How would you recover if something went drastically wrong with some, or all of your business operations? When we think of worst-case scenarios, typically the risk to IT and information is front of mind. But, as the storming of the US government buildings in January demonstrated, the breach of physical defences is just as much a threat to information – not to mention the safety of people and premises.
From threats to IT and information to risks associated with premises and the supply chain, there are just too many variables that are out of the control of any organisation.
That’s why this article looks at the various security frameworks and standards available to organisations wanting to protect and manage these risks, prepare for and minimise the impact of disruptions and build business resilience.
In particular, we will focus on two of the ISO family of standards – ISO 27001 and ISO 22301 and the situations where each comes into play.
Determining your level of risk
Information Technology (IT) today plays a role in every business.
Different types of business have different levels of reliance on their IT – this level of reliance informs the level of risk if something goes wrong with some or all of your business operation.
And the level of risk determines your approach and investment to addressing problems if they occur. So, every business that has any element of reliance on IT needs to consider the security of their information, the resilience of their IT and what to do when things go wrong.
You may be aware of your level of risk and are here because you want to deepen your knowledge of business continuity and disaster recovery and the relevant standards. However, if you are unsure, you will find Ascentor’s Online Risk Assessment of help. It involves 12 questions and you’ll receive your results and an action plan.
Take the test here – it’s free, completely confidential and we don’t ask for any identifying data: Online Risk Assessment test
Some Definitions – With Relevant Standards For Each
As with any discussion of terminology a little clarity helps. These are very short explainers of much bigger topics but, for the purposes of this blog, enable a ‘helicopter view’ of the main aspects of each.
Information security, sometimes shortened to ‘Infosec’, is the practice of protecting information by mitigating information risks. It is part of information risk management and typically involves preventing or at least reducing the probability of unauthorised/inappropriate access to – or the unlawful use of – data. It also involves actions intended to reduce the adverse impacts of such incidents. (Wikipedia).
Also known as Business Continuity Management (BCM), it the most powerful way a business can effectively manage any disruption arising from an incident affecting the availability of critical business processes. It is the process of creating systems of prevention and recovery to deal with potential threats to an organisation and enable ongoing operations before and during execution of disaster recovery. (Wikipedia).
The certification standard for Information security is ISO 22301.
Disaster Recovery involves a set of policies, tools and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a natural or human-induced disaster. Disaster recovery focuses on the IT or technology systems supporting critical business functions, as opposed to business continuity, which involves keeping all essential aspects of a business functioning despite significant disruptive events. Disaster recovery can therefore be considered a subset of business continuity. (Wikipedia).
The term ‘Disaster Recovery’ is not an ISO recognised term, but, as it involves being able to recover the IT infrastructure, it is most closely covered by ISO 27031 which focuses on preparing IT for recovery.
What is it?
ISO 27001 is probably the most well-known of the ISO standards as it’s the one that organisations are audited against.
It’s the international standard for information risk management, designed to provide guidance in the selection of adequate and proportionate controls to protect information. However, it does not explain how business continuity management should be implemented.
The controls include identifying information security risks, proactively managing compliance with laws and regulations and providing a framework for the implementation and management of controls. They also set out the objectives of information security management and define the information security policies, processes and standards to be adopted by a business.
Why have it?
- You recognise that loss or leakage, non-availability, or loss of integrity of information must be prevented in order to create value for customers and preserve trust.
- You want to provide third parties and customers with confidence that any information they share will be protected.
- It’s accepted worldwide as evidence of an organisation’s commitment to information security.
Who’s it for?
- If your organisation is dependent on IT to deliver services and not physical products, it’s likely that information technology and its security is crucially important. For example, you might be a telecoms provider, financial institution or e- commerce site.
- If you are concerned about a threat to your data – perhaps a denial of service, data or IP theft, ransomware attacks – ISO 27001 is essential.
Further information on ISO 27001.
What is it?
ISO 22301 is the international standard for business continuity management. It was developed to help organisations prepare for and minimise the impact of disruptions which are often totally outside their control. This disruption can be anything from a minor annoyance to a complete loss of essential services. Even the inability to get into a building – or to keep others out, can have dire consequences.
Having the ability to recover quickly from a cyber attack is another example of the benefit of having a business continuity plan, especially if access to an IT system or the internet is mission critical.
Why have it?
- Continued operation in the event of business disruption is a fundamental requirement for any organisation.
- ISO 22301 will help you identify your critical assets and put in place management processes and plans to ensure those assets are available in the event of an incident.
- It will also protect your reputation and revenue and assure customers that you have the necessary measures in place.
Who’s it for?
- When your important processes and resources depend on more than IT alone and you have vulnerability to threats that are not IT related. For example, you might be a manufacturer with supplies going in and out, a production unit, warehousing and offices, and a delivery supply chain.
- When you need to plan for scenarios such as a supplier’s production being halted or your office being unsafe for entry – just two examples of things out of your control.
- If you are concerned about the physical security of any aspect of your business – ISO 222301 is essential.
Further information on ISO 22301.
ISO 27001 vs ISO 22301 – which one do you implement? Or both?
The above scenarios describing Information Security and Business Continuity are not always mutually exclusive. Many organisation’s needs fall somewhere between and require a blend of measures to address information security and business continuity risks and recovery. You could implement both, but clarity on your level and areas of risk will point you towards which standard to choose first.
You’d be more likely to consider ISO 27001 if you mainly deal with digital products and services and your business is largely run on IT. If the risks you face are mainly non-IT and have the potential to damage or stop your operations, you would find the business continuity management standard ISO 22301 more closely meets your needs.
There is, however, one additional standard we should cover. We mentioned that ISO 27001 covers what must be accomplished, but not actually how to do it. So, how do you manage the implementation?
ISO 27031 – The ‘Recovery’ standard
Most businesses think about their IT when considering what would be involved in disaster recovery. Which makes ISO 27031 the standard to follow as it covers a systematic process to prevent, predict and manage incidents that disrupt IT. However, ISO 27031 is not just about IT recovery. It covers the continuity of business as a whole considering many types of incidents as a potential cause of disruption (including a pandemic).
So, ISO 27031 comes in to play as the implementation tool for ISO 22301, focusing on the organisation’s facilities, technology, data, processes and suppliers – providing the know-how needed for the continuity of IT.
Further information on ISO 27031.
How Ascentor can help
Implementing ISO management system standards is a time consuming task for any organisation. As well as helping you identify your level of risk, Ascentor’s Gap Analysis can steer you through what is needed to become ISO 27001 compliant. We’ll help you understand where you are today, what needs to be done and an outline plan of how to achieve it.
More about Ascentor’s support for ISO 27001 certification.