Confusion about mixing up business continuity management and information security or IT disaster recovery is widespread. Let’s set things straight.
For outsiders, it is not easy to distinguish the specific purposes of business continuity management (BCM), information security (IS) and IT disaster recovery (IT DR). All three areas have something to do with “security”, “losses”, “disasters” and “protection”. Read on to learn more about the particular roles of three disciplines that management often misunderstands.
For starters, let’s have a look at the definitions (in practical terms, not the rather dry official definitions):
Business Continuity Management (BCM)
As the name says, BCM protects enterprises (whole businesses) from the undesirable and uncontrollable consequences of business interruptions. Since staff are the most precious resource of an organization, protecting employees’ lives has the highest priority. Beyond this, there is typically a whole range of other critical assets and resources to be protected. In the context of this article, IT is treated as one such critical resource. Implementation of a business continuity approach is governed by ISO 22301.
Various flavors of interruptions
Interruptions may or may not have anything to do with IT systems. The IT systems may be up and running, but if a major supply chain has been interrupted, production may stop unexpectedly and indefinitely. If a fire destroys a warehouse, your deliveries to customers might be affected. If staff are unable to reach the organization’s call center because of bad weather, sales or customer service will be impacted.
Information Security (IS)
Information security, as specified in the ISO 27000 series of standards, deals with the proper, safe and secure handling of information within an organization. This range of standards (with its flagship ISO 27001) focuses not only on technical issues but also deals with handling information on paper and with human aspects such as social engineering.
One model to express the essence of information security is the CIA model. The acronym stands for confidentiality, integrity and availability. According to widely accepted best practices, information needs to be classified (e.g., public, internal, confidential), which means that access is organized on a “need-to-know” basis. Integrity provides assurance that the results presented by IT systems can be trusted and have not been (intentionally or otherwise) tampered with. “A” stands for availability: a characteristic of information by which it can be accessed by authorized persons when it is needed. For example, an IT system which is not running or is not accessible is of no use. If this IT system is of importance to the organization (to the business), it is of interest to the BCM approach, too. Here we have an important overlap.
IT Disaster Recovery (IT DR)
If we experience a system which is not available, we have every interest in getting it up and running within a specified period of time. This timeframe, in turn, is determined during the business impact analysis phase of the BCM lifecycle (as per ISO 22301 and ISO 22317). Defining the proper IT DR parameters is important within the context of both information security and business continuity management. ISO 27031 describes the concepts and principles of information and communication technology (ICT) readiness for business continuity, IT DR being part of this approach.
Waiting for the disaster?
However, IT DR is only a reactive activity, and a proper BCM and IS approach equally demands proactive and preventive measures to reduce both the probability and the impact of an IT outage disaster. This is achieved by properly designing the affected IT systems, usually by adding redundant elements and thereby avoiding so-called “single points of failure” (abbreviated as SPOF).
Let’s be careful with these three terms
We need to be. Let’s reiterate: the “B” in BCM stands for the whole business and encompasses more than just IT. BCM needs to be implemented according to ISO 22301. However, IT usually is a very important pillar of the organization. As such, IT should not be excluded from a BCM approach, but needs dedicated implementation according to the ISO 27000 range of standards.
IT DR is a specific reactive discipline aimed at restoring IT systems which have stopped operating. It is a crucial element of both BCM and IS, but is quite useless if used as a single measure. As a stand-alone tactic, IT DR neither provides adequate protection for a business nor is it a replacement for an information security approach.
BCM is certainly not an IT-internal issue, but covers a lot of non-IT aspects as well. A proper information security implementation is an essential and ideal building block for a holistic BCM approach.