A Guide To Understanding Disaster Recovery Standards

If you’re looking to build your first disaster recovery (DR) plan, or even start your first DR program, taking a look at established disaster recovery and business continuity (BC) standards can be a useful place to begin. However, navigating your way through the myriad of international and industry standards available online can be also difficult and confusing. While there is no shortage of suppliers willing to offer DR and BC assistance, understanding disaster recovery standards can go a long way towards helping you launch or sustain a DR program on your own.

DR and BC standards come in four main categories:

1. Government “Publications”

This category covers legislative and statutory DR and BC requirements aimed at government departments and agencies. These sets of standards provide the basis for disaster recovery audits and reviews of each department and agency, but they also serve as voluntary standards for comparable situations in the private sector.

The titles of the standards themselves often read like secret code. In the U.S. there’s Title IX, NIST 800-34, and NFPA 1600, while Canada offers the Emergency Management and Civil Protection Act and the equivalent CSA Z1600. Generally speaking, government standards center on business continuity concerns, prescribing which activities the department or agency needs to maintain, but without providing many specific details as to how to achieve that BC program.

2. Industry Regulations

These are government-sponsored and mandated DR and BC standards that apply to the most visible and information-sensitive private sector industries – banking, securities trading, health care, and telecommunications. These standards were created mostly in reaction to consumer protection pressures: for example, guaranteeing that investors have access to their brokerage investments within 48 hours of a disruption, or that personal health records remain private yet continuously accessible. Trade associations representing some of these sectors may also impose their own corresponding “DR-related” standards on their members (e.g. PCI or INTERAC for payment card processors). You may encounter such names as the Basel Accord for international banking, SSAE 16 (SEC rules for US publicly traded companies), IDA for securities, and HIPAA for the mostly private US health care industry.

3. International Guidelines & Standards

The British Standards Institution and ISO provide corresponding national and international standards for DR and BC, known by their designations BS 25999, ISO 22301, ISO 22313, and ISO/IEC 27031, among others. These documents can be very useful for providing a framework for a DR audit, since they are relatively brief and focus on standard BC practices – the need for a BC program, a program leader, policies, typical project definitions and so on. They are less useful for the nuts and bolts of sitting down and writing a DR plan in the first place.

4. Credentialing Organizations for BC and DR + related IT Areas

Body of Knowledge “standards” created directly by DR and BC professionals can be much more useful for the practitioner striving to learn more about DR, or “organizational resilience”, which has become the community’s new buzzword for DR. These DR credentialing organizations and their publications include DRI’s 10 Professional Practices, the Business Continuity Institute’s Good Practice Guidelines, the Axelos ITIL Service Design book (IT Service Continuity Management), and ISACA’s COBIT 5 (Control Objectives for Information and Related Technology).

It’s important to remember that with IT changing and morphing constantly, many of the DR and BC standards that focus on emergency preparedness need to be continuously adapted and extended for use in the fast-moving world of technology. The good news is that understanding disaster recovery standards is worthwhile because the DR/BC standard-makers are increasingly addressing new and changing risk realities, as well as information and communications technology (ICT) marketplace offerings.

The not-so-good news is that each business has unique BC and DR issues, because its combination of applications, systems and platforms is rarely the same as any other’s. There is no one-size-fits-all DR solution, and while standards can provide guidelines, each individual business is best served by a “customized” DR/BC plan made specifically by and for itself.

Steve Tower

With many years of professional IT experience, and training as a Certified Management Consultant, a Project Management Professional, a Professional Engineer and a Member of the Business Continuity Institute, Steve Tower has the skills and abilities required to assist with even the most complex disaster recovery planning initiatives. Below, Steve discusses the necessary tools involved in setting up a disaster recovery plan and program.