James Thew - Fotolia
To ensure their business continuity and resilience efforts are best in class, organizations rely on standards -- both established and new.
Many standards for business continuity and disaster recovery (BCDR) have been updated in the past two to three years. They have also been joined by newer and more focused standards that expand the knowledge and standards base for BCDR professionals globally.
These newer standards address an issue that has been the subject of debate over the past 20 years: IT resilience. Some consider resilience to be the future of business continuity and disaster recovery, while others view it as a practice that's completely separate and distinct from BCDR. Most of the fundamental issues that make up the BC profession can be found in business continuity and resilience standards.
Let's review existing standards for business continuity and resilience, their recent updates and newer standards that extend the reach and focus of the BCDR profession. To obtain copies of these standards, purchase the full documents on the standard organizations' websites.
ISO 223XX and other resilience standards
Standards for business continuity and resilience include the International Organization for Standardization's ISO 223XX series and its latest additions, plus other relevant standards and documents. While some of these standards are applicable globally, many countries have their own BCDR and resilience standards, regulations and practices. The standards referenced below may be most relevant for a U.S. audience.
Standards created by the ISO are the most widely used and have become firmly established in the U.S. Typically, ISO updates standards every 5 years. ISO 22301:2019 Security and resilience -- Business continuity management systems -- Requirements is the global business continuity standard.
Standards serve as helpful guidelines for a business continuity strategy. They cover a wide range of topics within the field of business continuity and can aid with compliance, security, resilience and recovery.
Updated by ISO in 2019, this standard provides additional information to plan and execute a business continuity management system. It can also serve as a tool to audit business continuity programs.
Below are the current standards in the ISO 223XX series that apply to business continuity and resilience.
When selecting a disaster recovery provider or planning crisis communications, organizations may also find ISO/IEC 27031:2011 and ISO/IEC 24762:2008 to be useful.
ISO/IEC 27031:2011 is titled Information technology -- Security techniques -- Guidelines for information and communications technology readiness for business continuity. This standard provides a concise description of a technology disaster recovery program.
ISO 24762:2008 is titled Information technology -- Security techniques -- Guidelines for information and communications technology disaster recovery services. It provides useful criteria to select a service provider.
The ISO standards in the table above explicitly address business continuity and resilience. However, there are other standards that address different areas of IT that can guide resilience and BCDR planning. The standards in the table below are worthwhile parts of a BCDR professional's technical library.
Resilience standards from across the pond
Many of the resilience standards in widespread use today originated from the U.K., in the form of publicly available specifications or British Standard documents. The British Standards Institution (BSI) continues to develop and publish standards and guidance documents that are essential reading for BCDR and resilience professionals.
The Business Continuity Institute provides a solid foundation to understand BCDR activities with its Good Practice Guidelines (GPG). Training courses based on the GPG are available from established educational firms.
In August 2020, the U.K. government published version 3.0 of a set of individual standards to guide resilience on the local level. While these standards are not intended to be international and were created specifically for the U.K., they cover relevant and important BCDR activities such as risk assessments and informing the public of a crisis.
Other resilience standards of note
The ISO TC-292 committee on security and resilience and the BSI continue to be among the leading voices in the evolution of standards. Standards and regulations addressing specific vertical markets, such as banking and healthcare, have also been updated by their respective organizations. The National Institute for Standards and Technology, National Fire Protection Association and ASIS International are the global leaders in the development of standards for business continuity, security and resilience.
In addition to these standards, ASIS International has also published an e-book, Business Continuity Guideline: A Practical Approach for Emergency Preparedness, Crisis Management, and Disaster Recovery. In 2019, the Federal Financial Institutions Examination Council updated its IT examination handbook, Business Continuity Management. The Disaster Recovery Journal continues to update its generally accepted practices for business continuity.