Achieving compliance with business continuity and disaster recovery is a matter of three actions: having the proper...
standards available, reviewing the plans against the standards and updating the plans to comply with the standards. Think of the process like an audit: standards for business continuity and disaster recovery represent the controls to which the plans must conform. So long as the plans largely conform to the standards -- within the organization's policy and planning structures -- compliance is likely.
The proper standards
For business continuity (BC), use international standard ISO 22301:2012, Societal security -- Business continuity management systems -- Requirements; ISO 22313:2012, Societal security -- Business continuity management systems -- Guidance; and the U.S. standard NFPA 1600:2016, Standard on Disaster/Emergency Management and Business Continuity/Continuity of Operations Programs. Additional business continuity standards are available for specific vertical markets, such as banks, investment banks and credit unions.
For disaster recovery (DR), use ISO/IEC 27031:2011, Information technology -- Security techniques -- Guidelines for information and communication technology readiness for business continuity; and U.S. standard NIST SP 800-34, Contingency Planning Guide for Federal Information Systems. As with BC, disaster recovery standards are also available for vertical markets.
For most organizations, the above standards for business continuity and DR provide all the information needed to determine compliance.
Reviewing plans against the standards
Start by comparing the table of contents for each of the standards against those in your plans. Make sure your plans identify content that addresses the issues contained in the standards. If you don't have content for these specific sections, these are gaps, and should be placed in a list for later action.
Note that the standards are meant to provide a framework and guidance on developing BC/DR plans. They generally will not provide you with a boilerplate plan, but you should be able to identify content that can help you complete missing sections in your plans.
You should also read the glossaries included with each standard to better understand the terms used.
Once you have mapped your plans to the available standards, examine what you have and what needs to be developed. If you don't currently have a BC/DR training program in place, you can still note your intent to have it in the appropriate section. Be sure to eventually develop these programs, as auditors look for supporting evidence of their existence.
Update plans to comply with standards
Once your gap analysis has been completed, you should update your plans to remediate the gaps identified. The standards may have wording you can adapt for your purposes. You can also refer to one of the many books and tools available for plan development.
Finally, ensure your plans are consistent with the standards' frameworks, at least from a content perspective. It's not necessary to map your plans to the exact sequence listed in the standards for business continuity and disaster recovery, but if you're not bound by any corporate mandates, you can use them to model your plans.
More options for BC/DR standards and practices
Business continuity market continues to evolve
Integrate BC/DR planning with day-to-day operations