ISO 27001 & ISO 22301

Did you think that the frequency of backup is based on the IT manager’s whims? Or, perhaps, based on the least expensive solution? Well, you are wrong.

Backup policy, or to be precise – the most important part of this policy – how often the backup is to be performed, must be based on analysis. And such analysis must be based on the business value of the data in question.

Recovery Point Objective (RPO) / Maximum Data Loss

This analysis is emphasized in ISO 22301, the leading business continuity standard. It specifies that Recovery Point Objective and Maximum Data Loss have the same meaning: “Point to which information used by an activity must be restored to enable the activity to operate on resumption.” This is basically the answer to the question How much data can you afford to lose?

The easiest way to perform this kind of analysis is during the business impact analysis (BIA), because that is when you have to complete all these interviews/questionnaires, so a couple more questions won’t disturb anyone. (Read also: Five Tips for Successful Business Impact Analysis.)

Best practice for BIA

When performing the BIA, you have to ask your respondents to list all their databases, applications and files, but also all services (e.g. email), etc., and for each of them separately to state the acceptable limit up to which you can afford to lose the data. Usually, this limit is displayed in number of hours, but sometimes it can also be in number of transactions or records.

The main criteria while doing the analysis must be the damage of any potential data loss to the company – in terms of money or other impacts like legal, reputation, etc. Also, while doing such analysis it is important not to be distracted by the fact that you already have the backup. The question is – if your existing backup fails, how much data can you really afford to lose?

The result is RPO/Maximum Data Loss – in some cases it will be 24 hours (the data you created in the last 24 hours), in others, perhaps 2 hours, but sometimes you won’t be able to afford the loss of a single bit of information – this is where RPO is zero.

Implications for backup frequency

Let’s take two examples from a bank – in the first example, in the loan application process, the bank can probably afford to lose 24 hours of data, because it won’t be very difficult to recreate the data by asking potential clients to send that information again. However, in the case of payment processing, the banks typically cannot afford to lose a single transaction – this is because of the huge volume of transactions and the inability to track back who has given which payment order if all the data is lost.

The conclusions here are actually very simple – if the analysis shows that the RPO/Maximum Data Loss is 24 hours, then you have to perform backup at least once a day; if the RPO is 2 hours, then backup has to be done at least every two hours; if RPO is zero, then you need to have a mirrored site with replication of data in real time.

But, as always, there is also the question of price – someone may say that doing the backup every 2 hours is too expensive. While this may really be so, the real question is what would be the damage to the whole business if you really lose all this data.

Click here to download a free preview of Business Impact Analysis Questionnaire template.

In my experience, companies usually find two things in their business continuity or information security management to be the most difficult: risk assessment, and business continuity planning. Here I’ll give you some tips on business continuity plans (BCP).

What is a business continuity plan?

According to ISO 22301, business continuity plan is defined as “documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following disruption.” (clause 3.5)

This basically means that BCP focuses on developing plans/procedures, but it doesn’t include the analysis that forms the basis of such planning, nor the means of maintaining such plans – all these are required elements of business continuity management that are necessary for enabling successful contingency planning.

To read more about analysis, see Five Tips for Successful Business Impact Analysis, and to find out how to interpret the analysis, read Can business continuity strategy save your money?.

Business continuity plan example

Here’s what I found to be the optimal structure for the business continuity plan for smaller and midsize companies, and what each section should include:

Purpose, scope and users – why this plan is developed, its objectives, which parts of the organization it covers, and who should read it.

Reference documents – to which documents does this plan relate? Normally, these are Business Continuity Policy, Business Impact Analysis, Business Continuity Strategy, etc.

Assumptions – the prerequisites that need to exist in order for this plan to be effective.

Roles and responsibilities – who will be responsible for managing the disruptive incident, and who is authorized to perform certain activities in case of a disruptive incident – e.g. activation of the plans, urgent purchases, communication with media, etc.

Key contacts – contact details for persons who will participate in the execution of the business continuity plan – this is usually one of the annexes of the plan.

Plan activation and deactivation – in which cases can the plan be activated, and the method of activation; which conditions need to exist to deactivate the plan.

