Achieving compliance with business continuity and disaster recovery is a matter of three actions: having the proper standards available, reviewing the plans against the standards and updating the plans to comply with the standards. Think of the process like an audit: The disaster recovery and business continuity standards represent the controls to which the plans must conform. So long as the plans largely conform to the standards -- within the organization's policy and planning structures -- compliance is likely.
The proper standards
For business continuity (BC), use international standard ISO 22301:2012, Societal security -- Business continuity management systems -- Requirements; ISO 22313:2012, Societal security -- Business continuity management systems -- Guidance; and the U.S. standard NFPA 1600:2016, Standard on Disaster/Emergency Management and Business Continuity/Continuity of Operations Programs. Additional business continuity standards are available for specific vertical markets, such as banks, investment banks and credit unions.
For disaster recovery (DR), use ISO/IEC 27031:2011, Information technology -- Security techniques -- Guidelines for information and communication technology readiness for business continuity; and U.S. standard NIST SP 800-34, Contingency Planning Guide for Federal Information Systems. As with BC, disaster recovery standards are also available for vertical markets.
For most organizations, the above DR and business continuity standards provide all the information needed to determine compliance.
Reviewing plans against the standards
Start by comparing the table of contents for each of the standards against those in your plans. Make sure your plans identify content that addresses the issues contained in the standards. Any section of a standard for which your plans have no content is a gap and should be placed in a list for later action.
Note that the standards are meant to provide a framework and guidance on developing BC/DR plans. They generally will not provide you with a boilerplate plan, but you should be able to identify content that can help you complete missing sections in your plans.
You should also read the glossaries included with each standard to better understand the terms used.
Once you have mapped your plans to the available standards, examine what you have and what needs to be developed. If you don't currently have a BC/DR training program in place, you can still note your intent to have it in the appropriate section. Be sure to eventually develop these programs, as auditors look for supporting evidence of their existence.
Update plans to comply with standards
Once your gap analysis has been completed, you should update your plans to remediate the gaps identified. The standards may have wording you can adapt for your purposes. You can also refer to one of the many books and tools available for plan development.
Finally, ensure your plans are consistent with the standards' frameworks, at least from a content perspective. It's not necessary to map your plans to the exact sequence listed in the disaster recovery and business continuity standards, but if you're not bound by any corporate mandates, you can use them to model your plans.