BS ISO IEC 27031:2011 pdf – lnformation technology-Security techniques —Guidelines for information and communication technology readiness for business continuity.
5.4 Outcomes and benefits of IRBC
The benefits of effective IRBC for the organization are that it:
a) understands the risks to continuity of ICT services and their viinerabilities:
b) Identifies the potential impacts of disruption to ICT services:
C) encourages improved collaboration between its business managers and its ICT service providers (internal and external):
d) develops and enhances competence in its ICT staff by demonstrating cxedible responses through exercising ICT continuity plans and testing IRBC arrangements:
e) provides assurance to top management that it can depend ton predetermined levels of ICT services and receive adequate support and communications In the event of a disruption:
1) provides assurance to top management that information security (confidentiality, integrity and availability) is property preserved, ensuring adherence to information security policies;
9) provides additional confidence in the business continuity strategy through linking Investment In IT solutions to business needs and ensuring that ICT services are protected at an appropriate level given their importance to the organization;
h) has ICT services that are cost-effective and not under- or over-invested through an understanding of the level of its dependence on those ICT services: and the nature, location, interdependence and usage of components that make up the ICT services;
i) can enhance its reputation for prudence and efficiency;
j) potentially gains competitive advantage through the demonstrated ability to deliver business continuity and maintain product and service delivery in times of disruption; and
k) understands and documents staketiolders’ expectations and their relationships with, and use of, ICT services.
Thus IRBC provides a meaningful way to determine the status of an organization’s ICT services In supporting Its business continuity objectives by addressing the question “Is our ICT capable of responding” rather than is our ICT secure”
5.5 Establishing IRBC
IRBC is likely to be more efficient and cost effective when designed and built into ICT services from their inception as part of an IRBC strategy which supports the organization’s BC objectives. This ensures that ICT services are better built, better understood and more resilient. Retrofitting IRBC can be complex, disruptive and expensive,
The organization should develop, implement, maintain and continually improve a set of documented processes which will support IRBC.
These processes should enstwe that: the IRBC objectives are clearty stated, understood and communicated. and top managements commitment to IRBC is demonstrated.
Figure 5 presents graphically the activities in the different stages of IRBC
5.6Using Plan Do Check Act to establish lRBC
IRBC involves the organization in establishing processes to develop and enhance its key lRBC elements(see 5.2) to improve their capability to respond to any type of disruption,including changing risk situationsthrough the use of the Plan-Do-Check-Act (PDCA) approach. Figure 5 presents graphically the activities in thedifferent stages of lRBC.
5.7 Management Responsibility
5.7.1 Management leadership and commitment
To be effective an lRBC program should be a process fully integrated with the organization’s managementactivities, driven from the top of the organization, endorsed and promoted by top management. A number ofprofessional lRBC practitioners and staf from other management disciplines and departments may berequired to support and manage the lRBC program. The quantity of resources required to support such aprogram will be dependent upon the size and complexity of the organization.
5.7.2IRBC policy
The organization should have a documented lRBC policy. Initally,this may be at a high level with furtherrefinement and enhancement as the entire IRBC process matures.The policy should be regulary reviewedand updated in line with organization needs and should be consistent with the wider organizational BCM objectives.