment
- Dedicated staff
In order to produce immediately applicable content, we suggest that you establish the requirements for each resource (asset / support) identified.
Determine the actions to be taken to implement business continuity
These actions are determined according to control 17.1.2 Implementation of information security continuity of Annex A of ISO/IEC 27001:2017.
With regard to the alternative site, for the purposes of information security, the company must establish the following information security measures, which generally characterize its operational activity and are described in the security procedure and in the management procedures:
- Activate the antivirus
- Employ tracking through log management
- Provide backup
- Implement access control
- Secure encryption operations
- Review the permissions of the database operations
All the services made available through the use of an alternative location during emergency periods must be governed by the contract signed with the supplier. The supplier is qualified by the organization and periodically “audited” in order to monitor its compliance with the security requirements expressed by the organization and signed by both parties in the relevant service level agreements (service levels expressed in the contract).
The business continuity plan
After planning the organizational, operational and technological structure needed to ensure operational continuity in information security, the company must determine the steps to be taken and the timescales to be respected in order to restore the functioning of the critical processes. The following diagram represents an example of a business continuity plan.