
Today's most popular business continuity/disaster recovery standards
BC/DR standards have evolved dramatically over the past 10-15 years. Find out the most widely used standards and practices with this updated list.
While much of the focus of business continuity and disaster recovery (BC/DR) standards in the past four years has been on the internationally accepted ISO 22301:2012 standard, work continues on developing new standards, practices and guidance pinpointed at BC/DR activities. This article provides an updated list of business continuity and disaster recovery standards to know and use.
First, you will find currently available U.S. and U.K. standards and good practice documents.
Then, you'll learn the business continuity and disaster recovery standards in the ISO 223XX Series, plus other relevant standards and good practice documents. Regulations addressing BC/DR, security and related issues are also in place for specific vertical markets, such as banking and healthcare. Many countries have their own BC/DR standards, regulations and practices; most recognize the ISO standards in addition to their own.
Finally, you'll get information on where to obtain your own copies of these and other standards and practices.
Globally, the ISO standards for business continuity and disaster recovery are the most widely used, and are gaining acceptance in the U.S. The global BC standard, ISO 22301:2012, provides a solid foundation for developing business continuity management systems (BCMS) and can also be used for auditing existing BC programs. ISO 22313:2012, the companion standard for 22301, provides additional details (e.g., "how-to") that support 22301's requirements.
Table 1 lists the current standards in the ISO 223XX Series that apply to business continuity and related activities. The ISO 22398 and 22399 standards are also worth a look. The standards can be purchased from the ISO by visiting the www.iso.org website and entering the number of the standard.
Table 1 – The ISO 223XX Series – Societal Security

| Designation | What it Addresses | Where to Buy |
|---|---|---|
| ISO 22300:2012 | Societal Security – Vocabulary | www.iso.org |
| ISO 22301:2012 | Business Continuity Management Systems – Requirements | www.iso.org |
| ISO 22311:2012 | Video Surveillance | www.iso.org |
| ISO 22313:2012 | Business Continuity Management Systems – Guidance | www.iso.org |
| ISO 22315:2014 | Mass Evacuation – Guidelines | www.iso.org |
| ISO 22320:2011 | Emergency Management – Requirements for Incident Response | www.iso.org |
| ISO 22322:2015 | Emergency Management – Guidelines for Public Warning | www.iso.org |
| ISO 22324:2015 | Emergency Management – Guidelines for Color-coded Alert | www.iso.org |
| ISO 22351:2015 | Emergency Management – Message Structure for Interoperability | www.iso.org |
| ISO 22397:2014 | Guidelines for Establishing Partnering Arrangements | www.iso.org |
| ISO 22398:2013 | Guidelines for Exercises | www.iso.org |
| ISO 22399:2007 | Guidelines for Incident Preparedness and Operational Continuity Management | www.iso.org |
Table 2 lists two important technology disaster recovery standards. ISO 27031 provides a concise description of a technology disaster recovery program, its planning process and supporting activities. ISO 24762 provides useful criteria for selecting a technology DR service provider. The two standards in Table 3 can also be helpful for BC/DR planning.
Table 2 – ISO Technology DR Standards

| Designation | What it Addresses | Where to Buy |
|---|---|---|
| ISO 27031:2011 | Guidelines for Information and Communications Technology Readiness for Business Continuity | www.iso.org |
| ISO 24762:2008 | Guidelines for Information and Communications Technology Disaster Recovery Services | www.iso.org |
Table 3 – Additional Important ISO Standards

| Designation | What it Addresses | Where to Buy |
|---|---|---|
| ISO 27000 | ISO Information Security Standard | www.iso.org |
| ISO 31000 | ISO Risk Management Standard | www.iso.org |
Table 4 includes the Business Continuity Institute's (BCI) Good Practice Guidelines (GPG), which provide a comprehensive foundation for understanding the business continuity process and map closely to the ISO 22301 standard. Training courses based on the BCI's GPG are available from the BCI and other established educational firms.
Table 4 – U.K. Standards and Good Practice

| Designation | What it Addresses | Where to Buy |
|---|---|---|
| PD 25222 | Guidance on Supply Chain Continuity | |
| PD 25111:2010 | Human Aspects of Business Continuity | |
| PD 25666:2010 | Exercising BCM | |
| PD 25888 | Guidance on Business Recovery | |
| BS 11200:2014 | Crisis Management Standard | |
| BS 65000:2014 | Organizational Resilience Standard | |
| PAS 7000 | Supply Chain Risk Management | |
| BCI GPG 2013 | Good Practice Guidelines from the Business Continuity Institute | |
Table 5 provides a partial listing (as does Table 4) of standards, regulations and good practice developed in the U.S. by several different organizations, such as ASIS International, the National Fire Protection Association (NFPA), the Federal Financial Institutions Examination Council (FFIEC), the Information Systems Audit and Control Association (ISACA), the Financial Industry Regulatory Authority (FINRA), the Federal Emergency Management Agency (FEMA) and the National Institute of Standards and Technology (NIST). The Disaster Recovery Journal (DRJ) offers Generally Accepted Practices (GAP) for business continuity. The NIST Special Publications 800 series provides useful insight and guidance on many aspects of information technology, including BC/DR.
Table 5 – U.S. BC/DR Standards and Good Practice

| Designation | What it Addresses | Where to Buy |
|---|---|---|
| NFPA 1600:2013 | American National Standard for business continuity and emergency management; approved as part of P.L.110-53 Private Sector Preparedness (PS-Prep) Act of 2009 | |
| ASIS SPC.1:2009 | Organizational Resilience Standard; approved as part of P.L.110-53 Private Sector Preparedness (PS-Prep) Act of 2009 | |
| FFIEC BC Handbook | Business Continuity Planning; IT Examination Handbook (2008) | |
| ISACA Document G32 | IT Auditing Guideline; Business Continuity Plans | |
| FINRA Rule 4370 | Business Continuity Plans and Emergency Contact Information; consolidates NYSE Rule 446 and NASD Rules 3510 and 3520 | |
| FEMA FCD | Federal Continuity Directives for government agencies | |
| DRJ GAP | Disaster Recovery Journal Generally Accepted Practices | |
| NIST SP 800-34 | Contingency Planning Guide for Information Technology Systems | |
| NIST SP 800-53 | Security and Privacy Controls for Federal Information Systems | |
| NIST SP 800-84 | Guide to Test, Training and Exercise Programs for IT Plans | |
An excellent single-source compendium of current standards from the U.S., U.K. and many other countries is the BCI's publication BCM Legislation, Regulations, Standards and Good Practice (January 2015).
Business continuity and disaster recovery standards, regulations and good practice have evolved dramatically over the past 10-15 years. In this article we've listed the most widely used standards and practices. Performing your BC/DR work in alignment with these standards will help ensure you are prepared for future audits and reviews.