This is the first of a series of related blogs posts, more to follow soon.
Business continuity and disaster recovery planning is essential to ensuring the organisation can recover from an effect that impacts the business delivery processes.
Business continuity planning is a senior leadership responsibility as it should have contingencies for all functional areas of the business such as estate, people, service delivery or supply interruption and potential reputational damage. Each impact area should have a defined contingency plan to deal with the incident. Each of these plans should also have been subjected to desk based scenario limited exercises at their inception and at least annually thereafter. Using a trusted methodology such as the:
Plan-Do-Check-Act
To ensure a cyclic model of test and review that allows for lessons learnt to be used to inform a revised and more proficient contingency plan as the business model changes or previously unknown variables are identified or appear unexpectedly from off-stage.
The contingency plan(s) for each potentially impacted business area should have identifiable key performance indicators for the sub-ordinate service managers to use to identify how their teams will respond, this will be particularly relevant for IT support teams possibly due to the divergent services offered and the differing geographical locations from which they are delivered. Recovering services should be prioritised based on the wider business need, obviously a base infrastructure will need to be bought online first, but the competing priorities of the IT service users should fit the business need, not placate the department that shouts loudest.
In a commercial organisation, always on is expected and for many organisations the service will be under a continuous load with little variance. Some however will have calendar-based peaks (i.e., Amazon Black Friday et al), the academic requirement is also an example of this, annual student recruitment and exam periods will be especially important, outages at these will have severe knock-on effects.
Business continuity plans are part of the wider group of integrated management systems that an organisation could choose to adopt, all of these are heavily reliant on the organisational It service delivery and the ‘always on’ expectations of availability. Examples are:
- ISO 14001 Environmental management systems
- ISO 22301 Security and resilience – Business continuity management systems.
So why do I need to take on ISO 22301 business continuity, the short answer is that it has been mandated as part of the Department for Education contract for those Jisc members that receive Education and Skills funding agency (ESFA) money. The requirement is detailed in schedule 7, paragraph 1.15 of the contract, link to the sector contracts for Higher, Further, Skills, et al delivery partners is here, scroll to page 9 of the Schedule of changes document. This statement is replicated in all the other contract documents for all other sector delivery partners eligible to receive the ESFA monies. The text reads:
1.15 Notwithstanding any other provisions as to business continuity and disaster recovery in the Agreement, the College will, as a minimum, have in place robust Business Continuity arrangements and processes including IT disaster recovery plans and procedures that conform to ISO 22301 to ensure that the delivery of the Agreement is not adversely affected in the event of an incident. An incident will be defined as any situation that might, or could lead to, a disruption, loss, emergency or crisis to the Services delivered. If an ISO 22301 certificate is not available, the College will provide evidence of the effectiveness of their ISO 22301 conformant Business Continuity arrangements and processes including IT disaster recovery plans and procedures. This should include evidence that the College has tested or exercised these plans within the last twelve (12) months and produced a written report of the outcome, including required actions.
It is a clear requirement in that it mandates that the business continuity plan is written to the ISO22301 standard and if no ISO22301 certificate is held then evidence of the business continuity and disaster recovery plan along with evidence of tests or exercises. In the case of a service interruption then the forensic analysis of this including the outcome and further actions are to be documented. It is a little bit vague in the purpose of the documentation, however it does suggest, in the absence of an ISO 22301 certified accreditation that it should be sent to the Department of Education. As a minimum it should be scrutinised by internal and external auditors.
As an element of the business continuity plan, IT Disaster Recovery is explicitly identified in the amended clause and as a technology focussed organisation, we’ll focus on this area in later Blogs, however the next Blog in this series will concentrate on the components of a Business Continuity management system and how they apply to the development of your Disaster recovery plan.
Further resources:
Training for ISO 22301 accreditation can be brokered through Jisc Training, courses available can be viewed at the IT Governance website.
Reading:
Business continuity management system, Kogan Page, ISBN: 978-0-7494-6911-5
ISO 22301:2019 and business continuity management, ITgp, ISBN: 978-1-78778-299-0