Should your organisation choose to produce their business continuity management system using the ISO 22301 standard for either accreditation (as required by the Department for Education, education and skills funding contract requirements) or for compliance then it would make sense to use the same standard to guide the production of your disaster recovery management system to ensure business requirements can be followed through by senior leadership and both internal and external auditors to ensure KPIs can be met.
Any integrated management system documentation would also benefit from using the Annex SL which provides document guidance for most of the standards your organisation may choose to adopt (ISO 9001, 22301, 27001, 14001 et al.)
The leading requirements of the disaster recovery policy documentation should include:
Leadership and commitment.
The chain of responsibility should be easy to navigate both in the conduct of any disaster recovery process and in the absence of any person at any specific layer of responsibility or task. This will ensure that all operators can quickly and accurately direct reports of their actions and any problems or requirements for additional resources to an authoritative level.
Demonstrating leadership can be met by keeping all of those that would be involved in operating the disaster recovery process involved in the planning, production, and output of the policy. Those closest to the task often have better knowledge about potential problems or common workarounds that may only reside in the operators’ head and would benefit from being properly documented.
Demonstrating commitment can usually be done by involving all staff in scenario limited exercises, often these can be desk-based exercises to reduce the impact on production systems. Where a test of a physical system is required, i.e., fail-over of the network, recovery from a backup then often a more tangible outcome can be measured and reported upon.
Reviewing the solutions designed to ensure a swift return to service will allow for problems to be identified, new solutions can then be identified and fed into a new version of the disaster recovery plan.
Maintaining an evidence base of the above should also be done, minutes of meetings, records of training undertaken by team members, requests for additional resources if made, and all communications to the business would be suitable examples.
Actions to address risks and opportunities:
Identify from the higher business continuity management system the context of the organisation, generally education, but are there dependencies that may not be supported by the internal IT service? These may be legal requirements or perhaps a priority of service recovery that is at odds with the established perception. i.e, a health and safety requirement.
Do you have residences on site? Many independent specialist colleges will have students resident that have high(er) dependency needs or medical equipment within their accommodation, it is likely that this will have local protective equipment, but does the recovery time objective fall with the maximum parameters of this protective equipment?
Addressing risks and opportunities
Once all risks and opportunities have been identified, specifying the actions required should be done. Few ISO standards mandate that a risk assessment and risk treatment document should exist, but Jisc strongly recommends it. Many Jisc members will be achieving the Cyber Essentials accreditation. This is a good baseline to reduce the exploitable inroads for service outage attacks, it does, however, only address 4 areas of the National Cyber Security Centre’s 10 steps to cyber security. Alternatively, staying with integrated management systems the control set listed either are Annex A to the ISO 27001 or the fuller content within the ISO 27002 documentation could be used to generate a risk assessment.
All risks will or should have an associated risk mitigation plan, the mitigation should help identify any underlying dependencies that require prior resolution.
A full understanding of the risks and their treatments can then be turned into a operations plan, this will particularly help with identifying the scope of the resource required to meet the higher level KPIs and whether the people element of this resource require additional skills. Jisc has a self-help skills assessment matrix that can be used to score and identify gaps, if this would be useful, please contact your Jisc relationship manager who can be found here.
Next in series: Supporting your disaster recovery plan.
Further resources:
Training for ISO 22301 accreditation can be brokered through Jisc Training, courses available can be viewed at the IT Governance website.
Reading:
Business continuity management system, Kogan Page, ISBN: 978-0-7494-6911-5
ISO 22301:2019 and business continuity management, ITgp, ISBN: 978-1-78778-299-0