Communication – which communication means will be used between different teams and with other interested parties during the disruptive incident. Who is in charge of communicating with each interested party, and the special rules of communication with media and government agencies.

Incident response – how to react initially to an incident in order to reduce the damage – this is very often an annex to the main plan.

Physical sites and transportation – which are the primary and alternative sites, where the assembly points are, and how to get from primary to alternative sites.

Order of recovery for activities – list of all the activities, with precise Recovery Time Objective (RTO) for each.

Recovery plans for activities – description of step-by-step actions and responsibilities for recovering manpower, facilities, infrastructure, software, information, and processes, including interdependencies and interactions with other activities and external interested parties – these are very often annexes to the main plan. To read more about them, see How to write business continuity plans?

Disaster recovery plan – this is normally a type of recovery plan that focuses on recovering the information and communication technology infrastructure. To read more about the relationship between disaster recovery and business continuity, see Disaster recovery vs business continuity.

Required resources – a list of all the employees, third-party services, facilities, infrastructure, information, equipment, etc. that are necessary to perform the recovery, and who is responsible to provide each of them.

Restoring and resuming activities from temporary measures – how to restore business activities back to business-as-usual once the disruptive incident has been resolved.

What I like about ISO 22301 is that it requires all the elements that are necessary for this plan to be useful in case of a disaster (or any other disruption in a company’s activities). However, no standard can help you unless you understand this task seriously – a properly written and comprehensive plan can save your company in tough times, while a superficially written plan will only make things worse.

Click here to see a sample Business Continuity Plan.

They are both essential elements of business continuity, and they sound quite similar. But their purpose is quite different.

What is RTO?

So, what does RTO mean? BS 25999-2, a leading business continuity standard, defines RTO as “…target time set for resumption of product, service or activity delivery after an incident”.

This actually means that RTO is crucial when implementing business continuity in a company – calculating how quickly you need to recover will determine what kind of preparations are necessary. For example, if RTO is 2 hours, then you need to invest quite a lot of money in a disaster recovery center, telecommunications, automated systems, etc. – because you want to be able to achieve full recovery in only 2 hours. However, if your RTO is 2 weeks, then the required investment will be much lower because you will have enough time to acquire resources after an incident has occurred.

RTO is determined during the business impact analysis (BIA), and the preparations are defined in the business continuity strategy. See also this article Five Tips for Successful Business Impact Analysis to learn more about RTO and BIA.

What is RPO?

Recovery point objective is a totally different thing – according to Wikipedia, RPO is “… the maximum tolerable period in which data might be lost”. As this is quite difficult to grasp right away, I like to use this example instead – ask yourself how much data you can afford to lose? If you are filling in a database with various kinds of information, is it tolerable to lose 1 hour of work, 2 hours or maybe 2 days? If you are writing a lengthy document, can you afford to lose 4 hours of your work, the whole day or perhaps you could bear if you lost your whole week’s job?

This number of hours or days is the RPO. Recovery Point Objective is crucial for determining one element of business continuity strategy – the frequency of backup. If your RPO is 4 hours, then you need to perform backup at least every 4 hours; every 24 hours would put you in a big danger, but if you do it every 1 hour, it might cost you too much.

So, what’s the difference?

The difference is in the purpose – RTO has a broader purpose because it sets the boundaries for your whole business continuity management, while RPO is focused solely on the issue of backup frequency. They are not directly related – you could have RTO of 24 hours and RPO of 1 hour, or RTO of 2 hours and RPO of 12 hours.

But let me emphasize what is even more important: what do RTO and RPO have in common? They are both crucial for business impact analysis and for business continuity management. Without determining them properly, you would be just guessing – and guessing is the best way to ensure you never recover from a disaster.

You can also check out our Business Impact Analysis Questionnaire which describes how to gather all information necessary for RTO and RPO (commercially sold document template).

Does it make sense to implement business continuity in smaller companies? Why would they need something as costly as this if the owner of the business has all the necessary information in his/her head?

Let me start with a story I heard recently – a small company (involved in the sales of various equipment to a large customer base) has been robbed – the thief broke into their office during the night and stole all the computers together with other valuable stuff. The problem is – the owner of this company backed up the data, but saved that backup on another computer in the same office. Very soon the company went bankrupt – they simply weren’t able to recover key information about their business.

