
Business continuity planning (BCP)

What is business continuity?

In an IT context, business continuity is the capability of your enterprise to stay online and deliver products and services during disruptive events, such as natural disasters, cyberattacks and communication failures.

The core of this concept is the business continuity plan — a defined strategy that includes every facet of your organization and details procedures for maintaining business availability.

Start with a business continuity plan

Business continuity management starts with planning how to maintain your critical functions (e.g., IT, sales and support) during and after a disruption.

A business continuity plan (BCP) should comprise the following elements:

1. Threat Analysis

The identification of potential disruptions, along with potential damage they can cause to affected resources. Examples include:

2. Role assignment

Every organization needs a well-defined chain of command and substitute plan to deal with absence of staff in a crisis scenario. Employees must be cross-trained on their responsibilities so as to be able to fill in for one another.

Internal departments (e.g., marketing, IT, human resources) should be broken down into teams based on their skills and responsibilities. Team leaders can then assign roles and duties to individuals according to your organization’s threat analysis.

3. Communications

A communications strategy details how information is disseminated immediately following and during a disruptive event, as well as after it has been resolved.

Your strategy should include:

  • Methods of communication (e.g., phone, email, text messages)
  • Established points of contact (e.g., managers, team leaders, human resources) responsible for communicating with employees
  • Means of contacting employee family members, media, government regulators, etc.

From electrical power to communications and data, every critical business component must have an adequate backup plan that includes:

  • Data backups to be stored in different locations. This prevents the destruction of both the original and backup copies at the same time. If necessary, offline copies should be kept as well.
  • Backup power sources, such as generators and inverters that are provisioned to deal with power outages.
  • Backup communications (e.g., mobile phones and text messaging to replace land lines) and backup services (e.g., cloud email services to replace on-premise servers).

Load balancing business continuity

Load balancing maintains business continuity by distributing incoming requests across multiple backend servers in your data center. This provides redundancy in the event of a server failure, ensuring continuous application uptime.

In contrast to the reactive measures used in failover and disaster recovery (described below), load balancing is a preventative measure. Health monitoring tracks server availability, ensuring accurate load distribution at all times—including during disruptive events.
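The health-monitoring behaviour described above, as an added example that is not part of the original article: a small pool that distributes requests round-robin over its backends, removes a backend from rotation after two consecutive failed probes, and returns it once a probe succeeds again. The backend names, the probe function and the failure threshold are constructed for the demonstration; in production the probe would be an HTTP or TCP health check.

```python
"""Health-monitored load balancing over a pool of backends (added example)."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Backend:
    name: str
    consecutive_failures: int = 0
    healthy: bool = True


class HealthMonitoredPool:
    """Round-robin distribution that skips backends failing their health checks.

    `probe` is a caller-supplied function returning True when a backend answers
    its health check. A backend leaves rotation after `fail_threshold`
    consecutive failed probes and rejoins on the first successful probe.
    """

    def __init__(self, names: List[str], probe: Callable[[str], bool], fail_threshold: int = 2):
        self.backends = [Backend(n) for n in names]
        self.probe = probe
        self.fail_threshold = fail_threshold
        self._cursor = 0

    def run_health_checks(self) -> None:
        """One monitoring pass: probe every backend and update its status."""
        for b in self.backends:
            if self.probe(b.name):
                b.consecutive_failures = 0
                b.healthy = True
            else:
                b.consecutive_failures += 1
                if b.consecutive_failures >= self.fail_threshold:
                    b.healthy = False

    def healthy_backends(self) -> List[str]:
        return [b.name for b in self.backends if b.healthy]

    def pick(self) -> Optional[str]:
        """Return the next healthy backend in rotation, or None if all are down."""
        healthy = [b for b in self.backends if b.healthy]
        if not healthy:
            return None
        chosen = healthy[self._cursor % len(healthy)]
        self._cursor += 1
        return chosen.name


def simulate(requests: int = 6):
    """Constructed scenario: three backends; 'web-2' stops answering probes, then recovers."""
    down = set()  # names that currently fail their probe (constructed state)
    pool = HealthMonitoredPool(["web-1", "web-2", "web-3"], probe=lambda n: n not in down)

    pool.run_health_checks()
    before = [pool.pick() for _ in range(requests)]

    down.add("web-2")
    pool.run_health_checks()  # first failure: still in rotation
    pool.run_health_checks()  # second failure: removed from rotation
    after = [pool.pick() for _ in range(requests)]

    down.clear()
    pool.run_health_checks()  # successful probe: back in rotation
    return before, after, pool.healthy_backends()


if __name__ == "__main__":
    print(simulate())
```

The point of the two-strike threshold is to avoid flapping: a single dropped probe does not pull a server out of rotation, but a sustained failure does, and traffic is redistributed without any client noticing the outage.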

Disaster recovery plan (DRP) – Your second line of defense

Even the most carefully thought out business continuity plan is never completely foolproof. Despite your best efforts, some disasters simply cannot be mitigated. A disaster recovery plan (DRP) is a second line of defense that enables you to bounce back from the worst disruptions with minimal damage.

As the name implies, a disaster recovery plan deals with the restoration of operations after a major disruption. It’s defined by two factors: RTO and RPO.

  • Recovery time objective (RTO) – The acceptable downtime for critical functions and components, i.e., the maximum time it should take to restore services. A different RTO should be assigned to each of your business components according to their importance (e.g., ten minutes for network servers, an hour for phone systems).
  • Recovery point objective (RPO) – The point to which your state of operations must be restored following a disruption. In relation to backup data, this is the oldest age and level of staleness it can have. For example, network servers updated hourly should have a maximum RPO of 59 minutes to avoid data loss.

Deciding on specific RTOs and RPOs helps clearly show the technical solutions needed to achieve your recovery goals. In most cases the decision is going to boil down to choosing the right failover solution.


Choosing the right failover solutions

Failover is the switching between primary and backup systems in the event of failure, outage or downtime. It’s the key component of your disaster recovery and business continuity plans.

A failover system should address both RTO and RPO goals by keeping backup infrastructure and data at the ready. Ideally, your failover solution should seamlessly kick in to insulate end users from any service degradation.

When choosing a solution, the two most important aspects to consider are its technological prowess and its service level agreement (SLA). The latter is often a reflection of the former.

For an IT organization charged with the business continuity of a website or web application, there are three failover options:

  • Hardware solutions – A separate set of servers, set up and maintained internally, are kept on-premise to come online in the event of failure. However, note that keeping such servers at the same location makes them potentially susceptible to being taken down by the same disaster/disturbance.
  • DNS services – DNS services are often used in conjunction with hardware solutions to redirect traffic to a backup server(s) at an external data center. A downside of this setup includes TTL-related delays that can prevent seamless disaster recovery. Additionally, managing both DNS and internal data center hardware failover solutions is time consuming and complicated.
  • On-edge services – On-edge failover is a managed solution operating from off-prem (e.g., from the CDN layer). Such solutions are more affordable and, most importantly, have no TTL reliance, resulting in near-instant failover that allows you to meet the most aggressive RTO goals.

IT Disaster Recovery Plan

Businesses large and small create and manage large volumes of electronic information or data. Much of that data is important. Some data is vital to the survival and continued operation of the business. The impact of data loss or corruption from hardware failure, human error, hacking or malware could be significant. A plan for data backup and restoration of electronic information is essential.

An information technology disaster recovery plan (IT DRP) should be developed in conjunction with the business continuity plan. Priorities and recovery time objectives for information technology should be developed during the business impact analysis. Technology recovery strategies should be developed to restore hardware, applications and data in time to meet the needs of the business recovery.

Priorities for IT recovery should be consistent with the priorities for recovery of business functions and processes that were developed during the business impact analysis. IT resources required to support time-sensitive business functions and processes should also be identified. The recovery time for an IT resource should match the recovery time objective for the business function or process that depends on the IT resource.

Recovery strategies should be developed to anticipate the loss of one or more of the following system components:

  • Computer room environment (secure computer room with climate control, conditioned and backup power supply, etc.)
  • Hardware (networks, servers, desktop and laptop computers, wireless devices and peripherals)
  • Connectivity to a service provider (fiber, cable, wireless, etc.)
  • Software applications (electronic data interchange, electronic mail, enterprise resource management, office productivity, etc.)
  • Data and restoration

Developing an IT Disaster Recovery Plan

Businesses should develop an IT disaster recovery plan. It begins by compiling an inventory of hardware (e.g. servers, desktops, laptops and wireless devices), software applications and data. The plan should include a strategy to ensure that all critical information is backed up.

Identify critical software applications and data and the hardware required to run them. Using standardized hardware will help to replicate and reimage new hardware. Ensure that copies of program software are available to enable re-installation on replacement equipment. Prioritize hardware and software restoration.

Document the IT disaster recovery plan as part of the business continuity plan. Test the plan periodically to make sure that it works.

Businesses generate large amounts of data and data files are changing throughout the workday. Data can be lost, corrupted, compromised or stolen through hardware failure, human error, hacking and malware. Loss or corruption of data could result in significant business disruption.

Data backup and recovery should be an integral part of the business continuity plan and information technology disaster recovery plan. Developing a data backup strategy begins with identifying what data to backup, selecting and implementing hardware and software backup procedures, scheduling and conducting backups and periodically validating that data has been accurately backed up.

Developing the Data Backup Plan

Identify data on network servers, desktop computers, laptop computers and wireless devices that needs to be backed up, along with other hard copy records and information. The backup plan should include regularly scheduled backups from wireless devices, laptop computers and desktop computers to a network server. Data on the server then can be backed up. Backing up hard copy vital records can be accomplished by scanning paper records into digital formats and allowing them to be backed up along with other digital data.

Data should be backed up frequently. The business impact analysis should evaluate the potential for lost data and define the “recovery point objective.” Data restoration times should be confirmed and compared with the IT and business function recovery time objectives.
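The "periodically validating that data has been accurately backed up" step in the data backup plan above, as an added example that is not from the Ready.gov page: a SHA-256 manifest is taken from the source tree when the backup runs, and a later verification pass compares the backup copy against it, reporting files that are missing, files whose content no longer matches, and files the manifest does not know about. The sample files, their contents and the simulated backup faults are all constructed in a temporary directory so the script runs offline.

```python
"""Verify that a backup copy matches its source via a SHA-256 manifest (added example)."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path relative to `root` to the SHA-256 digest of its bytes."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_backup(manifest: Dict[str, str], backup_root: Path) -> Dict[str, object]:
    """Compare a backup tree against the manifest taken from the source at backup time.

    Returns files missing from the backup, files whose digest differs (corrupted,
    truncated or stale), files present in the backup but absent from the manifest,
    and an overall ok flag that is True only when nothing is missing or corrupted.
    """
    found = build_manifest(backup_root)
    missing: List[str] = sorted(p for p in manifest if p not in found)
    corrupted: List[str] = sorted(p for p in manifest if p in found and found[p] != manifest[p])
    extra: List[str] = sorted(p for p in found if p not in manifest)
    return {"missing": missing, "corrupted": corrupted, "extra": extra,
            "ok": not missing and not corrupted}


def demo() -> Dict[str, object]:
    """Constructed scenario: a backup job that silently dropped one file and truncated another."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "db").mkdir(parents=True)
        (src / "db" / "orders.sql").write_text("INSERT INTO orders VALUES (1, 'widget');\n")
        (src / "config.ini").write_text("[app]\nmode=prod\n")
        (src / "notes.txt").write_text("vital records scanned and filed\n")
        manifest = build_manifest(src)  # taken at backup time, stored with the backup

        dst = Path(tmp) / "backup"
        shutil.copytree(src, dst)
        (dst / "notes.txt").unlink()                 # simulated: file dropped by the backup job
        (dst / "db" / "orders.sql").write_text("")   # simulated: truncation / corruption
        return verify_backup(manifest, dst)


if __name__ == "__main__":
    print(demo())
```

Store the manifest with the backup (and, ideally, a copy off-site), so that a restore can be checked against what the source looked like when the backup was taken rather than against a source that may itself have been corrupted since.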

Resources for Information Technology Disaster Recovery Planning

  • Computer Security Resource Center – National Institute of Standards and Technology (NIST), Computer Security Division Special Publications
  • Contingency Planning Guide for Federal Information Systems – NIST Special Publication 800-34 Rev. 1
  • Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities – NIST Special Publication 800-84
  • Building An Information Technology Security Awareness and Training Program – NIST Special Publication 800-50

Last Updated: 09/07/2023

ICT Business Continuity Plan Template

What is an ICT Business Continuity Plan?

An ICT (Information and communication technology) business continuity plan is an organized strategy designed to ensure that essential processes and services keep running during a disruption or incident. This plan focuses on the resilience of ICT infrastructure, data centers, and communication networks. It includes a comprehensive set of procedures for how to respond to a disruption or incident, how to protect critical information and assets, and how to restore operations and services as quickly as possible.

What's included in this ICT Business Continuity Plan template?

  • 3 focus areas
  • 6 objectives

Each focus area has its own objectives, projects, and KPIs to ensure that the strategy is comprehensive and effective.

Who is the ICT Business Continuity Plan template for?

This ICT Business Continuity Plan template is designed for ICT companies and organizations who want to develop a comprehensive plan to protect their business from disruptions or incidents. The plan will help organizations identify and prioritize their most critical operations and services, create a backup and recovery plan, and develop a disaster recovery plan.

1. Define clear examples of your focus areas

Focus areas are the major areas of your business that you want to address in your business continuity plan. For ICT businesses, these focus areas could include increasing the resilience of ICT infrastructure, improving data center availability, and increasing communication network resilience.

2. Think about the objectives that could fall under that focus area

Objectives are the goals that you want to achieve for each focus area. For example, under the focus area of increasing the resilience of ICT infrastructure, you may have objectives such as creating a backup and recovery plan and developing a disaster recovery plan.

3. Set measurable targets (KPIs) to tackle the objective

KPIs (Key Performance Indicators) are measurable goals that help track progress towards an objective. For example, for the objective of creating a backup and recovery plan, you may set a KPI of decreasing recovery time from 72 hours to 24 hours.

4. Implement related projects to achieve the KPIs

Projects (or actions) are the steps needed to achieve the KPIs. For the example KPI above, you may need to research and develop a backup and recovery plan.

5. Utilize Cascade Strategy Execution Platform to see faster results from your strategy

Cascade Strategy Execution Platform is the perfect tool to help businesses see faster results from their business continuity plans. It provides an easy-to-use platform to manage strategy, align teams, and track progress. Cascade helps organizations quickly and easily track progress toward their goals, so they can make sure their business continuity plans are being implemented effectively.

ISO 27031: IT disaster recovery and business continuity

DataGuard

ISO 27031 is a standard for IT disaster recovery. It's an international standard that specifies how to plan, implement, and maintain disaster recovery systems. The purpose of ISO 27031 is to help organisations ensure that their business continuity plans are able to deal with any type of disaster. The standard also helps companies develop a consistent approach to planning and implementing their disaster recovery plans.

In this article, let’s take a closer look at ISO 27031 and its components, along with why your organisation may need to implement the standard.

In this article

  • ISO 27031 terms and definitions
  • What is ISO 27031?
  • More on IRBC management systems
  • Why do you need ISO 27031?
  • What are the core elements of ISO 27031?
  • What are the benefits of having an IT disaster recovery plan?

Before we dive into the full details of ISO 27031, there are some key terms and definitions that you should be aware of to understand the full extent of ISO 27031.

A management systems approach to ICT in support of a business continuity management system, as stated in ISO 22301, is introduced in ISO 27031. This system is known as an ICT readiness for business continuity (IRBC) management system.

An IRBC is a management system designed for use in the event of an IT disaster. Similar to the business continuity management system outlined in ISO 22301, IRBC employs a Plan-Do-Check-Act (PDCA) cycle. The goal of IRBC is to put into action measures that improve preparedness for and speed in the aftermath of an interruption in ICT services.

The PDCA paradigm is highly recognisable to those in the business continuity and IT fields, but it requires some minor adjustments to better support the recoverability of ICT in accordance with what businesses need and anticipate.

Although organisations cannot be certified in ISO 27031 like they can in ISO 22301, the management system follows many of the same procedures that experienced preparation experts are used to adopting with business continuity planning.


ISO 27031 is based on the ISO 22301 PDCA management system but is tailored to the more technical aspects of IRBC. ISO 27031 depends on the results of the Business Impact Analysis (BIA) performed and accepted as part of the larger BCMS for an organisation, in addition to the technical adjustments to PDCA. The PDCA management system at IRBC is summarised as follows:

  • Plan — In the first stage, the IRBC management system's overarching governance structure is established and maintained. As a result of the work conducted in the Plan phase, the company will have an IRBC policy and many potential IT strategy solutions to choose from to fulfil the business's needs.
  • Do — In this phase, employees carry out the tasks and put in place the solutions that will allow the company to keep an eye out for and get back up and running after an interruption in ICT services. When it comes to ensuring the reliability of ICT services, the Do phase's primary outcomes are the actualisation of said strategies, the development of said plans, and the carrying out of said training and awareness efforts.
  • Check — Review and analysis of the IRBC management system's output are part of the Check step. Key deliverables from the Check phase include regular inspections of ICT responsiveness and recoverability and ongoing monitoring of ICT for disruptions and performance levels.
  • Act — In the Act phase, leadership may assess how effectively the IRBC initiative is working and order remedial measures to be taken to improve the management system's effectiveness and/or lessen the likelihood of future interruptions to ICT services.

ICT is widely used among organisations that rely heavily on it to perform critical business functions. Some of the activities that ICT supports are incident management, business continuity, disaster recovery and emergency management. The importance of ISO 27031 is that it sets guidelines to implement these activities as a part of your organisation's continuity plan.

It ensures that your organisation's ICT, personnel, and processes are ready to handle unforeseeable events that could change the risk environment and endanger the business.

With the implementation of ISO 27031, you can leverage and streamline resources among business continuity, emergency response, security incident handling and disaster recovery.

ISO 27031 specifies that the IRBC plans need six components to effectively monitor for, respond to, and recover from interruptions to information and communication technologies. These six factors are:

People

In the event of a disruption, it will be necessary to resume providing ICT services; therefore, recovery plans must consider this. When planning for the operation of an organisation's information and communication technology (ICT), it is important to account for the fact that no single employee may possess all of the necessary expertise.

Facilities

Preventing the loss that might occur from running information and communication technology (ICT) systems out of a single location is an important part of any recovery strategy.

Planned facility considerations guarantee that information and communication technology (ICT) systems can continue to function in the event of a primary facility failure.

Technologies

When developing a recovery plan, it is important to take into account the technical specifications necessary to achieve the Recovery Time Objective (RTO) and the Recovery Point Objective (RPO) set by the company.

When planning a strategy, it's important to factor in the time and resources needed to restore hardware and software to working order. Power, cooling, staffing, vendor support, and wide-area network connection are all essential factors to think about.

Data

When planning for recovery, it's important to think about how to safeguard the crucial information your company relies on. Strategies that take data into account guarantee that consumers can access, use, and trust the information they need.

Processes

Planning for the ongoing activities required to monitor, manage, and recover ICT systems in order to satisfy business needs is an integral part of any effective recovery strategy. Strategies that take processes into account determine the IT operations that must be performed before, during, and after an outage.

Suppliers

Recovering and running ICT systems requires a number of third-party suppliers, all of whom must be kept in the loop during the recovery process. Strategies that consider suppliers determine which companies help maintain and restore ICT systems before, during, and after a disruption.

While ISO 27031 provides a robust framework for IT disaster recovery, it's important to understand its relationship with ISO 27001, another crucial standard in the ISO 27000 family.


The connection between ISO 27001 and ISO 27031

While ISO 27001 and ISO 27031 are separate standards within the ISO 27000 family, they are closely related and often implemented together to create a comprehensive information security management system.

ISO 27001 is the international standard for Information Security Management Systems (ISMS) . It provides a framework for establishing, implementing, maintaining, and continually improving an ISMS within the context of the organization. This includes aspects like risk management , internal audits, continual improvement, and compliance with legal and other requirements.

On the other hand, ISO 27031 focuses on the guidelines for information and communication technology readiness for business continuity. It provides a detailed framework for ensuring an organization's IT systems can survive and recover from disruptive incidents. Furthermore, by adhering to the principles of ISO 27001, organizations are also better positioned to meet the evolving cybersecurity standards of NIS2 .

In essence, ISO 27001 provides the overarching framework for an organization's information security management, while ISO 27031 provides specific guidance on how to ensure business continuity in the face of IT disruptions.

Together, these standards form a comprehensive approach to information security. ISO 27001 manages information security risks, while ISO 27031 ensures swift recovery and resumption of operations post-IT disruption.

Implementing both standards can bolster information security management and IT disaster recovery, safeguarding valuable information and ensuring business continuity.

What are the benefits of having an IT disaster recovery plan?

IT disasters impact organisations the most when no preparations have been made to deal with them. The ensuing chaos has far-reaching consequences for organisations that extend well beyond the time it takes to restore operations. Last-minute repairs may be expensive, data breaches can result in fines, and disasters can damage your company's brand and productivity in a variety of ways.

Therefore, having a solid plan to curb the effect of disaster is essential to every organisation.

Here are a few benefits of implementing an IT disaster recovery plan:

  • Builds confidence among your customers — When you implement IT disaster recovery, you're making sure that your business is well-positioned to recover from an outage in a timely and effective manner. This makes it easier for your customers to trust their business with you, which boosts brand loyalty and customer satisfaction.
  • Helps mitigate your financial risks — By shortening the time it takes to restore organisation information systems, you may limit losses not only in terms of income but also in other areas, such as the cost of potential harm caused by downtime and the expense of management or technical help.
  • Minimise the interruption to critical processes — To ensure the organisation’s survival there are essential operations that must run continuously. By having a Disaster Recovery solution in place, critical procedures can be safeguarded, and interruptions to operations may be kept to a minimum.
  • Increased productivity — The danger to your data may be minimised by making sure your staff understand their parts in data security and have a plan in place for dealing with attacks. More than that, it will boost productivity in every area. Since employees know what to do in the event of a crisis, they will be less likely to go into a state of panic, which is one of the many benefits of having a disaster recovery plan. Instead, the crisis can be dealt with in a controlled environment.

ISO 27031 provides guidance for an IRBC programme that helps IT and business continuity experts keep their ICT systems resilient. Organisations would better prepare for, respond to, and recover from an information and communication technology outage. ICT and business continuity are both vulnerable to interruptions. However, ISO 27031 utilises and modifies the BCM ideas established in ISO 22301 to help mitigate this risk.


Published: 21 December 2023 Contributors: Mesh Flinders, Ian Smalley

Business continuity disaster recovery (BCDR) refers to a process that helps organizations return to normal business operations in the event of a disaster. While the terms business continuity and disaster recovery are closely related, they describe two subtly different approaches to crisis management that businesses can take.

As data loss prevention and downtime become more and more expensive, many organizations are upping their investment in emergency management. In 2023, companies worldwide are poised to spend USD 219 billion on cybersecurity and solutions, a 12% increase from last year according to a recent report by the International Data Corporation (IDC).

What is a disaster recovery plan?

A disaster recovery plan (DRP) is a contingency plan for how an enterprise will recover from an unexpected event. Alongside business continuity plans (BCPs), DR plans help businesses navigate different disaster scenarios, such as massive outages, natural disasters, ransomware and malware attacks, and many others.

What is a business continuity plan?

Like DRPs, business continuity plans (BCPs) play a critical role in disaster recovery, helping organizations return to normal business functions in the event of a disaster. Where a DRP focusses specifically on IT systems, business continuity management focusses more broadly on various aspects of preparedness.

Most organizations divide BCDR planning into two separate processes: business continuity and disaster recovery. This is an effective approach because while the two processes share many steps, there are also key differences in how the plans are built, implemented and tested.

The primary difference is that BCPs tend to be proactive, while DRPs tend to be more reactive. It’s good to keep this in mind when building the two parts of your BCDR plan because it governs how the two processes relate to each other. A strong business continuity strategy focuses on processes, procedures and roles that are critical to business operations before, during and immediately following a disaster. DR planning is more geared towards reacting to an incident and taking appropriate actions to recover from it. 

Both processes depend heavily on two critical components, recovery time objective (RTO) and recovery point objective (RPO):

  • Recovery time objective (RTO): RTO refers to the amount of time it takes to restore business processes after an unplanned incident. Establishing a reasonable RTO is one of the first things businesses need to do when they’re creating their DRP.
  • Recovery point objective (RPO): Your business’ RPO is the amount of data it can afford to lose in a disaster and still recover. Since data protection is a core capability of many modern enterprises, some constantly copy data to a remote data center to ensure continuity in case of a massive breach. Others set a tolerable RPO of a few minutes (or even hours) for business data to be recovered from a backup system and know they will be able to recover from whatever was lost during that time.
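RTO and RPO only mean something if they are measured against real evidence: the age of the newest restorable backup tells you the data-loss window, and a timed restore drill tells you the downtime. The following script, an added example rather than code from the article, checks constructed backup and drill records against per-system objectives and flags every system that misses either target, including a system that has never been drilled at all (which should count as failing, not unknown). All system names, timestamps and objectives are invented sample data.

```python
"""Check backup age and restore-drill timings against each system's RTO and RPO.

Added example with constructed sample data; not code from the article.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RecoveryObjective:
    system: str
    rto: timedelta  # maximum tolerable time from outage to restored service
    rpo: timedelta  # maximum tolerable window of lost data


@dataclass(frozen=True)
class DrillRecord:
    system: str
    last_backup: datetime  # timestamp of the newest backup proven restorable
    incident: datetime     # when the (simulated) outage began
    restored: datetime     # when the service was confirmed back to normal


def assess(objective, record):
    """Compare one drill record with its objective and return a result dict."""
    # Data written after the last good backup is lost; a backup taken after
    # the incident began cannot reduce the loss below zero.
    data_loss = max(record.incident - record.last_backup, timedelta(0))
    downtime = record.restored - record.incident
    return {
        "system": objective.system,
        "data_loss": data_loss,
        "rpo_met": data_loss <= objective.rpo,
        "downtime": downtime,
        "rto_met": downtime <= objective.rto,
    }


def assess_all(objectives, records):
    """Assess every objective; a system with no drill record fails both targets."""
    by_system = {r.system: r for r in records}
    results = []
    for obj in objectives:
        rec = by_system.get(obj.system)
        if rec is None:
            # Never tested: treat as failing rather than silently skipping it.
            results.append({"system": obj.system, "data_loss": None, "rpo_met": False,
                            "downtime": None, "rto_met": False})
        else:
            results.append(assess(obj, rec))
    return results


def failing_systems(results):
    """Names of systems that miss RTO, RPO, or both, in objective order."""
    return [r["system"] for r in results if not (r["rpo_met"] and r["rto_met"])]


# Constructed objectives and drill records (not real systems).
OBJECTIVES = [
    RecoveryObjective("crm-db", rto=timedelta(hours=4), rpo=timedelta(minutes=15)),
    RecoveryObjective("file-share", rto=timedelta(hours=24), rpo=timedelta(hours=4)),
    RecoveryObjective("payroll", rto=timedelta(hours=8), rpo=timedelta(hours=1)),
]
RECORDS = [
    DrillRecord("crm-db", datetime(2024, 3, 1, 9, 50), datetime(2024, 3, 1, 10, 0),
                datetime(2024, 3, 1, 12, 30)),
    # Nightly backup only: 12 hours of data exposure against a 4-hour RPO.
    DrillRecord("file-share", datetime(2024, 2, 29, 22, 0), datetime(2024, 3, 1, 10, 0),
                datetime(2024, 3, 1, 14, 0)),
    # "payroll" has no drill record on purpose.
]

if __name__ == "__main__":
    for r in assess_all(OBJECTIVES, RECORDS):
        print(f"{r['system']:<11} loss={r['data_loss']} rpo_met={r['rpo_met']} "
              f"downtime={r['downtime']} rto_met={r['rto_met']}")
    print("failing:", failing_systems(assess_all(OBJECTIVES, RECORDS)))
```

Feeding real backup-catalogue timestamps and drill logs into `RECORDS` turns this into a recurring check; the untested "payroll" system is reported as failing, which is the honest status for any backup that has never been restored.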

1. Conduct business impact analysis (BIA)

To build an effective BCP, you’ll first need to understand the various risks your organization faces. Business impact analysis (BIA) plays a crucial role in risk management and business resilience. BIA is the process of identifying and evaluating the potential impact of a disaster on normal operations. Strong BIA includes an overview of all potential existing threats and vulnerabilities—internal and external—as well as detailed plans for mitigation. Additionally, the BIA must identify the likelihood of an event occurring so the organization can prioritize accordingly.

2. Design responses

Once your BIA is complete, the next step in building your BCP is planning effective responses to each of the threats you’ve identified. Different threats will naturally require different disaster recovery strategies, so each of your responses should have a detailed plan for how the organization will spot a specific threat and address it.

3. Identify key roles and responsibilities

This step dictates how key members of your team will respond when facing a crisis or disruptive event. It documents expectations for each team member as well as the resources required for them to fulfill their roles. This is a good part of the process to consider how individuals will communicate in the event of an incident. Some threats will shut down key networks—such as cellular or internet connectivity—so it’s important to have fallback methods of communication your employees can rely on.

4. Test and update your plan

To be actionable, you need to constantly practice and refine your BCDR plan. Constant testing and training of employees will lead to a seamless deployment when an actual disaster strikes. Rehearse realistic scenarios like cyberattacks, fires, floods, human error, massive outages and other relevant threats so team members can build confidence in their roles and responsibilities.

Like BCPs, DRPs require business impact analysis (BIA), the outlining of roles and responsibilities, and constant testing and refinement. But because DRPs are more reactive in nature, there is more of a focus on risk analysis and data backup and recovery. Steps 2 and 3 of DRP development, performing risk analysis (RA) and creating an asset inventory, are not part of the BCP development process at all.

Here's a widely used five-step process for creating a DRP:

1. Conduct business impact analysis

Like in your BCP process, start by assessing each threat your company could face and what its ramifications might be. Consider how potential threats might impact daily operations, regular communication channels and worker safety. Additional considerations for a strong BIA include loss of revenue, cost of downtime, cost of reputational repair (public relations), loss of customers and investors (short and long term) and any incurred penalties from compliance violations.

2. Analyze risks

DRPs typically require more careful risk assessment than BCPs since their role is to focus on recovery efforts from a potential disaster. During the risk analysis (RA) portion of planning, consider a risk’s likelihood and potential impact on your business.

3. Create an asset inventory

To create an effective DRP, you must know exactly what your enterprise owns, its purpose/function and its condition. Doing regular asset inventory helps identify hardware, software, IT infrastructure and anything else your organization might own that is crucial to your business operations. Once you’ve identified your assets, you can group them into three categories—critical, important and unimportant:

  • Critical: Only label assets as critical if they are required for normal business operations.
  • Important: Give this label to assets that are used at least once a day and, if disrupted, would have an impact on business operations (but not shut them down entirely).
  • Unimportant: These are assets your business uses infrequently that are not essential for normal business operations.

4. Establish roles and responsibilities

Just like in your BCP development, you’ll need to clearly outline responsibilities and ensure team members have what they need to perform their required duties. Without this crucial step, no one will know how to act during a disaster. Here are some roles and responsibilities to consider when building your DRP:

  • Incident reporter: Someone who maintains contact information for relevant parties and communicates with business leaders and stakeholders when disruptive events occur.
  • DRP supervisor: The DRP supervisor ensures team members perform the tasks they’ve been assigned during an incident.
  • Asset manager: Someone whose job it is to secure and protect critical assets when a disaster strikes.
  • Third-party liaison: The person who coordinates with any third-party vendors or service providers you’ve hired as part of your DRP and updates stakeholders accordingly on how the DRP is going.

5. Test and refine

Like your BCP, your DRP requires constant practice and refinement to be effective. Practice it regularly and update it according to any meaningful changes that need to be made. For example, if your company acquires a new asset after your DRP has been formed, you’ll need to incorporate it into your plan to ensure it's protected going forward.

When it comes to BCDR planning, every business is going to have its own unique set of needs. Here are a few examples of plans that have proven effective for companies of differing sizes and industries:

  • Crisis management plan: A crisis management plan, also known as an incident management plan, is a detailed plan for managing a specific incident. It provides detailed instructions on how your organization will respond to a specific kind of crisis, such as a power outage, cyberattack or natural disaster.
  • Communications plan: A communications plan outlines how your organization will handle public relations (PR) in the event of a disaster. Business leaders typically coordinate with communications specialists to formulate communications plans that complement any crisis management activities needed to keep business operations going during an unplanned incident.
  • Data center recovery plan: A data center recovery plan focuses on the security of a data center facility and its ability to get back up and running after an unplanned incident. Some common threats to data storage include overstretched personnel that can result in human error, cyberattacks, power outages and difficulty following compliance requirements.
  • Network recovery plan: Network recovery plans help organizations recover from an interruption of network services, including internet access, cellular data, local area networks (LAN) and wide area networks (WAN). Given the importance of many networked services to business operations, network recovery plans must clearly outline the steps, roles and responsibilities needed to restore services quickly and effectively when a network has been compromised.
  • Virtualized recovery plan: A virtualized recovery plan relies on virtual machine (VM) instances that can be ready to operate within a couple of minutes of an interruption. Virtual machines are representations, or emulations, of physical computers that provide critical application recovery through high availability (HA), or the ability of a system to operate continuously without failing.

BCDR planning helps organizations better understand the threats they face and better prepare to face them. Enterprises that don’t undertake BCDR planning face a variety of risks, including data loss, downtime, financial penalties and reputational damage. Effective BCDR planning helps ensure business continuity and the prompt restoration of services in the event of a business disruption. Here are some of the benefits companies with strong BCDR planning enjoy:

When an unplanned incident disrupts business as usual, it can cost hundreds of millions of dollars. Additionally, high-profile cyberattacks frequently attract unwanted attention in the press and can result in loss of confidence in both customers and investors. BCDR plans increase an organization’s ability to get back up and running swiftly and smoothly after an unplanned incident.

According to IBM’s recent Cost of a Data Breach Report, the average cost of a data breach in 2023 was USD 4.45 million, a 15% increase over the last 3 years. Enterprises with strong BCDR can reduce those costs by helping maintain business continuity throughout an incident and speeding recovery afterwards. Another opportunity for cost savings with strong BCDR is in cyber insurance. Many insurers simply won’t insure organizations that don’t have a strong BCDR plan in place.

Data breaches incur hefty fines when private customer information is compromised. Businesses that operate in heavily regulated sectors like healthcare and personal finance face especially costly penalties. Since these penalties are often tied to the duration and severity of a breach, maintaining business continuity and shortening response and recovery lifecycles is critical to keeping financial penalties low.


What is BCDR? Business Continuity and Disaster Recovery Explained

With organizations going through digital transformations and more employees working remotely, cybersecurity is a top priority for almost all IT teams. Businesses have to be prepared for cyberattacks and unexpected IT outages. In fact, in the 2019 State of IT Operations Survey Report, nearly 61 percent of the survey respondents who had a security breach in the past year had two to four IT outages.

In the event of a disruption, businesses must be able to quickly recover mission-critical data, restore IT systems and smoothly resume operations. A robust business continuity and disaster recovery (BCDR) plan is the key to having confidence in your ability to recover quickly with minimal disruption to the business.

What Is Business Continuity and Disaster Recovery (BCDR) and Why Is It Important for Businesses?

BCDR represents a set of approaches or processes that helps an organization recover from a disaster and resume its routine business operations. Disasters include natural calamities, outages or disruption due to power failure, employee negligence, hardware failure, or cyberattacks.

A BCDR plan ensures that businesses operate as close to normal as possible after an unexpected interruption, with minimal loss of data.

In the past, some companies were under the impression that only large enterprise organizations needed BCDR plans. However, it is just as critical for small and midsize businesses. The 2019 Verizon Data Breach Investigations Report showed that “43 percent of [security] breaches involved small business victims.”

Having a proper BCDR plan in place enables businesses to minimize both the downtime and the cost of a disruption.

What Is the Difference Between Business Continuity and Disaster Recovery?

The business continuity component of a BCDR plan deals with the people, processes and resources that are needed before, during and after an incident to minimize interruption of business operations and cost to the business. It includes:

  • Team – The first and one of the most important components of a business continuity plan (BCP) is organizing a continuity team. Your BCP will be effective only if it is well-designed and if there is a dedicated team to execute it at a moment’s notice.
  • Business Impact Analysis (BIA) – A deep analysis of potential threats and how they could impact the business — usually described in terms of cost to the business. The BIA identifies the most critical business functions that you need to protect and restore quickly.
  • Resource Planning – Identifying resources (hardware systems, software, alternative office space and other items to be used during a crisis) as well as the key staff, and the roles they must play in the event of a disaster.

Disaster recovery is a subset of business continuity planning and involves getting IT systems up and running following a disaster.

Planning for disaster recovery includes:

  • Defining parameters for the company such as recovery time objective (RTO) — the maximum time systems can be down without causing significant damage to the business, and recovery point objective (RPO) — the amount of data that can be lost without affecting the business
  • Implementing backup and disaster recovery (BDR) solutions and creating processes for restoring applications and data on all systems

What Are the Objectives of a BCDR Plan?

A BCDR plan aims to protect a company from financial loss in case of a disruptive event. Data losses and downtime can lead to businesses being shut down. A robust BCDR plan:

  • Reduces the overall financial risk to the company
  • Enables the company to comply with industry regulations regarding data management
  • Prepares the organization to respond adequately and resume operations as quickly as possible in the aftermath of a crisis

6 Steps to Execute a Robust BCDR Plan

  • Identify the team: The continuity team will not only carry out the business continuity plan in the event of a crisis but will also ensure that your other employees are informed and know how to respond in a crisis. The team will also be responsible for planning and executing crisis communications strategies.
  • Conduct a business impact analysis (BIA): A BIA identifies the impact of a sudden loss of business functions, usually in terms of cost to the business. It also identifies the most critical business functions, which allows you to create a business continuity plan that prioritizes recovery of these essential functions.
  • Design the recovery plan: Determine acceptable downtime for critical systems and implement backup and disaster recovery (BDR) solutions for those critical systems as well as SaaS application data. BDR solutions can be appliance-based or in the cloud. Consider Disaster Recovery as a Service (DRaaS) solutions as part of your overall strategy.
  • Test your backups: Disaster recovery testing is a vital part of a backup and recovery plan. Without proper testing, you will never know if your backup can be recovered. According to the 2019 State of IT Operations Survey Report, only 31 percent of the respondents test their disaster recovery plan regularly, which shows that businesses usually underestimate the importance of BDR testing.
  • Execute the plan: In the event of a disruption, execute the processes that get your systems and business back to normal.
  • Measure, review and keep the plan updated: Measure the success of your execution and update your plan based on any gaps that are uncovered. Testing the BCDR plan beforehand is recommended for better results.

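The "test your backups" step above is about proving a restore produces the data you backed up, not merely that a backup job ran. The script below is an added example, not code from the article or from any product it mentions: it records a SHA-256 manifest of a constructed source tree at backup time, then verifies a restored copy against that manifest so that a truncated file or a file that never came back is reported by name. Everything in it (the temporary directories, file names and contents) is invented for the demonstration.

```python
"""Verify a restored backup against a content manifest taken at backup time.

Added example with a constructed file tree; not code from the article.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored_root, manifest):
    """Check a restored tree against the manifest; report missing and altered files."""
    restored_root = Path(restored_root)
    missing, mismatched = [], []
    for rel_path, expected in manifest.items():
        candidate = restored_root / rel_path
        if not candidate.is_file():
            missing.append(rel_path)
        elif sha256_of(candidate) != expected:
            mismatched.append(rel_path)
    return {
        "ok": not missing and not mismatched,
        "checked": len(manifest),
        "missing": missing,
        "mismatched": mismatched,
    }


def run_demo():
    """Back up a constructed tree, restore it, then damage the restore and re-verify.

    Returns (clean_result, damaged_result).
    """
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        (source / "data").mkdir(parents=True)
        (source / "notes").mkdir()
        # Constructed sample files standing in for real business data.
        (source / "data" / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (source / "notes" / "readme.txt").write_text("constructed sample file\n")
        (source / "config.ini").write_text("[app]\nmode=prod\n")

        manifest = build_manifest(source)  # taken when the backup is made

        restored = Path(tmp) / "restored"
        shutil.copytree(source, restored)   # stands in for the restore step
        clean = verify_restore(restored, manifest)

        # Simulate a bad restore: one file truncated, one file never restored.
        (restored / "data" / "ledger.csv").write_text("id,amount\n1,100\n")
        (restored / "notes" / "readme.txt").unlink()
        damaged = verify_restore(restored, manifest)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = run_demo()
    print("clean restore:", clean)
    print("damaged restore:", damaged)
```

Stored alongside the backup (ideally in immutable storage), the manifest lets a scheduled restore drill answer the question the article raises: can this backup actually be recovered, and is what comes back the same as what went in?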
A Guide to Business Continuity & Disaster Recovery Planning

As we know business is very competitive and therefore the best prepared and organised businesses will thrive while others will flounder. Here are a few key points to consider when thinking about how your business can continue to operate effectively if a major business disruption takes place.

Business Continuity Plan

The Business Continuity (BC) plan must list all the procedures and steps that need to be performed to keep systems and processes operating and maintain business operations in the event of an emergency. Of course, these situations can be very wide-ranging, from natural disasters, public health emergencies and infrastructure failures to human error. We have produced a separate article, ‘IT Business Continuity and Disaster Recovery – So what can go wrong, what can you do and why should you?’, giving an overview of various scenarios. The raison d’être of the plan is the question “What happens if?”, and of course we must always remember Murphy’s Law, typically stated as “Anything that can go wrong will go wrong!”.

The COVID-19 pandemic has focused everyone’s mind on how to continue to work effectively with disruption to workplace access, supplies and deliveries, as well as access to information. While most businesses have put stopgaps in place, many are still trying to come to terms with the changes, and in many cases only parts of the business are operating as normal.

Even under normal working conditions, business managers very often do not appreciate the risks to which systems and information are exposed. Furthermore, when an event occurs, additional pressure is placed on staff, systems and processes by the change to operating practices – this means any weaknesses are further exposed, presenting further risks to the business. It is therefore important that the plans ensure the same resilience and protection remain in place.

Some studies claim that less than 50% of small businesses have a business continuity plan in place. So, while business continuity plans may be alien to most small businesses, their importance should not be underestimated. We would always recommend that even a basic business continuity plan is in place, because one never knows when an incident could take place. Whatever you do, don’t be put off creating a plan just because it looks difficult or because you don’t have time; once started it won’t seem so bad, so we encourage business owners to make time.

We can say that Business Continuity (BC) involves planning to keep all aspects of a business functioning during disruptive events, with the planning typically referred to as Business Continuity Planning (BCP) and the whole process as Business Continuity Management (BCM). Similarly, this can be extended to incorporate Disaster Recovery Management (DRM).

As we all know, ICT plays a huge role in business operations, increasingly so in our “Always Connected” world, and it is for this reason that IT Business Continuity Management is often separated out as a significant section of BC. Additionally, Disaster Recovery (DR) is considered a further subset of business continuity: it focuses on the IT or technology systems that support business functions and how these can be restored when a disaster strikes.

It is important for businesses to create an IT Business Continuity & Disaster Recovery Plan (BC-DR Plan) which considers different scenarios that could affect operations and to conduct an impact analysis that considers not just the financial loss but also the impact to Customers, Staff, Suppliers and other Stakeholders. The plan should also become part of the Standard Operating Procedure for the business.

Disaster Recovery

Disaster Recovery assumes that information is not recoverable (at least for some time) and represents a process of restoring data and services to an acceptable level. While we consider the parameters in depth that define this in another article, it is an important part of making sure your business can recover the information it needs and expects within a critical timescale.

As part of our Business Continuity and Disaster Recovery Service (BC-DR Service), we implement resilient systems for businesses as well as security fabric to protect business information from damage or loss. A wide range of replication, backup and restore solutions are matched to a business’s requirements following consultancy and discovery exercises. Continuing support and systems management maintains reliability and availability. However, it must be remembered that the IT Services provider is not responsible for the recovery of business operations from all causes, only the technology.

Depending on your particular business and level of risk, every business will have different primary threats to business as usual. That’s why risk assessments prior to assembling a business continuity plan can be so helpful. It’s also why every plan needs to be bespoke and needs to plan for multiple, potential interruptions to services caused by the unavailability of services, staff, workplaces, and third parties etc. So, we start with the premise that you need to have a plan.

Creating a Business Continuity Plan (BCP)

Step 1: Create a Business Continuity Team

It’s important to have the right team in place to create and implement a business continuity plan in your organization. Even if your business is small, don’t be deterred: gather your employees and start to work on the plan. Work out the roles and responsibilities of each individual, and if you use external resources for functions such as HR, IT and Finance, they should also be involved. Try to make sure nothing is missed and roles are not duplicated.

Team members should be given responsibilities for executing the plan and should prepare policies, train additional team members and identify processes to streamline the implementation of the plan. Simply put – who does what and when. Make sure you explain what you are doing to all people in the organisation and ask for their ideas too. When a crisis hits a business, it affects all staff and so having everyone’s “buy-in” will be vital.

Step 2: Have the Team conduct a Risk Assessment and Impact Analysis

Good analysis is key to gathering the information needed to develop strategies to limit the effects and define recovery plans:

  • Identify what types of threats and risks are likely to impact your business. Explore each threat and risk, and aim to understand how each impacts your business.
  • Identify time-sensitive or critical functions, their weaknesses, the resources that support them and the impact caused in the event of an outage.
  • Detail the resources you have versus the resources you need and create a gap analysis. This process will help identify the vulnerabilities which make your assets/resources more susceptible.

Step 3: Have the Team identify the Stakeholders and the Critical Functions

  • Begin by identifying the key stakeholders, critical resources and functions without which the organization cannot function smoothly.
  • Consider what controls or preventative measures you may already have in place which can minimise the risk and how these can be improved or other measures adopted.
  • Establish contact points with these stakeholders, and remember other teams may depend on them, so map the dependencies.
  • Define the acceptable minimum levels of operations for each of these functions and how they will ensure the continuity of the business, and to what extent.
  • Determine how long each area of the business can cope without specific services.
  • State what the acceptable loss of information is to each area of business.
  • Understand the full impact and cost to the business for outages caused by the identified threats.
  • Identify what information about an incident should be managed and communicated, both internally and externally, and how.

Step 4: Draw up the Plan

With all the information gathered, create a draft plan which should include the following:

  • The intentions of the BCP
  • The roles and responsibilities of individuals
  • Details of stakeholders and critical functions
  • The Business Impact and GAP Analysis
  • Details of things you need to do to Prevent, Respond, Limit and Recover
  • What you will do to test the plan

Step 5: Review and Revise your plan

Once the plan is in place, test it so that omissions can be corrected before an incident occurs. Individual parts can be tested on a scheduled basis and meetings set up to discuss emergency scenarios. Situations can be hypothetically created and the team members can review the effectiveness of the plan.

The threat landscape will continue to change just as other business demands change and therefore the continuity plan will need to adapt. However, by using the points above, your business will be better placed to withstand a disruptive event and stay ahead of your competitors.

While this may seem to be a big undertaking it really is well worthwhile and can even be a great way to build confidence with your customers. As stated earlier, don’t be put off creating a plan just because it looks daunting or because time is short.

Mastering Disaster Recovery and Business Continuity: A Comprehensive Guide

In the fast-paced digital landscape, ensuring the resilience of your business in the face of unforeseen challenges is not just a best practice; it’s a necessity. Disaster recovery and business continuity plans are the bedrock of a robust strategy that safeguards your operations, data, and reputation. In this comprehensive guide, we delve into the intricacies of creating an effective network disaster recovery plan to fortify your business against potential disruptions.

Understanding the Essence of Disaster Recovery

Defining Disaster Recovery

At its core, disaster recovery involves the strategic processes and tools aimed at regaining access to, and functionality of, IT infrastructure after a natural or man-made disaster. This encompasses the restoration of critical data, applications, and systems to ensure minimal downtime and a swift return to normal operations.

The Imperative of Proactive Planning

Proactive planning is the linchpin of a successful disaster recovery strategy . Waiting until disaster strikes is not an option. By meticulously anticipating potential scenarios, you position your business to respond swiftly and effectively, mitigating the impact of unforeseen events.

Crafting a Robust Business Continuity Plan

The Synergy of Disaster Recovery and Business Continuity

Business continuity is not a standalone concept; it intertwines seamlessly with disaster recovery. While the latter focuses on the restoration of IT functions, the former encompasses a broader spectrum, addressing the continuity of all business operations.

Identifying Critical Functions

A key aspect of an effective business continuity plan is the identification of critical functions. These are the core activities that must continue without interruption, even in the face of a crisis. Understanding and prioritising these functions form the foundation of a resilient continuity plan.

Building a Network Disaster Recovery Plan

Conducting a thorough risk assessment.

A thorough risk assessment is the cornerstone of any successful disaster recovery plan. By identifying potential vulnerabilities in your network infrastructure, you can tailor your strategy to address specific risks, ensuring a more robust response to unforeseen events.

Embracing Technological Solutions

In the digital era, technology is both the cause of and solution to many challenges. Implementing cutting-edge technological solutions such as cloud-based backups, redundant systems, and real-time data replication enhances the agility and effectiveness of your disaster recovery plan.

The Role of Employee Training

Cultivating a culture of preparedness.

While technological advancements are pivotal, the human element remains equally crucial. Employee training is not just a compliance requirement; it’s an investment in the resilience of your organisation. Educating your staff on emergency procedures and their roles in the recovery process ensures a cohesive response during critical times.

Regular Testing and Updates

The Dynamics of Testing: A well-crafted disaster recovery and business continuity plan is not a static document. Regular testing and updates are imperative to ensure its efficacy. Simulating various disaster scenarios helps identify weaknesses and provides opportunities for refinement, ensuring your plan evolves with the dynamic nature of your business.

In a world where unpredictability is the only constant, a robust disaster recovery and business continuity plan is your organisation’s shield against potential setbacks. By understanding the intricacies of these plans, embracing proactive strategies, and leveraging technological advancements, you pave the way for a resilient future.

ISO 27002:2022, Control 5.30 – ICT Readiness for Business Continuity

Book a demo

business,team,busy,working,talking,concept

Purpose of Control 5.30

Control 5.30 acknowledges the important role played by ICT platforms and services in maintaining business continuity following disruption or a critical event.

Control 5.30 outlines how ICT services interact with various key metrics and supporting controls, including an organisation's recovery time objective (RTO) and the overall business impact analysis (BIA).

The end goal is to ensure that information integrity and availability is maintained before, during and after a period of business disruption.

Attributes Table

5.30 is a corrective control that maintains risk by creating ICT continuity plans which contribute towards the organisation’s overall level of operational resilience.

General Guidance of Control 5.30

Processes and procedures created through Control 5.30 should be drafted following a thorough BIA, that considers how an organisation needs to react when experiencing operational disruption.

A BIA should make use of differing impact types and organisation-specific variables to gauge how business continuity will be affected, should any or all products and services be rendered unavailable or inoperable due to any level of disruption.

Organisations should use two key variables to formulate an agreed-upon RTO, that sets clear goals for resumption of normal operations:

a) the magnitude of the disruption

b) the type of disruption experienced

Within their BIA, organisations should be able to specify precisely what ICT services and functions are required to achieve recovery, including individual performance and capacity requirements.

Organisations should undergo a risk assessment that evaluates their ICT systems and forms the basis of an ICT continuity strategy (or strategies) that bolsters recovery prior to, during and following a period of disruption.

Once a strategy has been agreed, specific processes and plans should be put in place to ensure that ICT services are resilient and adequate enough to contribute towards recovery of critical processes and systems, before, during and after disruption.

Within the scope of ICT continuity plans, Control 5.30 outlines three main guidance points:

  • ICT incidents often require quick decisions to be made relating to information security by senior members of staff, in order to expedite recovery. Organisations need to maintain a robust chain of command that includes competent individuals with the ability to make authoritative decisions on technical matters related to business continuity and RTO adherence. Organisational structures need to be up to date and widely communicated, to facilitate adequate communication and speed up recovery times.
  • ICT continuity plans should be given a great deal of attention, including regular testing and evaluations, and approval by senior management. Organisations should conduct test runs to gauge their effectiveness, and measure key metrics such as response and resolution times.
  • ICT continuity plans should contain the following information:
    a) performance and capacity requirements of any systems or processes used in recovery efforts
    b) a clear RTO for each ICT service in question, and how the organisation aims to restore them
    c) a recovery point objective (RPO) designated for each ICT resource, and procedures that ensure information is able to be restored.

Changes From ISO 27002:2013

ISO 27002:2022 control 5.30 is a new control with no precedent in ISO 27002:2013.

Mastering BCDR in 2024: Best Practices for Business Continuity and Disaster Recovery Planning

In today’s business climate, data is more valuable than ever before. It facilitates more targeted marketing, product development, and trend forecasting. Because of these factors, business executives must ensure their data’s privacy, security, and integrity are protected from disasters, and that operations can resume with little to no disruption.

Such potential breakdowns are managed or dealt with in two distinct domains: business continuity and disaster recovery. These two disciplines address the possible repercussions of any catastrophic event that could continually impact your organization’s ability to offer its products and services.

Especially since the pandemic, a robust BCDR strategy has emerged as an enterprise staple for CxOs.

Fundamentals of Business Continuity and Disaster Recovery

BCDR is a collection of processes and techniques that help an organization restore access to critical data to continue or resume regular operations soon after a disaster. This expansive idea encompasses the functions and responsibilities of both business and IT in a post-crisis scenario.

CxOs must know BCDR’s two discrete components and their strategic import.

  • Business continuity describes how an organization will function during and after a disaster. It might also offer contingency plans that outline how the organization will sustain its operations if compelled to relocate to an alternative site. Furthermore, it might consider minor disruptions or calamities of a diminished magnitude, such as power failures.
  • Disaster recovery relates to the strategic initiatives undertaken by an organization to address a catastrophic incident — be it a natural calamity, fire, terrorist attack, live shooter situation, or hacking. Disaster recovery refers to the actions an organization takes in response to an incident to resume normal, safe business operations as soon as feasible.

The repercussions for companies beset with catastrophic events with no BCDR planning can be disastrous. Financial loss is the most apparent consequence; the longer an organization fails to deliver its products and services, the more significant its financial losses. Further, technical consequences, like compromising vital or confidential data, can lead to compliance bottlenecks.

BCDR strategies seek to mitigate the impact of a catastrophic incident. Further, they can foster trust and confidence among staff members; a workplace that operates per detailed and explicit protocols on calamity response can give them greater peace of mind.

Risk Assessment and Analysis

Risk assessment is the process of identifying potential hazards to an organization’s development and long-term success by means of an evaluation. Before you start establishing the parameters of your BCDR plan, consider how your organization could be affected by natural and artificial disasters.

This begins with recognizing and accepting that any business is susceptible to four significant losses: suspension of access to organizational facilities, vital data, information technology functions, and service functionalities.

CxOs and IT managers must solicit feedback from other organization members and relevant stakeholders to identify every potential risk that might impact the business. Documenting the risks and their repercussions on employees or supply chains using structured templates facilitates the detection of issues and supports the development of long-term solutions.

Developing a Comprehensive BCDR Plan

The plan must define two primary objectives: first, guaranteeing the organization’s continued operations after accidental or malicious data loss or a natural calamity, and second, restoring the infrastructure to its original state before the crisis.

The first objective, which offers a strategic plan for ensuring operational efficiency, needs to be addressed in the business continuity planning segment. The next goal refers to the section on disaster recovery planning, which focuses on expediting the recovery of critical data systems and IT infrastructure to full functionality.

A comprehensive catalog of hardware and infrastructure elements, data loss acceptance, recovery time objective (RTO), and recovery point objective (RPO) must all be incorporated into the BCDR plan. Also, it must prioritize data cleansing protocols after an emergency so there’s no security gap or vulnerability.

The BCDR plan additionally includes a recurring timetable for plan revisions and updates. For the plan to stay relevant, there has to be an organized process for examining and amending it, along with guidelines for routine testing.

Data Backup and Recovery Strategies

Data is an organization’s most valuable asset. Although larger organizations are more susceptible to data loss due to their massive databases, smaller businesses are not impervious to threats either. Over half of SMBs witnessed a cyberattack in 2022, underscoring the importance of a multi-layered BCDR strategy.

To facilitate BCDR planning, IT and organizational executives must neutrally evaluate current legacy systems. They must also identify deficiencies in digital systems, workloads, data storage, and associated apps.

Also, it’s important to remember that depending solely on one backup source is ineffective in safeguarding data against deletion, catastrophe, and corruption. To mitigate this, the 3-2-1 framework for data storage and recovery is the standard process followed by the entire industry:

  • 3 — Maintain one original copy and two duplicates of the data: Retain the original copy with a minimum of two duplicates in case one or more become inaccessible.
  • 2 — Create two distinct storage formats: Organizational security can be enhanced by diversifying/expanding storage devices in case of a data failure. When data is stored on an internal hard drive, a secondary device like an external or cloud source must be used.
  • 1 — Offsite storage of at least one copy of data: The consequences of maintaining two or more duplicates in the exact location during a natural disaster could be disastrous. One copy stored offsite entails a dependable security measure.
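As an added example (not code from the article or from any backup vendor), the following Python check evaluates a backup inventory against the 3-2-1 rule above and against a recovery point objective, showing a weak configuration beside a corrected one. Every dataset, medium, site, timestamp and the RPO value are constructed for illustration.

```python
"""Check a dataset's backup copies against the 3-2-1 rule and an RPO target.

Added example for the article above, not code from the article or any backup
vendor. Every dataset, medium, site and timestamp here is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List

# Plain-language meaning of each rule a dataset can fail.
RULE_MESSAGES = {
    "meets_3": "fewer than 3 copies in total (original plus two backups)",
    "meets_2": "fewer than 2 distinct storage media across the copies",
    "meets_1": "no copy held away from the primary site",
    "meets_rpo": "RPO not met (a stale backup, or no fresh offsite copy)",
}


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                # storage format, e.g. "local-disk", "object-storage"
    site: str                 # physical site or cloud region holding the copy
    last_completed: datetime  # end of the latest successful backup run (UTC)


@dataclass(frozen=True)
class Dataset:
    name: str
    primary_media: str        # medium the live (original) data sits on
    primary_site: str         # site where the live data sits
    backups: List[BackupCopy] = field(default_factory=list)


def evaluate_backup_policy(dataset: Dataset, rpo: timedelta, now: datetime) -> Dict[str, Any]:
    """Return findings for the 3-2-1 rule and the recovery point objective.

    3: original plus at least two further copies.  2: at least two distinct
    media across all copies.  1: at least one backup held off the primary site.
    RPO: every backup finished within `rpo`, and at least one offsite copy is
    that fresh, since a stale offsite copy cannot honour the RPO if the
    primary site itself is lost.
    """
    total_copies = 1 + len(dataset.backups)
    media_types = {dataset.primary_media} | {b.media for b in dataset.backups}
    offsite = [b.name for b in dataset.backups if b.site != dataset.primary_site]
    stale = [b.name for b in dataset.backups if now - b.last_completed > rpo]
    fresh_offsite = [name for name in offsite if name not in stale]
    findings: Dict[str, Any] = {
        "total_copies": total_copies,
        "media_types": sorted(media_types),
        "offsite_copies": offsite,
        "stale_copies": stale,
        "fresh_offsite": fresh_offsite,
        "meets_3": total_copies >= 3,
        "meets_2": len(media_types) >= 2,
        "meets_1": len(offsite) >= 1,
        "meets_rpo": not stale and len(fresh_offsite) >= 1,
    }
    findings["compliant"] = all(findings[rule] for rule in RULE_MESSAGES)
    return findings


def failed_rules(findings: Dict[str, Any]) -> List[str]:
    """List the rules a dataset fails; empty when compliant."""
    return [msg for rule, msg in RULE_MESSAGES.items() if not findings[rule]]


# Constructed evaluation time and policy; a live check would use datetime.now(timezone.utc).
NOW = datetime(2024, 1, 24, 9, 0, tzinfo=timezone.utc)
RPO = timedelta(hours=24)

# Weak setup: three copies exist, but both backups sit at the primary site and
# the weekly external disk last ran six days ago.
WEAK_DATASET = Dataset(
    name="finance-db", primary_media="local-disk", primary_site="hq",
    backups=[
        BackupCopy("nas-snapshot", "local-disk", "hq", datetime(2024, 1, 24, 2, 0, tzinfo=timezone.utc)),
        BackupCopy("usb-weekly", "external-disk", "hq", datetime(2024, 1, 18, 2, 0, tzinfo=timezone.utc)),
    ],
)

# Corrected setup: the second backup goes nightly to object storage in another
# region, so it is both a different medium and an offsite copy.
GOOD_DATASET = Dataset(
    name="finance-db", primary_media="local-disk", primary_site="hq",
    backups=[
        BackupCopy("nas-snapshot", "local-disk", "hq", datetime(2024, 1, 24, 2, 0, tzinfo=timezone.utc)),
        BackupCopy("cloud-object", "object-storage", "cloud-region-2", datetime(2024, 1, 24, 3, 0, tzinfo=timezone.utc)),
    ],
)

if __name__ == "__main__":
    for ds in (WEAK_DATASET, GOOD_DATASET):
        result = evaluate_backup_policy(ds, RPO, NOW)
        print(f"{ds.name}: {'OK' if result['compliant'] else 'FAIL'}")
        for problem in failed_rules(result):
            print("  -", problem)
```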

Employee Training and Awareness About BCDR

The effectiveness of BCDR in practical scenarios is contingent upon a functional awareness and training initiative.

While creating a well-scripted BCDR strategy, many organizations erroneously fail to educate their workforce on their responsibilities when implementing the plan. Launching a program without employees reading and understanding it is fruitless in almost all work environments.

Employers are obligated to establish and maintain an awareness and training program and ensure that every staff member has undergone the required training. The program must incorporate a systematic approach to training and a mechanism for assessing whether or not staff members retained the intended knowledge.

Training and awareness programs should take place on three levels:

  • Organization-wide awareness: This offers a primer on business continuity and a summary of the organization’s BCDR strategy. Data is initially disseminated via a publicly accessible platform, like the organization’s website. Secondly, it is recommended that administrators engage in talks with employees and collect their signatures on a document confirming their familiarity.
  • Supervisor training: Online training on the basics of business continuity is essential for all supervisors. Further, they would be obligated to go through the organization’s BCDR strategy and submit their signatures confirming their cognizance of its contents.
  • BCDR responder training: This training is necessary for employees with an immediate connection to the BCDR plan. Typical components are crisis communication, incident command system (ICS), and emergency operations center (EOC) training. It includes several short online and in-person courses. Additionally, the aim is to deliver scenario-based training to these individuals.

In Conclusion: What is the Role of Technology in BCDR?

As the velocity and variety of business interruptions increase, especially given the highly digital nature of modern enterprises, the role of technology in BCDR has become more critical. BCDR software helps companies execute business-impact analyses, recovery plan formulation, and policy gap detection.

To automate the BCDR process, these software solutions gather and display vital metrics related to business continuity. Advanced analytics can help organizations determine their vulnerability to internal and external hazards, devising efficient responses to data intrusions and natural disasters. Also, these tools facilitate the dissemination of program-related data to organizational stakeholders.

In 2024, CxOs can consider popular BCDR technology vendors like Arcserve, Axcient, Continuity Logic, StorageCraft, and Strategic BCP to assist in their strategic planning.

Chiradeep BasuMallick | Chiradeep BasuMallick is a content marketing expert, startup incubator, and tech journalism specialist with over 11 years of experience. His background includes advertising, marketing communications, corporate communications, and content marketing. He has collaborated with several global and multinational companies. Presently, he runs a content marketing startup in Kolkata, India. Chiradeep writes extensively on IT, banking and financial services, healthcare, manufacturing, hospitality, financial analysis, and stock markets. He holds a literature and public relations degree and contributes independently to leading publications.

Business continuity management and ICT disaster recovery implementation fact sheet

This fact sheet replaces the Whole-of-government business continuity management and disaster recovery implementation guideline.

Introduction

Every agency is responsible for creating, validating and maintaining ICT Disaster Recovery (ICT DR) and Business Continuity Plans (BCP) including mitigation of ICT related disruptions.

In the event of a disaster, agencies must be able to function effectively and ICT is a substantial component of this.

For business continuity and ICT disaster recovery to be relevant to the organisation, sustainable and achievable, practitioners need to approach the planning process in the context of providing certainty over the delivery of business outcomes (services).

To achieve this, departments must establish a process for identifying all deliverables for which they are responsible, prioritising those outcomes and identifying the key dependencies along with vulnerabilities that might expose the organisation to failure.

This fact sheet provides high-level advice on how this can be achieved from the perspective of ICT-dependent delivery. It is critical to emphasise that ICT alone will not ensure the ongoing resilience of the organisation and that ICT DR planning must be conducted in the context of the agency's all-hazards approach to continuity planning.

Legislated requirement

For Queensland Government Departments, the development of robust and effective business continuity and ICT disaster recovery arrangements is articulated as an accountable officer obligation:

  • Financial Accountability Act 2009 (section 61 risk management provisions)
  • Financial and Performance Management Standard

Current policies and guidelines

The Information Security Policy (IS18:2018) requires agencies to implement an Information Security Management System (ISMS) based on the ISO 27001 standard (Principle 1).

ISO 27001 Annex A.17 relates to the Information Security Aspects of Business Continuity Management.

The control objectives outlined in this section are:

  • A.17.1.1 Planning Information Security Continuity
  • A.17.1.2 Implementing Information Security Continuity
  • A.17.1.3 Verify, Review & Evaluate Information Security Continuity
  • A.17.2.1 Availability of Information Processing Facilities

ISO 27001 Annex A.15 may also be considered as it relates to Supplier Relationships.

Please Note: Queensland Government has a whole-of-government agreement with SAI Global to provide access to some of the ISO 27000 suite of standards.

Good practice for business continuity management and disaster recovery

The previous IS18 policy (IS18:2009) Requirement 9 focused on business continuity and ICT disaster recovery. Whilst the policy is no longer in force, the BCP and DR requirements remain good practice for agencies to consider.

'A managed process including documented plans must be in place to enable information and ICT assets to be restored or recovered in the event of a disaster or major security failure.

  • Methods must be developed to reduce known risks to information and ICT assets, including undertaking a business impact analysis.
  • Business continuity plans must be maintained and tested to ensure information and ICT assets are available and consistent with agency business and service level requirements.
  • Plans and processes must be established to assess the risk and impact of the loss of information and ICT assets in the event of a security failure or disaster to enable information and ICT assets to be restored or recovered.
  • ICT disaster recovery plans must be maintained and tested to ensure information and ICT assets are available and consistent with agency business and service level requirements.'

Understanding the business

The development of a detailed business impact analysis (BIA) will help the agency to identify the critical outputs of the agency and the vulnerabilities that threaten the ongoing delivery of those outcomes. In doing this, the BIA will support decisions around investments in making services more resilient. Decisions relevant to service maintenance during periods of disruption, and to the prioritisation of restoration activities following a critical service failure, will also be supported by the intelligence contained within the BIA.

A BIA will identify:

  • critical and non-priority services across the agency through a standardised methodology
  • the risk associated with service failure
  • service priorities, evaluating impact over time
  • common resources and infrastructure dependencies shared across multiple areas/services (including ICT, people, buildings and utilities)
  • common vendor dependencies
  • agency exposure to potential failure of individual vendors
  • opportunities to ensure the agency can manage the business continuity arrangements from a supply chain perspective
  • gaps between corporate enabling services and business area (client) requirements and expectations.

Supplier relationships and dependencies

During the development of agency business continuity and ICT DR arrangements the BIA will identify points of reliance (dependencies) that may undermine the delivery of outcomes across the agency.

This information will help to identify strategies to deliver appropriate levels of resilience across the agency. These decisions will include justification for decisions to increase levels of redundant infrastructure or to accept the risk and employ alternate recovery strategies that are proportionate to the value of the data and processes supported by the dependencies.

The BIA supports effective management of 3rd-party (outsourced) dependencies through the establishment of specifications that outline meaningful metrics and expectations.

ISO 27001 Annex A.15 may also be considered as it relates to Supplier Relationships. A.15 provides control objectives where information is managed or held by suppliers, such as in the cloud. The objective here is protection of the organisation's valuable assets that are accessible to or affected by suppliers.

Further Information

  • Australian National Audit Office
  • Business Continuity Institute
  • ISO - ISO 22301:2019 - Security and resilience — Business continuity management systems — Requirements (paid service)
  • AS ISO 22301:2020 Security and resilience - Business continuity management systems – Requirements (paid service)
  • ISO/IEC 27031:2011 Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity

Ensuring Business Continuity: Do You Have a Comprehensive Disaster Recovery Plan?

24 January 2024

In today’s rapidly evolving digital landscape, the importance of a robust disaster recovery plan cannot be overstated. Unexpected events such as natural disasters, cyberattacks, or hardware failures can jeopardise critical on-premise servers, potentially disrupting business operations. 

To mitigate these risks, organisations need a comprehensive disaster recovery solution that ensures data integrity, minimises downtime, and facilitates a seamless transition to the cloud. 

In this article, we’ll explore the integration of Acronis Cyber Protect and Microsoft Azure to create a powerful disaster recovery strategy, and how ICT Solutions can help give you and your business peace of mind.

Understanding the Need for Disaster Recovery

Disasters come in various forms, and their impact on business continuity can be severe. Whether it’s a hardware malfunction, a cyberattack, or a natural disaster, organisations need a plan in place to safeguard their data and maintain operational efficiency. This is where a well-thought-out disaster recovery plan plays a pivotal role.

The Power of Acronis Cyber Protect:

Acronis Cyber Protect is an all-in-one solution that combines backup, anti-malware, and security management to provide comprehensive data protection. Its advanced capabilities ensure the integrity and availability of critical data, making it an ideal choice for disaster recovery planning.

How to Create a Disaster Recovery Plan:

  • Assessment and Risk Analysis:

Initially, your IT support needs to identify critical systems and data within the business. This is the time to assess potential risks and vulnerabilities within your existing setup, so that your support can be tailored perfectly for your needs. If you can also determine acceptable downtime and recovery point objectives, your disaster recovery plan can be completed within your individual business's operating guidelines.

  • Backup Strategy with Acronis Cyber Protect:

With our preferred software, Acronis Cyber Protect, ICT Solutions can implement regular, automated backups of on-premise servers. We can leverage Acronis Cyber Protect’s image-based backup for complete system snapshot and store backups securely on-premise and in the cloud.

  • Integration with Microsoft Azure

ICT Solutions utilises Microsoft Azure as the off-site storage and recovery environment.

We establish a secure connection between Acronis Cyber Protect and Azure to create a seamless solution for UK businesses.

  • Replication and Failover

We set up replication jobs to Azure for real-time data synchronisation and implement failover procedures to seamlessly transition operations to the Azure environment.

  • Testing and Validation

To give our clients peace of mind, ICT Solutions regularly conducts disaster recovery simulations to ensure the effectiveness of the plan that we have implemented; in the Azure environment, we can validate data integrity and system functionality.

Benefits of the Integrated Solution:

  • Reduced Downtime

With swift recovery and failover capabilities, you can minimise downtime during disasters – helping keep your business running.

  • Enhanced Security

Acronis Cyber Protect’s integrated security features safeguard data during backup and recovery processes, giving you enhanced security and peace of mind. 

  • Cost-Effective Scalability

With Azure’s flexible infrastructure, your business will be able to scale resources based on demand, optimising costs.

  • Centralised Management

Acronis Cyber Protect provides a centralised platform for managing backup, security, and recovery processes.

Choose ICT Solutions for Your Disaster Recovery Plan 

Implementing a disaster recovery plan with Acronis Cyber Protect and Microsoft Azure empowers organisations to proactively safeguard their critical data and ensure business continuity in the face of unforeseen events.

By combining cutting-edge backup solutions with the scalability and reliability of the cloud, ICT Solutions can help your business to confidently navigate the challenges of today’s dynamic digital landscape.

PRETESH BISWAS

ISO 27001:2022 A 5.30 ICT readiness for business continuity

Information and Communication Technology (ICT) has become an integral part of many of the activities which are elements of the critical infrastructures in all organisational sectors, whether public, private or voluntary. The proliferation of the Internet and other electronic networking services, and today’s capabilities of systems and applications, has also meant that organisations have become ever more reliant on reliable, safe and secure ICT infrastructures.

Meanwhile, the need for business continuity, including incident preparedness, disaster recovery planning, and emergency response and management, has been recognized. Failures of ICT services, including the occurrence of security issues such as systems intrusion and malware infections, will impact the continuity of business operations. Thus managing ICT and related continuity and other security aspects forms a key part of business continuity requirements. Furthermore, in the majority of cases, the critical business functions that require business continuity are usually dependent upon ICT. This dependence means that disruptions to ICT can constitute strategic risks to the reputation of the organisation and its ability to operate.

ICT readiness is an essential component for many organisations in the implementation of business continuity and information security. It is critical to develop and implement a readiness plan for ICT services to help ensure business continuity. As a result, effective business continuity is frequently dependent upon effective ICT readiness to ensure that the organisation’s objectives can continue to be met in times of disruption. This is particularly important as the consequences of disruptions to ICT often have the added complication of being invisible and/or difficult to detect.

In order for an organisation to achieve ICT Readiness for Business Continuity, it needs to put in place a systematic process to prevent, predict and manage ICT disruption and incidents which have the potential to disrupt ICT services.

Control

ICT readiness should be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.

Purpose

To ensure the availability of the organization’s information and other associated assets during disruption.

ISO 27002 Implementation Guidance

ICT readiness for business continuity is an important component in business continuity management and information security management to ensure that the organization’s objectives can continue to be met during disruption. The ICT continuity requirements are the outcome of the business impact analysis (BIA). The BIA process should use impact types and criteria to assess the impacts over time resulting from the disruption of business activities that deliver products and services. The magnitude and duration of the resulting impact should be used to identify prioritized activities, which should be assigned a recovery time objective (RTO). The BIA should then determine which resources are needed to support prioritized activities; an RTO should also be specified for these resources, and a subset of them will be ICT services. The BIA involving ICT services can be expanded to define performance and capacity requirements of ICT systems and recovery point objectives (RPO) of the information required to support activities during disruption.

Based on the outputs from the BIA and the risk assessment involving ICT services, the organization should identify and select ICT continuity strategies that consider options for before, during and after disruption. The business continuity strategies can comprise one or more solutions. Based on the strategies, plans should be developed, implemented and tested to meet the required availability level of ICT services within the required time frames following interruption to, or failure of, critical processes.

The organization should ensure that:

  a) an adequate organizational structure is in place to prepare for, mitigate and respond to a disruption, supported by personnel with the necessary responsibility, authority and competence;
  b) ICT continuity plans, including response and recovery procedures detailing how the organization plans to manage an ICT service disruption, are:
    1) regularly evaluated through exercises and tests;
    2) approved by management;
  c) ICT continuity plans include the following ICT continuity information:
    1) performance and capacity specifications to meet the business continuity requirements and objectives as specified in the BIA;
    2) the RTO of each prioritized ICT service and the procedures for restoring those components;
    3) the RPO of the prioritized ICT resources defined as information and the procedures for restoring the information.

Other information

Managing ICT continuity forms a key part of business continuity requirements concerning availability, so that the organization is able to:

  a) respond to and recover from disruption to ICT services regardless of the cause;
  b) ensure that the continuity of prioritized activities is supported by the required ICT services;
  c) respond before a disruption to ICT services occurs, and upon detection of at least one incident that can result in a disruption to ICT services.

Further guidance on ICT readiness for business continuity can be found in ISO/IEC 27031. Further guidance on business continuity management systems can be found in ISO 22301 and ISO 22313. Further guidance on BIA can be found in ISO/TS 22317.

“ICT readiness for business continuity” defines the business continuity management requirements for information security in much more specific terms. The control includes the availability requirements based on the results of the Business Impact Analysis (BIA). Two key elements of disaster recovery are addressed. When assessing the Business Impact Analysis, the following points must be considered:

Recovery Time Objective (RTO) – How long can a business process or system be down? The RTO is the maximum time that may elapse from the moment of damage until the business process is restored, covering recovery of the infrastructure, recovery of the data, reprocessing of any transactions lost since the last usable copy, and resumption of the activity. The period can range from 0 minutes (the system must be available immediately, which in practice requires redundant systems with automatic failover) to several days or, in some cases, weeks. Note that the RTO of a service can never be shorter than the combined RTO of the services it depends on: an application cannot be restored before its database and the identity service it authenticates against.

Recovery Point Objective (RPO) – How much data loss can be accepted? The RPO is the maximum acceptable age of the data that is restored, i.e. how much data or how many transactions may be lost between the last recoverable copy and the moment of failure. The interval between backups (or the lag of replication) must therefore be no longer than the RPO. If no data loss is acceptable, the RPO is 0, which periodic backups cannot deliver; it requires synchronous replication. An RPO is only met if the last copy is actually restorable: a backup that has been destroyed or corrupted by the same incident that caused the outage does not count, so the procedures for restoring the information, and the protection of the backup copies themselves, belong in the plan.

Based on the results of the BIA, contingency strategies are to be defined for the ICT resources, with contingency options for before, during and after interruptions. Based on these strategies, contingency plans are to be developed, implemented and tested. In doing so, the organization is required to:

  • implement an adequate organizational structure to deal with business interruptions;
  • have ICT contingency plans that are regularly tested and approved by management;
  • have ICT plans that include performance and capacity specifications to meet the requirements from the BIA, as well as the RTOs and RPOs of the prioritized services and information.

ICT Readiness for Business Continuity can be achieved by

  • Protect —Protecting the ICT environment from environmental failures, hardware failures, operations errors, malicious attack and natural disasters is critical to maintaining the desired levels of system availability for an organization.
  • Detect —Detecting incidents at the earliest opportunity minimizes the impact to services, reduces the recovery efforts and preserves the quality of service.
  • React —Reacting to an incident in the most appropriate manner leads to a more efficient recovery and minimizes any downtime. Reacting poorly can result in a minor incident escalating into something more serious.
  • Recover —Identifying and implementing the appropriate recovery strategy will ensure the timely resumption of services and maintain the integrity of data. Understanding the recovery priorities allows the most critical services to be reinstated first. Services of a less-critical nature may be reinstated at a later time or, in some circumstances, not at all.
  • Operate —Operating in disaster recovery mode until return to normal is possible may require some time and necessitate “scaling up” disaster recovery operations to support increasing business volumes that need to be serviced over time.
  • Return —Devising a return strategy for every IT continuity plan allows an organization to migrate back from disaster recovery mode to a position in which it can support normal business, including reconciling any data captured while operating in disaster recovery mode.

ICT Readiness for Business Continuity supports Business Continuity Management by ensuring that the ICT services are as resilient as appropriate and can be recovered to pre-determined levels within timescales required and agreed by the organisation. This control enables an organisation to measure its ICT continuity, security and hence readiness to survive a disaster in a consistent and recognized manner. ICT readiness encompasses preparing the organisation’s ICT (i.e. the IT infrastructure, operations and applications), plus the associated processes and people, against unforeseeable events that could change the risk environment and impact ICT and business continuity. It also helps in leveraging and streamlining resources among business continuity, disaster recovery, emergency response and ICT security incident response and management activities. ICT readiness reduces the impact (meaning the extent, duration and/or consequences) of information security incidents on the organisation. ICT readiness is important for business continuity purposes because:

  • ICT is prevalent and many organisations are highly dependent on ICT supporting critical business processes;
  • ICT also supports incident, business continuity, disaster and emergency response, and related management processes;
  • Business continuity planning is incomplete without adequately considering and protecting ICT availability and continuity.

Processes and procedures created under this control should be drafted following a thorough BIA that considers how an organisation needs to react when experiencing operational disruption. A BIA should make use of differing impact types and organisation-specific variables to gauge how business continuity will be affected should any or all products and services be rendered unavailable or inoperable, due to any level of disruption. Organisations should use two key variables to formulate an agreed-upon RTO that sets clear goals for resumption of normal operations:

  • the magnitude of the disruption
  • the type of disruption experienced

Within their BIA, organisations should be able to specify precisely what ICT services and functions are required to achieve recovery, including individual performance and capacity requirements. Organisations should undergo a risk assessment that evaluates their ICT systems and forms the basis of an ICT continuity strategy (or strategies) that bolsters recovery prior to, during and following a period of disruption. Once a strategy has been agreed, specific processes and plans should be put in place to ensure that ICT services are resilient and adequate enough to contribute towards recovery of critical processes and systems, before, during and after disruption. Within the scope of ICT continuity plans, the control outlines three main guidance points:

  • ICT incidents often require quick decisions to be made relating to information security by senior members of staff, in order to expedite recovery.
  • Organisations need to maintain a robust chain of command that includes competent individuals with the ability to make authoritative decisions on technical matters related to business continuity and RTO adherence.
  • Organisational structures need to be up to date and widely communicated, to facilitate adequate communication and speed up recovery times.

ICT continuity plans should be given a great deal of attention, including regular testing and evaluations, and approval by senior management. Organisations should conduct test runs to gauge their effectiveness, and measure key metrics such as response and resolution times. ICT continuity plans should contain the following information:

  • the performance and capacity requirements of any systems or processes used in recovery efforts;
  • a clear RTO for each ICT service in question, and the procedures by which the organisation aims to restore it;
  • an RPO for each ICT resource defined as information, and the procedures that ensure the information can be restored to that point.
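As an added worked example (not from this page, from ISO/IEC 27002 or from the author), the following Python script checks the three plan contents listed above against the BIA targets: whether the backup cadence can meet the RPO, whether the restore order implied by service dependencies fits inside the RTO, and whether the last exercise actually demonstrated both, which is the evidence the "regularly tested and approved" requirement asks for. The service names, timings, dependency chain and exercise results are constructed sample data, and the worst-case RPO formula assumes that a backup captures state at the moment it starts.

```python
"""Check an ICT continuity plan against BIA targets (RTO, RPO, test evidence).

All service names, timings and exercise results are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class IctService:
    name: str
    rto_minutes: int               # maximum tolerable downtime (from the BIA)
    rpo_minutes: int               # maximum tolerable data loss (from the BIA)
    backup_interval_minutes: int   # how often a restorable copy is started
    backup_duration_minutes: int   # how long a copy takes to complete
    restore_minutes: int           # time to restore this component on its own
    depends_on: List[str] = field(default_factory=list)  # restored before this one


@dataclass
class ExerciseResult:
    measured_restore_minutes: int    # wall-clock time observed in the test restore
    measured_data_loss_minutes: int  # age of the restored data at failure time
    restore_succeeded: bool


def achieved_rpo(svc: IctService) -> int:
    """Worst-case data loss given the cadence: a failure just before the next
    copy completes loses one full interval plus one run time (assumes a copy
    captures state at the moment it starts)."""
    return svc.backup_interval_minutes + svc.backup_duration_minutes


def critical_path_rto(services: Dict[str, IctService], name: str,
                      _memo: Optional[Dict[str, int]] = None,
                      _stack: Optional[Set[str]] = None) -> int:
    """Earliest resumption of a service: longest dependency path plus its own
    restore time. Raises ValueError on a dependency cycle (such a plan cannot
    be executed in any order)."""
    _memo = {} if _memo is None else _memo
    _stack = set() if _stack is None else _stack
    if name in _memo:
        return _memo[name]
    if name in _stack:
        raise ValueError(f"dependency cycle involving {name!r}")
    _stack.add(name)
    svc = services[name]
    deps_done = max((critical_path_rto(services, d, _memo, _stack)
                     for d in svc.depends_on), default=0)
    _stack.remove(name)
    _memo[name] = deps_done + svc.restore_minutes
    return _memo[name]


def assess(services: Dict[str, IctService],
           exercises: Dict[str, ExerciseResult]) -> Dict[str, List[str]]:
    """Per service, the gaps between what the plan can deliver and the BIA."""
    findings: Dict[str, List[str]] = {}
    for name, svc in services.items():
        gaps: List[str] = []
        rpo = achieved_rpo(svc)
        if rpo > svc.rpo_minutes:
            gaps.append(f"backup cadence yields RPO {rpo} min, BIA requires {svc.rpo_minutes} min")
        rto = critical_path_rto(services, name)
        if rto > svc.rto_minutes:
            gaps.append(f"dependency restore path {rto} min exceeds BIA RTO {svc.rto_minutes} min")
        ex = exercises.get(name)
        if ex is None:
            gaps.append("no exercise evidence: the plan has not been tested for this service")
        else:
            if not ex.restore_succeeded:
                gaps.append("last exercise: restore failed, recovery procedure not demonstrated")
            if ex.measured_restore_minutes > svc.rto_minutes:
                gaps.append(f"last exercise took {ex.measured_restore_minutes} min, RTO is {svc.rto_minutes} min")
            if ex.measured_data_loss_minutes > svc.rpo_minutes:
                gaps.append(f"last exercise lost {ex.measured_data_loss_minutes} min of data, RPO is {svc.rpo_minutes} min")
        findings[name] = gaps
    return findings


def plan_is_ready(findings: Dict[str, List[str]]) -> bool:
    return all(not gaps for gaps in findings.values())


# Constructed BIA output and exercise log (not real data).
SERVICES: Dict[str, IctService] = {
    "directory": IctService("directory", rto_minutes=60, rpo_minutes=60,
                            backup_interval_minutes=30, backup_duration_minutes=5,
                            restore_minutes=30),
    "orders-db": IctService("orders-db", rto_minutes=120, rpo_minutes=15,
                            backup_interval_minutes=1440, backup_duration_minutes=30,
                            restore_minutes=60, depends_on=["directory"]),
    "web-shop": IctService("web-shop", rto_minutes=60, rpo_minutes=240,
                           backup_interval_minutes=60, backup_duration_minutes=5,
                           restore_minutes=20, depends_on=["orders-db"]),
}
EXERCISES: Dict[str, ExerciseResult] = {
    "directory": ExerciseResult(25, 20, True),
    "orders-db": ExerciseResult(95, 600, True),  # daily backup: ~10 h of orders lost
}

if __name__ == "__main__":
    result = assess(SERVICES, EXERCISES)
    for service, gaps in result.items():
        print(service, "OK" if not gaps else "")
        for gap in gaps:
            print("   -", gap)
    print("plan ready:", plan_is_ready(result))
```

Two of the findings this produces are the ones a paper review of the plan tends to miss: a daily backup can never satisfy a 15-minute RPO however well the restore procedure is written, and the web-shop's 60-minute RTO is unachievable because the database and directory it depends on take 90 minutes to come back first.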

The benefits of ICT readiness for business continuity

An organisation that has implemented ICT readiness for business continuity:

  • understands the risks to the continuity of its ICT services and their vulnerabilities;
  • identifies the potential impacts of disruption to ICT services;
  • encourages improved collaboration between its business managers and its ICT service providers (internal and external);
  • develops and enhances competence in its ICT staff by demonstrating credible responses through exercising ICT continuity plans and testing IRBC (ICT readiness for business continuity) arrangements;
  • provides assurance to top management that it can depend upon predetermined levels of ICT services and receive adequate support and communications in the event of a disruption;
  • provides assurance to top management that information security (confidentiality, integrity and availability) is properly preserved, ensuring adherence to information security policies;
  • gains additional confidence in the business continuity strategy by linking investment in IT solutions to business needs and ensuring that ICT services are protected at a level appropriate to their importance to the organization.


Published by Pretesh Biswas

Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. 
Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt . View all posts by Pretesh Biswas

Leave a Reply Cancel reply

Notice for adblock users.

Please turn AdBlock off

Discover more from PRETESH BISWAS

Subscribe now to keep reading and get access to the full archive.

Type your email…

Continue reading

COMMENTS

  1. Business continuity vs. disaster recovery: Which plan is right ...

    Business continuity and disaster recovery plans are risk management strategies that businesses rely on to prepare for unexpected incidents. While the terms are closely related, there are some key differences worth considering when choosing which is right for you:

  2. Business Continuity & Disaster Recovery Planning (BCP & DRP)

    In an IT context, business continuity is the capability of your enterprise to stay online and deliver products and services during disruptive events, such as natural disasters, cyberattacks and communication failures. The core of this concept is the business continuity plan — a defined strategy that includes every facet of your organization ...

  3. IT Disaster Recovery Plan

    An information technology disaster recovery plan (IT DRP) should be developed in conjunction with the business continuity plan. Priorities and recovery time objectives for information technology should be developed during the business impact analysis.

  4. ICT Business Continuity Plan Template

    An ICT (Information and communication technology) business continuity plan is an organized strategy designed to ensure that essential processes and services keep running during a disruption or incident. This plan focuses on the resilience of ICT infrastructure, data centers, and communication networks.

  5. ISO 27031: IT disaster recovery and business continuity

    ISO 27031 is a standard for IT disaster recovery. It's an international standard that specifies how to plan, implement, and maintain disaster recovery systems. The purpose of ISO 27031 is to help organisations ensure that their business continuity plans are able to deal with any type of disaster. The standard also helps companies develop a ...

  6. What is business continuity disaster recovery?

    Business continuity disaster recovery (BCDR) refers to a process that helps organizations return to normal business operations in the event of a disaster. While the terms business continuity and disaster recovery are closely related, they describe two subtly different approaches to crisis management that businesses can take.

  7. What is BCDR? Business continuity and disaster recovery guide

    Business continuity (BC) and disaster recovery (DR) are closely related practices that support an organization's ability to remain operational after an adverse event. Resiliency has become the watchword for organizations facing an array of threats, from natural disasters to the latest round of cyber attacks.

  8. Disaster Recovery & Business Continuity Plan for ICT Services

    A Business Continuity Plan for ICT Services was first introduced in 2021 following an audit recommendation. It is reviewed annually or following any major change to hardware or systems covered by the plan, to ensure it is always relevant and up to date.

  9. What is BCDR? Business Continuity and Disaster Recovery Explained

    A robust business continuity and disaster recovery (BCDR) plan is the key to having confidence in your ability to recover quickly with minimal disruption to the business. What Is Business Continuity and Disaster Recovery (BCDR) and Why Is It Important for Businesses?

  10. What is business continuity and disaster recovery (BCDR)?

    The difference between business continuity (BC) and disaster recovery (DR) Business continuity is focused on supporting all aspects of a business when an emergency or disaster occurs, while disaster recovery focuses on recovering lost data and getting IT systems back online. A backup and disaster recovery plan (BDR) can be a part of a business ...

  11. PDF Information Technology Disaster Recovery Plan

    Section 2: Scope. Due to the uncertainty regarding the magnitude of any potential disaster on the campus, this plan will only address the recovery of systems under the direct control of the Department of Information Technology and that are critical for business continuity. This includes the following major areas:

  12. ISACA Introduces New Audit Programs for Business Continuity/Disaster

    Schaumburg, IL, USA -The COVID-19 pandemic spotlighted the need for robust business continuity plans like never before, and also accelerated technology innovation, as organizations quickly sought new ways of doing business.Global IT association ISACA is helping auditors expand their expertise in those areas by introducing two new audit programs: IT Business Continuity/Disaster Recovery Audit ...

  13. A Guide to Business Continuity & Disaster Recovery Planning

    Step 1: Create a Business Continuity Team. It's important to have the right team in place to create and implement a business continuity plan in your organization. Even if your business is small, don't be deterred, gather your employees and start to work on the plan.

  14. Mastering Disaster Recovery and Business Continuity: A Comprehensive

    In a world where unpredictability is the only constant, a robust disaster recovery and business continuity plan is your organisation's shield against potential setbacks. By understanding the intricacies of these plans, embracing proactive strategies, and leveraging technological advancements, you pave the way for a resilient future.

  15. Control 5.30

    Control 5.30 outlines how ICT services interact with various key metrics and supporting controls, including an organisation's recovery time objective (RTO) and the overall business impact analysis (BIA). The end goal is to ensure that information integrity and availability is maintained before, during and after a period of business disruption.

  16. Disaster Recovery Plan for Business Continuity: Case Study in a ...

    Abstract. An information technology (IT) disaster recovery (DR) plan provides a structured approach for responding to unplanned incidents that threaten an IT infrastructure, which includes hardware, software, networks, processes and people.

  17. PDF ICT System Disaster Recovery Plan & Business Continuity

    1. DISASTER RECOVERY PLAN OVERVIEW 1.1 This Disaster Recovery Plan (DRP) is an agreed Business strategy that indicates how quickly the ELRC Data Centre (or portions of the data centre) must be recovered from an outage and plans for the resources required in order to sustain the ELRC systems.

  18. How To Ensure Business Continuity In The Face Of Internet ...

    Maintaining business continuity requires planning and investment. ... establishing disaster recovery plans and embracing technology advancements like UC and AI, businesses can optimize operational ...

  19. Mastering BCDR in 2024

    The first objective, which offers a strategic plan for ensuring operational efficiency, needs to be addressed in the business continuity planning segment. The next goal refers to the section on disaster recovery planning, which focuses on expediting the recovery of critical data systems and IT infrastructure to full functionality.

  20. Business continuity management and ICT disaster recovery implementation

    For business continuity and ICT disaster recovery to be relevant to the organisation, sustainable and achievable, practitioners need to approach the planning process in the context of providing certainty over the delivery of business outcomes (services).

  21. Ensuring Business Continuity: Do You Have a Comprehensive Disaster

    How to Create a Disaster Recovery Plan: Assessment and Risk Analysis: Initially, your IT support needs to identify critical systems and data within the business. This is the time to assess potential risks and vulnerabilities within your existing setup, so that your support can be tailored perfectly for your needs.

  22. ISO 27001:2022 A 5.30 ICT readiness for business continuity

    It also helps in leveraging and streamlining resources among business continuity, disaster recovery, emergency response and ICT security incident response and management activities. ICT readiness reduces the impact (meaning the extent, duration and/or consequences) of information security incidents on the organisation.

  23. What is Business Continuity and Disaster Recovery Planning?

    CBT Nuggets trainer Bob Salmans covers the process for planning out your business continuity and disaster recovery strategies. Having a plan to follow in the...

  24. PDF Business Continuity Plan and Disaster Recovery Guidelines

    Disaster Recovery. The Business Continuity and Disaster Recovery Guidelines will also apply to all Public ICT systems currently in existence and to any new business systems that will be acquired in future, at all levels of sensitivity, whether maintained in-house or commercially. E-Government Business Continuity and Disaster Recovery

  25. Key Differences Business Continuity Vs Disaster Recovery Plans

    Q. What are the risks of operating without a business continuity or disaster recovery plan? Operating without a plan increases the risk of extended downtime, loss of data, financial losses, and potential damage to the business's reputation as a whole. Q. How do business leaders ensure the continuity and disaster recovery strategies are effective?

  26. Ensuring Continuity of Critical Services: A Disaster Recovery and

    The document provides a disaster recovery and business continuity plan for ICT services at Blackall-Tambo Regional Council. It details the council's IT infrastructure across multiple sites, potential disaster scenarios, and the procedures to recover critical systems and minimize business impacts. Key assets include virtual and physical servers, networking equipment, cloud services like ...