Business Continuity Planning Best Practices Iso27001


In 2020, every industry underwent an unwelcome stress-test for business continuity. According to Gartner, only 12% of businesses ranked themselves as fully prepared for the impact of COVID-19.

While the dust is yet to settle, most organizations are starting to realize that their earlier policies are no longer sufficient to deal with newly emerged and accelerated risks. The global pandemic isn't the only operational disruptor to be aware of. Technical failures are far more commonplace, as the latest data from IBM shows:

[Image: IBM statistics on the frequency of technical failures (source link not preserved)]

With a growing number of operations and infrastructures being migrated to the cloud, cybersecurity becomes a top-level concern. To protect their infrastructure, organizations need to reassess their business continuity plans.

What Is a Business Continuity Plan?

A business continuity plan (BCP) is an operational document, outlining how an enterprise will operate in case of an unplanned disaster. A business continuity strategy specifies disaster recovery approaches for recovering IT infrastructure, servers, applications, network connections, and any other resources required to run business operations. In addition, it provides a larger set of instructions for all teams on their responsibilities and actions towards regaining normal operations.

What Is the Primary Goal of Business Continuity Planning?

The goal of business continuity planning is to ensure the rapid recovery of your operations and to minimize operational downtime and data loss. A systemized approach to business continuity management also helps to ensure the rapid resumption of services after an unplanned event, be it a natural disaster, a global pandemic, or a minor operational disruption (e.g., accidental data loss).

Given the current uncertain business climate, implementing a business continuity plan is crucial for ensuring greater operational resilience and protecting your company against internal and external volatility.

Why Is Business Continuity Important?

This year many businesses recognized the importance of business continuity planning when they were unexpectedly forced to shift to remote work and enable remote access to a large volume of business applications, services, and data centers. For many, the crisis presented a new opportunity to speed up the implementation of advanced technologies and adopt new digital products:

[Image: survey data on the accelerated adoption of advanced technologies and digital products (source link not preserved)]

Now, however, a new challenge arises: with greater reliance on digital products, data storage, and supporting IT infrastructure, business leaders need to ensure business continuity across a wider range of assets.

Given that the hourly cost of an infrastructure failure reaches $400,000 for 41% of organizations and tops $2 million on average for another 45%, further digitalization without proper continuity planning can accelerate, not mitigate, the operational risks.

In addition, the scope of business continuity plans also covers data backups and protection, another crucial aspect of ensuring business-as-usual operations and avoiding regulatory penalties.

As operations restart across industries, taking proactive business continuity planning steps is crucial for ensuring that the new hybrid IT environments are as secure, strong, and resilient as possible.


A 5-Step Business Continuity Plan Checklist

Digitally transformed companies now operate hybrid IT environments. While such operational setups diversify the risks, they also require more diligence when it comes to security, infrastructure monitoring, and performance optimization. The reason is that the failure of a single element can ripple across your entire business infrastructure.

A comprehensive business continuity planning process creates a clear recovery pathway for your systems and an operational blueprint for your personnel.

At Infopulse, we recommend that our clients implement a business continuity system based on the following five practices.

1. Develop a Detailed Business Continuity Plan

A business continuity plan is a master checklist outlining the following:

  • Complete hardware and software inventory
  • Required data backups and backup site locations
  • Main disaster recovery solutions and sites
  • A designated alternative site for operations
  • Contact information of emergency respondents
  • Notification matrix, suggesting who should be informed
  • Communication plan for employees, clients, and other affected stakeholders
  • Blueprint for the recovery plans

The goal of a BCP is to provide exhaustive information regarding the backup sites and disaster recovery services, to specify who is in charge of leading the recovery efforts, and to define how different teams should respond. Plans should also include step-by-step operational strategies for sustaining operations during short-term and long-term disruptions.

Below is an example of a business continuity plan used by IBM Global Technology Services:

[Image: example business continuity plan from IBM Global Technology Services (source link not preserved)]

2. Implement 24/7 Infrastructure Monitoring and Support

Infrastructure monitoring tools help assess and diagnose the performance of all your technical assets – on-premises and cloud systems, networks and servers, virtualized environments, and any other portfolio items. By knowing how your systems operate, you can catch the early signs of potential disruptions due to network saturation, malware, unplanned downtime, or external intrusion.

Considering that most enterprises have significant technical portfolios, with infrastructure residing in on-premises data centers, IaaS and PaaS cloud platforms, and edge devices, infrastructure monitoring software also provides complete visibility into all assets and consequently enables faster discovery of incidents.

The best infrastructure monitoring tools provide real-time insights regarding performance degradation and can be configured to:

  • Run 24/7 automated monitoring of networks, servers, applications, and databases, regardless of their location.
  • Perform proactive performance measurement and provide recommendations for improvements.
  • Provide a detailed classification of incidents and steps for resolution.

With well-configured IT infrastructure monitoring, you can achieve nearly 100% availability of business-critical operations around the clock, as one of our clients did. In addition, you can reduce the operational costs of monitoring by selecting an automated monitoring solution and having an external L2/L3 support team on the front line. That is exactly what another Infopulse client did to improve their customer service levels; learn more about this project in our case study.

3. Create a Disaster Recovery Strategy

A disaster recovery plan is the cornerstone of a BCP, though the two terms are often confused. So, to clarify: what is disaster recovery?

Disaster recovery (DR) is an annexed plan specifying the main strategies, policies, and procedures for managing IT disruptions and returning to full operations after an unplanned interruption.

In this sense, when comparing disaster recovery vs business continuity, you should note that:

  • Business continuity planning spans multiple operational processes and departments. It is a master plan for mitigating disruptions and regaining control.
  • Disaster recovery is a key part of the BCP. However, its operational focus stays on IT systems and data recovery.

A standalone DR plan includes the following documented elements:

  • A complete list of hardware and software assets, ranked by criticality;
  • Baseline recovery point objectives (RPO) and recovery time objectives (RTO) for each set of applications;
  • Key personnel responsible for executing the disaster recovery plan;
  • A list of disaster recovery sites and disaster recovery software;
  • Extra instructions for customers and employees.

Your DR strategy should be designed around your recovery goals, based on the RTO and RPO values for different types of assets.

For example, critical customer-facing solutions will require a hot disaster recovery site: one that hosts a full copy of your production site, including up-to-the-moment data backups. In such cases, businesses opt for cloud-based disaster recovery as a service (DRaaS) solutions that provide an RTO in minutes and an RPO in seconds.

Less critical systems (i.e., those that can tolerate a longer recovery) can be placed in warm sites. These act as remote backups of your production site; however, they require extra time and effort to bring hardware and network connections online.

Lastly, your DR plan should also specify cold sites: remote, more affordable locations that require extra configuration to become fully operational. Cold DR sites are the optimal choice for backing up non-critical data (e.g., information that you store due to compliance requirements).

Apart from ranking applications (and data) by recovery priority, your DR strategy should further specify the end-to-end recovery process, including data backups, archiving, restore procedures, and cleanup.

In addition, ask your internal DR team or external consultants to:

  • Select, configure, and implement a continuous deployment (CD) toolkit to achieve a smooth recovery.
  • Verify that DR sites have the same security and compliance configurations as production sites.
  • Check the overall security of your DR process, along with access management policies.

4. Raise Employee Security Awareness

Even the best-in-class business continuity solutions will fall short if business users fail to follow basic IT security best practices. Phishing and social engineering scams targeted at remote workers are on a steady rise, with 36% of CIOs admitting that the volume of cyber threats has increased since the transition to remote operations.

Disaster recovery and business continuity plans can help deal with the aftermath of an attack or data breach. However, they'll eventually fall short if your teams do not understand:

  • How their daily actions contribute to operational disruptions.
  • How to report suspicious activities and escalate an issue.
  • What their roles and responsibilities are in the BCP process.

Make basic cybersecurity and business continuity training mandatory for all personnel to help them develop adequate cybersecurity habits.

5. Conduct Disaster Simulation Tests

Having a BCP and a DR plan is just one part of the equation. You also need to know how effectively your team can act upon it. If you have recently implemented a new plan or adopted new business continuity software, organize a stress test for it.

To do that, create an environment that simulates an actual disaster (e.g., a data center power outage). Assess how all involved infrastructure and personnel respond.

To monitor the effectiveness of your plan, set forth several business continuity metrics:

  • Target RPO/RTO
  • Target SLA levels
  • Mean time to recover a business process
  • Difference between target and actual recovery time

Observe your team's responses and document where they struggle. Finally, analyze the findings to determine knowledge and process gaps in your plans.
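The two pieces of this checklist that turn into numbers are the RTO/RPO-based site tiering from step 3 and the drill metrics from step 5 (target vs. actual recovery time, mean time to recover). The following script, an added example that is not code from the original article or from Infopulse, ties them together: each asset carries its RTO/RPO targets, is mapped to a hot, warm or cold site, and is then scored against a constructed drill log for a simulated data-center outage. The tier thresholds, asset names and drill timestamps are all assumptions made for the example.

```python
# Added example (not from the original article or Infopulse): tiering assets
# by their RTO/RPO targets and scoring a disaster-simulation drill against
# them. Tier thresholds and all sample data below are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Asset:
    name: str
    rto: timedelta  # recovery time objective: max tolerable downtime
    rpo: timedelta  # recovery point objective: max tolerable data loss


@dataclass(frozen=True)
class DrillResult:
    asset: str
    outage_start: datetime       # when the simulated disaster hit
    last_good_backup: datetime   # newest restorable copy at that moment
    service_restored: datetime   # when the asset was declared operational


# Illustrative tier thresholds (assumption, not figures from the article):
# anything needing minute-level RTO or second-level RPO belongs on a hot site.
HOT_MAX_RTO = timedelta(minutes=15)
HOT_MAX_RPO = timedelta(minutes=1)
WARM_MAX_RTO = timedelta(hours=4)


def dr_tier(asset: Asset) -> str:
    """Map an asset's recovery targets to a hot, warm or cold DR site."""
    if asset.rto <= HOT_MAX_RTO or asset.rpo <= HOT_MAX_RPO:
        return "hot"
    if asset.rto <= WARM_MAX_RTO:
        return "warm"
    return "cold"


def evaluate_drill(assets, results):
    """Return per-asset actual RTO/RPO, the gap to target, and a pass flag.

    A positive gap means the drill missed the target by that much.
    """
    targets = {a.name: a for a in assets}
    report = {}
    for r in results:
        target = targets[r.asset]
        actual_rto = r.service_restored - r.outage_start   # downtime
        actual_rpo = r.outage_start - r.last_good_backup   # data lost
        report[r.asset] = {
            "tier": dr_tier(target),
            "actual_rto": actual_rto,
            "rto_gap": actual_rto - target.rto,
            "actual_rpo": actual_rpo,
            "rpo_gap": actual_rpo - target.rpo,
            "met": actual_rto <= target.rto and actual_rpo <= target.rpo,
        }
    return report


def mean_time_to_recover(report) -> timedelta:
    """Mean actual recovery time across all assets in the drill."""
    total = sum((row["actual_rto"] for row in report.values()), timedelta())
    return total / len(report)


def missed_targets(report):
    """Names of assets whose drill result breached RTO or RPO, sorted."""
    return sorted(name for name, row in report.items() if not row["met"])


# Constructed sample inventory; the targets encode each asset's criticality.
ASSETS = [
    Asset("customer-portal", rto=timedelta(minutes=10), rpo=timedelta(seconds=30)),
    Asset("internal-erp", rto=timedelta(hours=2), rpo=timedelta(hours=1)),
    Asset("compliance-archive", rto=timedelta(hours=72), rpo=timedelta(hours=24)),
]

# Constructed drill log for a simulated data-center power outage at 09:00.
T0 = datetime(2021, 3, 1, 9, 0, 0)
DRILL = [
    DrillResult("customer-portal", T0, T0 - timedelta(seconds=15), T0 + timedelta(minutes=8)),
    DrillResult("internal-erp", T0, T0 - timedelta(hours=1, minutes=30), T0 + timedelta(hours=3, minutes=30)),
    DrillResult("compliance-archive", T0, T0 - timedelta(hours=13), T0 + timedelta(hours=25)),
]


if __name__ == "__main__":
    report = evaluate_drill(ASSETS, DRILL)
    for name, row in report.items():
        status = "OK" if row["met"] else "MISSED"
        print(f"{name:20} {row['tier']:4} RTO gap {row['rto_gap']}  RPO gap {row['rpo_gap']}  {status}")
    print("mean time to recover:", mean_time_to_recover(report))
    print("assets missing targets:", missed_targets(report))
```

In the constructed drill, the ERP system misses both its RTO (by 1.5 hours) and its RPO (by 30 minutes), which is exactly the kind of finding the post-drill analysis should turn into a process gap: either the warm site needs faster hardware and network provisioning, or the backup cadence needs to move closer to the one-hour RPO. The gap sign convention (positive means missed) keeps the "difference between target and actual recovery time" metric readable at a glance.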

Conclusion

With the increased pace of digitization, the importance of business continuity plans cannot be overstated. While a BC/DR strategy cannot fully protect you against all unprecedented events, it can drastically reduce recovery time, help mitigate rising cybersecurity risks, and increase overall technical resilience.


Source: https://www.infopulse.com/blog/best-practices-business-continuity
