IEC INTERNATIONAL 27031 STANDARD (PDF)
ISO/IEC 27031 was originally intended to be a multi-part standard but changed to two parts (a formal specification plus a guideline) and finally produced a single part (just the guideline) which was published in 2011.
ISO/IEC 27031:2011 describes the concepts and principles of information and communication technology (ICT) readiness for business continuity, and provides a framework of methods and processes to identify and specify all aspects (such as performance criteria, design, and implementation) for improving an organization's ICT readiness to ensure business continuity. It applies to any organization (private, governmental, and non-governmental, irrespective of size) developing its ICT readiness for business continuity (IRBC) program, and requiring its ICT services/infrastructures to be ready to support business operations in the event of emerging events and incidents, and related disruptions, that could affect the continuity (including security) of critical business functions. It also enables an organization to measure performance parameters that correlate to its IRBC in a consistent and recognized manner.
The scope of ISO/IEC 27031:2011 encompasses all events and incidents (including security related) that could have an impact on ICT infrastructure and systems. It includes and extends the practices of information security incident handling and management and ICT readiness planning and services.
Many organizations struggle to define the best method to meet business expectations regarding information technology (IT) recovery. ISO 27031 provides guidance to business continuity and IT disaster recovery professionals on how to plan for IT continuity and recovery as part of a more comprehensive business continuity management system (BCMS). The standard helps IT personnel identify the requirements for Information and Communication Technology (ICT) and implement strategies to reduce the risk of disruption, as well as recognize, respond to and recover from a disruption to ICT.
ISO 27031 introduces a management systems approach to address ICT in support of a broader business continuity management system, as described in ISO 22301. ISO 27031 describes a management system for ICT readiness for business continuity (IRBC). An IRBC is a management system focused on IT disaster recovery. IRBC uses the same Plan-Do-Check-Act (PDCA) model as the business continuity management system described in ISO 22301. The objective of IRBC is to implement strategies that will reduce the risk of disruption to ICT services as well as respond to and recover from a disruption. Business continuity and IT professionals will find the use of the PDCA model very familiar but with necessary changes to support recoverability of ICT based on business requirements and expectations.
As a guidance standard, ISO 27031 does not offer certification the way ISO 22301 does, but its management system follows many of the same steps that experienced preparedness professionals are used to implementing in business continuity planning. The following diagram displays the IRBC management system detailed in ISO 27031.
IRBC Management Systems

ISO 27031 uses the same basic PDCA management system used in ISO 22301 but adapts it to fit the technical nature of IRBC. In addition to technical changes to PDCA, ISO 27031 also relies on the Business Impact Analysis (BIA) conclusions developed and approved as part of the broader BCMS for an organization. For IRBC, the PDCA management system is broken down the following way:
In order to be effective, ISO 27031 states that the IRBC strategies described above need to incorporate six components into monitoring for, responding to and recovering from disruptions to information and communication technology. The six components are:
Strategies that reduce the risk of a disruption will not fully eliminate the possibility of a disruption to information and communication technology. IT staff implement strategies and draft plans to overcome residual risk when disruptive incidents become reality. Response and recovery plan documentation is required to ensure personnel understand the activities necessary to meet business expectations. ISO 27031 includes many of the same considerations that are used in ISO 22301, including plan purpose and scope, defined roles and responsibilities, alternate personnel, plan invocation criteria, and contact information.
The IRBC program detailed in ISO 27031 assists IT and business continuity professionals, together with their program sponsors, in maintaining effective ICT resiliency. By implementing an IRBC management system, IT and business continuity professionals help their organization to monitor for, respond to and recover from a disruption to ICT. ISO 27031 applies and adapts the BCM concepts described in ISO 22301 to assist with reducing the risk of disruptions to information and communication technologies, as well as to the business as a whole.
In this context, the ISO 27031 standard describes how to use the PDCA (Plan-Do-Check-Act) cycle to put in place a systematic process to prevent, predict, and manage incidents that have the potential to disrupt ICT services. By doing so, this standard supports both Business Continuity Management (BCM) and Information Security Management (ISM). By its nature, ISO 27031 is well suited to addressing control A.17.2.1 of ISO 27001 (Availability of information processing facilities).
It is true that the term disaster recovery is not an official ISO term, and consequently its meaning is not universally accepted. However, most IT professionals identify this term with the ability to recover the IT infrastructure in case of a disruption. Therefore, ISO 27031 is the best fit amongst the ISO standards for exactly this purpose. (See also: Disaster recovery vs. Business continuity.)
ISO 27031 is a standard for IT disaster recovery. It's an international standard that specifies how to plan, implement, and maintain disaster recovery systems. The purpose of ISO 27031 is to help organisations ensure that their business continuity plans are able to deal with any type of disaster. The standard also helps companies develop a consistent approach to planning and implementing their disaster recovery plans.
A management systems approach to ICT in support of a business continuity management system, as stated in ISO 22301, is introduced in ISO 27031. This system is known as an ICT readiness for business continuity (IRBC) management system.
Although organisations cannot be certified in ISO 27031 like they can in ISO 22301, the management system follows many of the same procedures that experienced preparation experts are used to adopting with business continuity planning.
ISO 27031 is based on the ISO 22301 PDCA management system but is tailored to the more technical aspects of IRBC. In addition to the technical adjustments to PDCA, ISO 27031 depends on the results of the Business Impact Analysis (BIA) performed and accepted as part of the organisation's larger BCMS. The PDCA management system for IRBC is summarised as follows:
ICT is widely used among organisations that rely heavily on it to perform critical business functions. Some of the activities that ICT supports are incident management, business continuity, disaster recovery and emergency management. The importance of ISO 27031 is that it sets guidelines to implement these activities as a part of your organisation's continuity plan.
ISO 27031 specifies that the aforementioned IRBC plans need to have six components to effectively monitor for, respond to, and recover from interruptions to information and communication technologies. These six factors are:
ISO 27031 provides guidance for an IRBC programme that helps IT and business continuity experts keep their ICT systems resilient. Organisations that follow it are better prepared to respond to and recover from an information and communication technology outage. ICT and business continuity are both vulnerable to interruptions; ISO 27031 utilises and modifies the BCM ideas established in ISO 22301 to help mitigate this risk.
The International Organization for Standardization (ISO) is an independent nongovernmental organization and the world's largest developer of voluntary international standards. The International Electrotechnical Commission (IEC) is the world's leading organization for the preparation and publication of international standards for electrical, electronic, and related technologies.
The international acceptance and applicability of ISO/IEC 27001 is the key reason why certification to this standard is at the forefront of Microsoft's approach to implementing and managing information security. Microsoft's achievement of ISO/IEC 27001 certification underscores its commitment to making good on customer promises from a business and security compliance standpoint. Currently, both Azure Public and Azure Germany are audited once a year for ISO/IEC 27001 compliance by a third-party accredited certification body, providing independent validation that security controls are in place and operating effectively.
Compliance with these standards, confirmed by an accredited auditor, demonstrates that Microsoft uses internationally recognized processes and best practices to manage the infrastructure and organization that support and deliver its services. The certificate validates that Microsoft has implemented the guidelines and general principles for initiating, implementing, maintaining, and improving the management of information security.
ISO 27001 is currently the most widely adopted international information security standard and is used by organizations all over the world. By following ISO 27001, organizations can be confident that their ISMSes are up to date and comply with current best practices.
Understand and prioritize the threats to your business with the international standard for business continuity. ISO 22301 specifies the requirements for a management system to protect against, reduce the likelihood of, and ensure your business recovers from disruptive incidents.