Governance, risk and compliance are important factors to business leaders. Of the three, compliance stands out because it can be validated and demonstrated. The number of standards and regulations companies have to address has grown steadily over the past 20 years, and the ability to demonstrate compliance by meeting specific standards for business continuity, disaster recovery and cybersecurity has become a competitive advantage.
For example, an increasing number of organizations want to see hard evidence that a potential business partner is compliant with specific standards, such as ISO 9000 (quality management). ISO standards are created by the International Organization for Standardization, a nongovernmental entity with representatives from over 160 countries. Because of their prevalence, ISO standards are widely used in many areas of IT.
More organizations are beginning to require evidence that companies are compliant with standards for business continuity, such as ISO 22301:2019, NFPA 1600 from the National Fire Protection Association or those found in the Business Continuity Planning booklet from the Federal Financial Institutions Examination Council. Compliance with such standards clearly demonstrates that organizations value their partners' ability to stay running when faced with a disruptive event.
The following steps can be used to determine that a cybersecurity strategy or business continuity/disaster recovery (BC/DR) plan is in compliance with today's standards:
- Identify the standards and regulations for which compliance is needed.
- Read and understand the standards and regulations.
- Assess the current state of the organization with regard to the standards and regulations.
- Pinpoint where changes need to be made to achieve compliance.
- Determine the resources and funding required to make those changes.
- Make the changes that have been identified.
- Validate and document that the required level of compliance has been achieved using either internal or external auditors.
Standards serve as helpful guidelines for a business continuity strategy. They cover a wide range of topics within the field of business continuity and can aid with compliance, security, resilience and recovery.
Perhaps the most important activity is documenting the work that demonstrates you meet compliance standards for business continuity, disaster recovery and cybersecurity. This documentation typically includes policies and procedures, as they provide real evidence that the organization has made the effort to achieve compliance.
Once an organization has achieved and demonstrated its compliance with BC/DR and cybersecurity standards and regulations, compliance must be periodically reviewed and recertified. This should be performed annually. Along with ISO 22301:2019, standards for business continuity include ISO 22316:2017 and the rest of the ISO 223xx series. Cybersecurity compliance may be determined with the ISO/IEC 27000 series. Evidence of compliance with standards and regulations is often realized as certificates that can be framed and displayed where customers can see them.