Please note that this is a page from a previous version of Continuity Central and is no longer being updated.


Closing the divide between business continuity management and IT disaster recovery

By Ron Miller

It has almost become a cliché over many years now that IT disaster recovery frequently appears to be divorced from business continuity management within organizations. Why this should be the case is sometimes puzzling given that business continuity is often ‘dumped’ in the laps of the IT department as “something to do with disaster recovery and losing our computers and all that stuff…”

What is perhaps more surprising is that even when this dislocation is evident to business units and IT department staff there is a marked reluctance to do anything about it. Why is this? Is it because business continuity management is perceived as the love-child of IT DR and is now the unruly teenager giving its parent a hard time? Is it because IT departments are inward-looking “organizations-within-organizations” and no-one in them really understands the broader purpose and objectives? Is it because business units and BC practitioners within companies simply don’t understand the technology and have neither the knowledge nor the inclination nor the authority to intervene?

A few years ago I attended a Business Continuity Institute regional forum-meeting which took place just after a draft of the British Standard for Business Continuity Management – BS 25999 – had been released for public consultation. As a member of the panel developing the standard I had been asked to brief fellow practitioners attending the meeting on progress and the thinking behind the standard, and I was keen to hear their thoughts on the document and whether they felt it hit the mark. I was struck by the reaction of one attendee – an IT manager – who stated that in his view it failed to meet his requirements as a standard because it wasn’t about disaster recovery. His perception was obviously that business continuity management was a subset of IT DR and not the other way round.

Yet we can’t place all the blame on misinformed individuals within IT departments. Far too often service-users abdicate their responsibilities when considering the ICT elements of continuity. A common complaint from IT departments is that when users are asked for their requirements the response is either:

- everything is wanted immediately with absolutely no loss of data; or:
- there is a deafening silence.

Since the former results in potentially prohibitively costly IT resilience and continuity measures, the organization’s senior management typically recoil from such expense and then instruct the IT team to do what it thinks best within the budget available. In the latter, the IT team has to second-guess the service-users. The end result is the same in both cases: the implementation of inappropriate and often ineffective ICT continuity measures, and confusion about the purpose, scope and objectives of those measures.

In practice this means that service-users frequently expect the armour-plated-Ferrari solution but get a budget-city-car version. It also means that this disparity is invariably overlooked until the evil day when continuity plans have to be implemented in anger ... and by then of course, it’s too late. So the problem is about a mismanagement of expectations and a lack of communication between two elements within organizations, but it’s also about entrenched positions and a silo mentality.

Recognition of such problems led to a decision by BCM/1 (the BS 25999 committee) to embark on the development of BS 25777 – ICT Continuity Management Code of Practice, which was published in November 2008. The aim of the standard was to provide additional guidance to those engaged in business continuity management and related IT DR. It followed the framework established by BS 25999 and sought to provide a means by which IT continuity and resilience could be integrated into the wider business continuity objectives of the organization, rather than the somewhat disjointed approach often apparent.

BS 25777 emphasises that IT DR is simply one aspect of IT continuity, which has to be viewed in the same holistic manner as wider business continuity management. It also makes clear that ICT continuity management supports the overall business continuity management processes of an organization. It is BCM which seeks to ensure that the organizational processes are protected from disruption and that the organization can respond positively and effectively when disruption occurs. The resulting business continuity management priorities are what drive ICT continuity management.

So, more than two years since the release of BS 25777, has it succeeded in closing that great divide between what IT departments see as their objectives and those wider business continuity objectives? Depending on your point of view and the situation within your organization the answer is either “it’s too soon to tell”, “the jury is still out” or “no, not at all”. There is anecdotal evidence to suggest that those entities adopting BS 25999 have implemented much of what is contained within BS 25777 and that auditors frequently refer to the standard when reviewing the technology and information business continuity strategies, but there is evidently a long way to go before an integrated approach to IT DR within business continuity management is widespread.

So what else should be done?

Maybe the problem is that IT managers think that business continuity is something that they don’t want to get involved in as it is too far removed from their core competences. It also seems that IT security is as important an element for many IT departments as disaster recovery, and many have used or are using ISO 27001 (Requirements) or ISO 27002 (Code of Practice) to provide assurance to their businesses of their competence, etc. Both of these standards have sections on business continuity and perhaps – just perhaps – many IT managers feel that once they have either adhered to the guidance or satisfied the requirements of such standards, they can sit back in the belief that they have “done their bit”. They can demonstrate their competences and do not have to worry about the messy BCM which is all about products and services and people, etc.

So what if the answer to narrowing this great divide between IT DR and business continuity management is to develop guidance which sets BCM in the context of information security and vice versa? Arguably that’s what BS 25777 does, but if it could be used as the basis for an information security standard wouldn’t that get greater buy-in from the IT department?

Step forward ISO 27031

ISO 27031 – ‘Information technology – Security techniques – Guidelines for ICT readiness for business continuity’ has just been published by BSI. It provides detailed guidance on how companies may enhance the resilience of their ICT infrastructures by aligning their IT DR within a comprehensive and rational continuity environment that is driven by the organization’s business continuity objectives and risk appetite.

The questions you might be asking now are, “What about BS 25777? Where does this fit in?” Well, the answer is that it is embedded in the new ISO standard. Read ISO 27031 and you quickly realise that much of it is derived from BS 25777; indeed, the common-sense approach of the British Standard means that in many ways what we have here is an internationalisation of BS 25777.

What does it do?

ISO 27031 describes the concepts and principles of ‘ICT readiness for BCM’ (IRBC), which encompasses all events and incidents (including security related) that could have an impact on ICT infrastructure and systems. It includes and extends the practices of information security incident handling and management and ICT readiness planning and services, and is intended for use in organizations of all sizes in all sectors. It explains its relationship with business continuity management, emphasising the role that ICT readiness has in supporting business continuity priorities and the need for ICT services to be resilient and capable of being recovered to predetermined levels within timescales required and agreed by the organization. It reiterates a fundamental point contained within BS 25777: that an organization has to set out its business continuity management priorities, and it is these that drive IRBC activities. Thus BCM sets the agenda, and if an IT department is to approach resilience, continuity and DR in a manner which integrates with the wider organizational objectives it needs to engage with that organizational programme rather than rely on its narrow view of criticalities.

So far, so familiar.

There are some departures from the approach adopted in BS 25777; for example, it adopts a Plan, Do, Check, Act approach rather than the continuity lifecycle that we have hitherto seen in British continuity standards guidance documents. It also provides much more detailed guidance on performance measurement. However, in many ways these are peripheral issues, because at its heart this is a business continuity document which is intended to sit solidly within the information security sphere of standards. If an organization wishes to implement the business continuity requirements contained in either ISO 27001 or BS 25999-2, then there will at long last be a common document that provides guidance on good practice for an information security management system and/or a business continuity management system.

Will it encourage a closure of the great divide? I certainly hope so because for far too long IT continuity (particularly IT DR) has languished in a ghetto, inward-looking and divorced from organizational needs and it’s about time all that changed.

Author: Ron Miller, MA ACII MBCI, is Principal Consultant, SunGard Availability Services (UK) Limited, http://www.sungard.co.uk

• Date: 25th March 2011 • Region: UK/World • Type: Article • Topic: IT continuity
