ISO IEC 27031:2011 pdf – Information technology一Security techniques一Guidelines for information and communication technology readiness for business continuity.
5.4 Outcomes and benefits of IRBC
The benefits of effective IRBC for the organization are that it:
a) understands the risks to continuity of ICT services and their vulnerabilities.
b) identifies the potential impacts of disruption to ICT services;
c) encourages improved collaboration between its business managers and its ICT service providers (internal and external);
d) develops and enhances competence in its ICT staff by demonstrating credible responses through exercising ICT continuity plans and testing IRBC arrangements;
e) provides assurance to top management that it can depend upon predetermined levels of ICT services and receive adequate support and communications in the event of a disruption;
f) provides assurance to top management that Information security (confidentiality, integrity and availability) is properly preserved, ensuring adherence to information security policies;
g) provides additional confidence in the business continuity strategy through linking investment fri IT solutions to business needs and ensunng that ICT services are protected at an appropriate level given thefr importance to the organization;
h) has ICT services that are cost-effective and not under- or over-invested through an understanding of the level of its dependence on those ICT services; and the nature, location, interdependence and usage of components that make up the ICT services:
i) can enhance Its reputation for prudence and efficiency;
j) potentially gains competitive advantage through the demonstrated ability to deliver business continuity and maintain product and service delivery in times of disruption; and
k) understands and documents stakeholders’ expectations and their relationships with, and use of, ICT
Thus IRBC provides a meaningful way to determine the status of an organization’s ICT services In supporting its business continuity objectives by addressing the question is our ICT capable of responding’ rather than is our ICT secure’.
5.5 EstablIshIng IRBC
IRBC Is likely to be more efficient and cost effective when designed and built into ICT services from their inception as part of an IRBC strategy which supports the organization’s BC objectives. This ensures that ICT services are better built, better understood and more resilient. Retrofitting IRBC can be complex, disruptive and expensive.
The organization should develop, implement, maintain and continually improve a set of documented processes which will support IRBC.
These processes should ensure that: the IRBC objectives are clearly stated, understood and communicated, and top management’s commitment to IRBC is demonstrated.
Figure 5 presents graphically the activities in the different stages of IRBC.
The IRBC policy should provide the organization with documented principles to which it will aspire and against which its IRBC effectiveness can be measured. It should:
a) Estableh and demonstrate commitment of top management to an IRBC program:
b) Include or make reference to the organization’s IRBC objectives;
c) Define the scope of IRBC including limitations and exclusions;
d) Be approved and signed off by top management;
e) Be communicated to appropnate internal and external stakeholders;
f) Identity and provide relevant authorities for the availability of resources such as budget; personnel necessary to perform activities in line with the IRBC policy; and
g) Be reviewed at planned intervals and when significant changes, such as environmental changes, change of an organization’s business and structure, occur.
6 IRBC Planning
6.1 General
The main oplective of the planning phase is to establish the organization’s ICT readiness requirements. including:
a) the IRBC strategy and IRBC Plan that are required to support the business, legal, statutory and regulatory requirements relating to the defined scope and the achievement of the organization’s business continuity aims and objectives: and
b) the performance criteria needed by the organization to monitor the degree of ICT readiness it requires to achieve those aims and objectives.
6.2 Resources
6.2.1 General
As part of the policy mandate, the organization should define the need for an IRBC Program as part of Its overall BCM objectives and, in addition, determine and provide the resources needed to establish, implement, operate and maintain such an IRBC program.
IRBC roles, responsibilities, competencies and authorities should be defined and documented. Top management should:
a) appoint or nominate a person with appropriate seniority and authority to be accountable for IRBC policy and implementation; and
b) appoint one or more competent persons, who, irrespective of other responsibilities, should implement and maintain the IRBC managemeni system as descnbed in this International Standard.
6.2.2 Competency of IRBC staff
The organization should ensure that all personnel who are assigned IRBC responsibilities are competent to perform the required tasks. Refer to 7.2.1 for details.