
BS 25777:2008 Information and communications technology continuity management. Code of practice

In most organisations, the processes that deliver products and services depend on information and communication technology (ICT). Disruption to ICT can therefore be a huge risk and can damage your organisation's ability to operate and undermine its reputation. The consequences of a disruptive incident vary and can be far-reaching, and might not be immediately obvious at the time. BS 25777 will help your organisation plan and implement an ICT continuity strategy.

Sample content - BS 25777: 2008 Information and communications technology continuity management. Code of practice

Contents

Foreword

Introduction

  1. Scope
  2. Terms and definitions
  3. ICT continuity programme management
  4. Understanding the ICT requirements for business continuity
  5. Determining ICT continuity strategies
  6. Developing and implementing ICT strategies
  7. Exercising and testing
  8. Maintenance, review and improvement

Annexes

Annex A (informative) ICT continuity management milestones

Bibliography

List of figures

Figure 1 – Relationship between ICT continuity management and business continuity management

Figure 2 – Elements of ICT service recovery

Figure A.1 – Key ICT continuity management timescales

Introduction

ICT continuity management and its relationship with business continuity management

In most organizations, the processes that deliver products and services depend on information and communication technology (ICT). Disruption to ICT can therefore constitute a strategic risk, damaging the organization's ability to operate and undermining its reputation. The consequences of a disruptive incident vary and can be far-reaching, and might not be immediately obvious at the time.

ICT continuity management supports the overall business continuity management (BCM) process of an organization. BCM seeks to ensure that the organization's processes are protected from disruption and that the organization is able to respond positively and effectively when disruption occurs. The organization sets out its BCM priorities, and it is within this context that ICT continuity management activities take place. ICT continuity management ensures that the required information and communications technology and services are resilient and can be recovered to predetermined levels within timescales required by and agreed with the top management. Thus, effective BCM depends on ICT continuity management to ensure that the organization can meet its objectives at all times, particularly during times of disruption. To be successful, both BCM and ICT continuity management have to become embedded within the organization’s culture (see Figure 1).

BCM and ICT continuity management form an important element of effective management, sound governance and organizational prudence. Top management is responsible for maintaining the ability of the organization to continue to function in the face of disruption. Many organizations also have a statutory or regulatory duty to maintain effective risk-based controls including BCM.

(Figure 1 is not shown here)

ICT continuity management and organizational strategy

ICT continuity management is integral to both ICT strategy and ICT service management, which align to organizational strategy. It is the element of ICT strategy and service management that enables an organization to continue to meet its goals and deliver its products and services when adverse conditions occur.

Benefits of effective ICT continuity management

All activity is susceptible to disruption from internal and external events, such as technology failure, fire, flood, utility failure, illness and malicious attack. ICT continuity management provides resilience to prevent ICT disruptions and to recover when disruptions occur.

The benefits of effective ICT continuity are that the organization:

  • understands the threats to, and vulnerabilities of, ICT services;
  • identifies the potential impacts of disruption to ICT services;
  • encourages improved collaboration between its business managers and its ICT service providers (internal and external);
  • develops and enhances competence in its ICT staff by demonstrating credible responses through exercising ICT continuity plans and testing ICT continuity arrangements;
  • provides assurance to top management that it can depend upon predetermined levels of ICT services and receive adequate support and communications in the event of a disruption;
  • provides additional confidence in the business continuity strategy through linking investment in ICT solutions to business needs and ensuring that ICT services are protected at an appropriate level given their importance to the organization;
  • has ICT services that are cost-effective and not under- or over-invested through an understanding of:
    • the level of its dependence on those ICT services; and
    • the nature, location, interdependence and usage of components that make up the ICT services;
  • can enhance its reputation for prudence and efficiency;
  • potentially gains competitive advantage through the demonstrated ability to deliver business continuity and maintain product and service delivery in times of disruption; and
  • understands and documents stakeholders' expectations and their relationships with, and use of, ICT services.

ICT continuity is more easily achieved and is likely to be less costly when designed and built into ICT services from their inception as part of ICT strategy. This ensures that ICT services are better built, better understood, cheaper and easier to maintain. Retrofitting ICT continuity can be complex, disruptive and expensive. The content of an ICT continuity plan will be influenced by an organization's risk appetite.

Focus of ICT continuity management

ICT continuity management focuses not only on the likelihood and impact of disruptive incidents, but also on the ability of the organization to detect and respond to the occurrences of such incidents. This requires the organization to monitor its ICT services to ensure that:

  • they are resilient and recoverable at the appropriate level;
  • any unexpected event within a service is detected, addressed and investigated in a timely manner;
  • the dependencies between ICT services and external factors are known and used in assessing risk and the impact of change; and
  • dependencies on the technical components are known and used in assessing risk and the impact of change.

ICT continuity management processes and solutions are also intended to ensure that legal obligations (such as to protect personal and otherwise sensitive data) are not breached.

Principles of ICT continuity management

ICT continuity is based around six key principles:

a) Protect: Protecting the ICT environment from incidents, failures and disruptions by improving the resilience of ICT services is critical to maintaining the desired levels of service availability for an organization.

b) Detect: Detecting incidents at the earliest opportunity will minimize the impact to services, reduce the recovery effort, and preserve the quality of service.

c) React: Reacting to an incident in the most appropriate manner will lead to a more efficient recovery and minimize any downtime. Reacting poorly can result in a minor incident escalating into something more serious.

d) Recover: Identifying and implementing the appropriate recovery strategy will ensure the timely resumption of services and maintain the integrity of data. Understanding the recovery priorities allows the most critical services to be reinstated first. Services of a less critical nature may be reinstated at a later time or, in some circumstances, not at all.

e) Operate: Running in ICT disaster recovery mode until return to normal is possible. This might require some time and necessitate "scaling up" ICT disaster recovery operations to support increasing business volumes needing to be serviced over time.

f) Return: Devising a strategy for every ICT continuity plan that allows an organization to migrate back from ICT disaster recovery mode to a position where it can support normal business.

Elements of an ICT service

The key elements of an ICT service can be summarized as follows (see also Annex A).

a) People: the specialists (including their deputies) with appropriate skills and knowledge;

b) Premises: the physical environment in which ICT resources are located;

c) Technology:

i) the racking, servers, storage arrays, tape devices, other hardware and other permanent fixtures;

ii) network, including data connectivity and voice services, including switches and routers;

iii) software, including operating system software and application software, links or interfaces between applications and batch processing routines;

d) Data: application data, voice data and other types of data;

e) Processes: including supporting documentation to describe the configuration of ICT resources and enable the effective operation, recovery and maintenance of ICT services; and

f) Suppliers: other components of the end-to-end services where ICT service provision is dependent upon an external service provider or another organization within the supply chain, e.g. a financial market data provider, telecoms carrier or internet service provider.
