Topic-specific policies
ISO/IEC 27031


Search this site
 

ISMS templates

< Previous standard      ^ Up a level ^      Next standard >

 

ISO/IEC 27031:2011 < Click to purchase via Amazon — Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity (first edition)

 

Abstract

“ISO/IEC 27031:2011 describes the concepts and principles of  information and comunication technology (ICT) readiness for business  continuity, and provides a framework of methods and processes to  identify and specify all aspects (such as performance criteria, design,  and implementation) for improving an organisation's ICT readiness to  ensure business continuity ...”
[Source: ISO/IEC 27031:2011]
 

Introduction

ISO/IEC 27031 provides guidance on the concepts and principles behind the role of Information and Communication Technology in ensuring business continuity.

The standard:

  • Suggests a structure or framework (a coherent set or suite of methods and processes) for any organisation – private, governmental, and non-governmental;
  • Identifies and specifies all relevant aspects including performance criteria, design, and implementation details, for improving ICT readiness as part of the organisation’s ISMS, helping to ensure business continuity;
  • Enables an organisation to measure its ICT continuity, security and hence readiness to survive a disaster in a consistent and recognized manner.

 

Scope and purpose

The standard encompasses all events and incidents (not just information security related) that could have an impact on ICT infrastructure and systems. It therefore extends the practices of information security incident handling and management, ICT readiness planning and services.

ICT Readiness for Business Continuity [a general term for the processes described in the standard] supports Business Continuity Management “by ensuring that the ICT services are as resilient as appropriate and can be recovered to pre-determined levels within timescales required and agreed by the organisation.”

ICT readiness is important for business continuity because ICT is prevalent and vital: many organisations’ critical business processes (including those involved in managing incidents plus the related business continuity, disaster and emergency responses) are highly dependent on ICT. Therefore, BCM would be incomplete without adequately considering the need to protect availability and continuity of the ICT.

ICT readiness encompasses:

  • Preparing the organisation’s ICT (i.e. the IT infrastructure, operations and applications), plus the associated processes and people, against unforeseeable events that could change the risk environment and impact ICT and business continuity;
  • Leveraging and streamlining resources among business continuity, disaster recovery, emergency response and ICT security incident response and management activities.

ICT readiness should of course reduce the impact (meaning the extent, duration and/or consequences) of information security incidents on the organisation.

The standard incorporates the cyclical Plan-Do-Check-Act Deming-style approach, extending the conventional business continuity planning process to take greater account of ICT. It incorporates ‘failure scenario assessment methods’ such as Failure Modes and Effects Analysis, with a focus on identifying ‘triggering events’ that could precipitate more or less serious incidents.

The SC 27 team responsible for ISO/IEC 27031 liaised with ISO Technical Committee 233 on business continuity, to ensure alignment and avoid overlap or conflict.

 

Status of the standard

ISO/IEC 27031 was originally intended to be a multi-part standard, then two parts (a formal specification plus a guideline) and finally a single part (just the guideline)

The first edition was published in 2011.

The routine standard revision project ran into the buffers and was cancelled in 2020.

A rebooted SC 27 project is once again revising the standard to cover the need for ICT support for business continuity arising from both deliberate and accidental incidents.

The second edition is to be re-titled “Information technology — Cybersecurity — Information and communication technology readiness for business continuity”.

The second edition is at Final Draft International Standard stage and should be published at the end of 2024 or in 2025.

 

Personal comments

The value of this standard is unclear, given that ISO 22301 does such a good job in this general area while ISO/IEC 24762 covers ICT Disaster Recovery specifically.

I personally feel the standard should be extended beyond the ICT domain since:

  • the ISO27k standards concern risk and security to information, not just “ICT” (a clumsy and unnecessary amplification of good old “IT” which in common usage has included comms for, oh at least 50 years); and
  • Operational Technology (such as Industrial Control Systems running manufacturing plant, and assorted facilities management systems providing power, cooling etc.) is not mentioned, not even once - neither included nor excluded, just completely ignored.

However, the standard’s scope is specific to ICT:

“The scope of this document is clearly delimited on information and communication technology (ICT) readiness for business continuity. Readiness of ICT for business continuity means that ICT and its operational capabilities demonstrate the ability to achieve desired business continuity objectives in case of a disruption affecting ICT.”

Furthermore, to avoid any hint of overlap/conflict with the ISO 22300 standards, the revised ToR clearly states that ISO/IEC 27031 will not replace a Business Continuity Management System. That said, the draft 2nd edition orbits around “IRBC” (ICT Readiness for Business Continuity) ... which is essentially a systematic way to manage the IT elements of business continuity, supplementing the BCMS as a whole.

Although the issued standard mentions ICT resilience to - as well as recovery from - disastrous situations, the coverage on resilience is quite light.

Contingency planning involves developing the organisation’s flexibility, capability, resources and dogged determination to cope with whatever situations actually eventuate, preparing for the uncertainties and challenges ahead. What will actually happen following an incident is contingent on the situation that occurs, its significance (reflecting its scale, nature, timing, implications for the business etc.) and the resources available (surviving!) at that point. The draft revised standard only refers once to ‘contingency’, as a convoluted note to the definition of [ICT] readiness.

 

< Previous standard      ^ Up a level ^      Next standard >

Copyright © 2024 IsecT Ltd. Contact us re Intellectual Property Rights