Skip to content

Page354

Specific BCP/DRP Frameworks

Given the patchwork of overlapping terms and processes used by various BCP/DRP frameworks, this chapter focused on universal best practices, without attempting to map to a number of different (and sometimes inconsistent) terms and processes described by various BCP/DRP frameworks.

A handful of specific frameworks are worth discussing, including NIST SP 800-34, ISO/IEC-27031, and BCI.

NIST SP 800-34

The National Institute of Standards and Technology (NIST) Special Publication 800-34 Rev. 1 “Contingency Planning Guide for Federal Information Systems” may be downloaded at https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf. The document is of high quality and in the public domain. Plans can sometimes be significantly improved by referencing SP 800-34 when writing or updating a BCP/DRP.

ISO/IEC-27031

ISO/IEC-27031 is a new guideline that is part of the ISO 27000 series, which also includes ISO 27001 and ISO 27002 (discussed in Domain 2: Asset Security). ISO/IEC 27031 focuses on BCP (DRP is handled by another framework; see below).

The formal name is “ISO/IEC 27031:2011 Information technology—Security techniques—Guidelines for information and communication technology readiness for business continuity.” According to https://www.iso27001security.com/html/27031.html, ISO/IEC 27031 is designed to:

  • “Provide a framework (methods and processes) for any organization—private, governmental, and nongovernmental;
  • Identify and specify all relevant aspects including performance criteria, design, and implementation details, for improving ICT readiness as part of the organization’s ISMS, helping to ensure business continuity;
  • Enable an organization to measure its continuity, security and hence readiness to survive a disaster in a consistent and recognized manner” [20].

Terms and acronyms used by ISO/IEC 27031 include:

  • ICT—Information and Communications Technology
  • ISMS—Information Security Management System

A separate ISO plan for disaster recovery is ISO/IEC 24762:2008, “Information technology—Security techniques—Guidelines for information and communications technology disaster recovery services.” More information is available at https://www.iso.org/standard/41532.html.