This is a classic example of the syndrome “It is not going to happen to me” that the majority of small companies have.

Business continuity framework

Does this mean that small businesses need to invest in costly disaster recovery locations with high-availability equipment? Certainly not.

In some cases business continuity is really not needed because the owner of the business does have all the information in his/her head, but such cases are very rare – how many of those don’t have a laptop with various kinds of important information? Just thinking about how to make this information available in case of a disaster is already part of a business continuity effort.

Owners of small businesses need to think carefully about which information (and other resources) are important for their business, how to ensure that such information and other resources are available in case of a disaster, and which steps are needed to recover business activities in case a disaster occurs. These steps are nothing else but performing business impact analysis, business continuity strategy, and business continuity plans, like any larger company would do when implementing business continuity. All these are described in a leading business continuity standard – BS 25999-2.

How to prepare

Now the difference between small and the large businesses is in the complexity and the price of the preparations small companies need to do for business continuity:

• Backup of electronic data – small businesses can use some of the tools that backup the data from their computers almost instantly to the cloud. Of course, due care has to be taken that all the necessary data is included.
• Backup of paper-based documents – small businesses are now in a position to eliminate paper-based documents almost completely from their daily operations and transfer everything to electronic form; for rare cases where paper-based documents must exist, they can be scanned for the purposes of business continuity.
• Alternative office locations – in most cases it will be enough that employees continue business operations from their homes – the prerequisite would be that they have an Internet connection, laptops/PCs and passwords. If working from home is not appropriate, a hotel room can always be rented in less than an hour.
• Hardware – unless there is a special kind of computer used for a business, it is very easy to find an alternative – usually there is a private computer at home, or one can be borrowed from a relative; or one can be purchased at the computer shop next door.
• Workforce – now, this is probably the most difficult one – let’s suppose that an employee is not available, and he is the only one who knows certain information (e.g. administrative passwords, steps that need to be taken in an important project, etc.) – for such cases, the preparation would be to document all this information, so that it can be used without that employee being present. The other case would be if an employee is missing and no one else would have the time or the skills to do her job – in such case the preparation would be to identify upfront who would be available for hiring on a short notice to fulfill the missing employee’s job; of course, the key here is to identify someone with the right skills/qualifications.

To conclude: there is no difference between large organizations and small with regard to business continuity framework – they both have to think in detail what preparations they need to perform in order to survive a disaster. The difference is in the level of preparations – smaller businesses can make it with very little investment.

You can also check out our webinar BS 25999-2 Foundations Part 3: Business Continuity Planning (commercially sold training).

Your management has given you the task to implement business continuity, but you’re not really sure how to do it? Although it is not an easy task, you can use the BS 25999-2 methodology to make your life easier – here are the main steps necessary to implement this standard:

1. Obtain management support

Although this is not a mandatory step in BS 25999-2, this is certainly the crucial step in the beginning – if the management does not understand the benefits of business continuity and is not committed to this project, your project is most probably going to fail.

2. Treat it as a project

It will take quite a lot of time and resources to set up your business continuity management system (BCMS) – you have to define clearly what needs to be done, in which timeframe, and what are the roles in project implementation. In other words, you have to apply project management methods.

3. Define objectives and scope; write down a BCM Policy

You have to define what is it you want to achieve with the BCMS – compliance, decreasing the level of risk, requirements of your customers/partners etc. You also have to define what you are going to include in your BCMS – the whole organization, or just a part of it. For instance, you may decide that you are going to include only your data centre if you are providing hosting services to your customers. All of these have to be documented in the BCM Policy.

4. Defining roles and responsibilities for BCMS

Because the BCMS is going to become a permanent activity in your organization, you have to define clear responsibilities for it, especially for the “sponsor” of the BCMS (someone accountable for the BCMS but not engaged in day-to-day BCMS activities) and “BCM coordinator”, “BCM manager” or something similar to it – one or more persons with active duties regarding the BCMS. It is the best to document these roles and responsibilities in your BCM Policy.

5. Implement mandatory procedures

BS 25999-2 requires the following four mandatory procedures to be implemented: document and records control, internal audit, preventive and corrective actions – these procedures are actually the foundation of your management system, similarly to ISO 27001 or ISO 9001.

6. Perform business impact analysis and risk assessment

Through business impact analysis you have to indentify the critical activities, their maximum tolerable period of disruption, the dependencies of those critical activities (including dependencies to suppliers and outsourcing partners), and set recovery time objectives.

By doing the risk assessment you actually find out what could be the causes to the disruption of your critical activities – those could be natural, but also man-made activities (either malicious or accidental). You would also need to do risk treatment, which means you need to decide how to decrease the possibility of something going wrong. Unfortunately, the risk assessment and treatment are not very well defined in this standard, so you might take a look at ISO 27001 which describes them in more detail.

7. Determining the business continuity strategy

Before you proceed with writing business continuity plans, you actually have to determine which resources you will need for resuming your critical activities – which people, locations, data, hardware, software, suppliers, outsourcing partners etc.

The business continuity strategy has to determine not only what you need, but also how you are going to provide those resources.

8. Developing incident management plans and business continuity plans

The purpose of incident management plans is to describe how you are going to respond directly to the occurrence of an incident (e.g. fire, earthquake, bomb threat, power failure etc.) in order to prevent it to spread, and to try to decrease its direct effects.

On the other hand, the purpose of business continuity plans is to describe how you are going to recover your critical activities – how you are going to put all the resources you have prepared into action. This means you have to describe who is going to do what, in which time, using which data and technology, in order to put your organization back into operation.

All of these plans have to be described in detail, because they must be executed even in case the main personnel is not available – therefore, they have to be written in such a way that somebody else would be able to execute them.

9. Training and awareness

You need to define the level of competence needed for the execution of business continuity plans in case of disruption, and then train all the personnel (both employees and external partners) to reach this level of competence.

However, this is not enough – you also need to explain to your personnel why BCM is necessary. Let’s face it – your business continuity plans will be used maybe only once in a life time, so most people consider it as a waste of time. Therefore, you have to explain to them why such a thing must exist. (See also How to deal with BCM sceptics)

10. BCMS exercising

If you thought you have written your plans perfectly, you are probably wrong – it is almost impossible to write a plan with no errors right at the beginning. This is why exercising is a mandatory part of BCMS – you have to test your plans in a situation that more or less resembles a real disruption. Only then will you find out what you planned well, and what you didn’t.

11. Maintaining and reviewing the BCMS

Another way to keep your BCMS up-to-date is by defining the intervals at which you will review your business continuity plans, but also other arrangements (e.g. contracts with suppliers and outsourcing partners, training and awareness etc.). There are all sorts of changes in the environment that are threatening your documentation to become obsolete – it is enough for an employee to leave the company to have an unusable telephone number in a plan if that person had a role in the BCMS.

It is also mandatory to perform post-incident review if an incident really occurred – the purpose is to find out how the organization really reacted – did it follow the plans or not.

12. Internal audit

The purpose of internal audit is to find out if there is something wrong, in an objective manner – the internal auditor should be a person who can find out if something is done wrong within your BCMS in order to correct it. If done properly, internal audit could be one of the best ways to improve your BCMS. (Read Dilemmas with ISO 27001 & BS 25999-2 internal auditors)

13. Management review

As said before, it is very important to get your management involved in the project – management review is designed exactly for that. The standard requires the management to examine all the relevant facts about BCM and decide whether it has fulfilled its purpose. Once that is done, the management has to decide which improvements must be made.

14. Preventive and corrective actions

The best thing would be to prevent mistakes (or in terms of BS 25999, the “non-conformities”) from happening – this is what the preventive actions are used for – they are a systematic way of correcting things before a problem occurs. Similar to preventive actions, there are also corrective actions which resolve the problem that has already occurred.

Now the question is – why would you use BS 25999-2? Although it is (still) not an international standard, it is the most popular standard for business continuity worldwide – the abovementioned steps are designed by the best business continuity experts, so if you want to implement the best accepted practices for business continuity, you have to look no further.

Here you can download the diagram of BS 25999-2 implementation process showing all these steps together with the required documentation (registration required).