Benefits of Aligning Business Continuity Management with IT Service Recovery

IT departments within many organisations are likely to have well defined processes to support their own disaster recovery requirements.  General ‘good practice’ states that we need:
·         Backups;
·         Resiliency designs within the network architecture;
·         Data centre etc…etc…

IT Service Recovery is a legacy approach that many are comfortable with.  From the early mainframe computer days in the 1950’s initial recovery simply focused on restoring the mainframes, the systems were simply off line and business would have to wait, it could actually take a matter of days before affecting the business in anyway. 

However, with the explosion of the internet since 1995 and greater dependence on up-to-the-second information, the impact of loss can now be felt, not in days, but in minutes… if not seconds! 

The role of Business Continuity within an organization developed throughout the 90’s as it became obvious there was a need to provide protection and resilience spanning the entire business.  This led to Business Continuity professionals sitting well outside of IT, focusing on Business Impact Assessments, Crisis Management, and Business Continuity Plans, detailing how the business can continue to provide products and services at an acceptable minimum service level. 

IT has continued to support ‘general good practice’ and has kept up to date, where possible, on the technology that supports system resiliency and recovery, however, often choosing solutions without discussing requirements with the business.  Likewise, the business has been developing Business Continuity Plans on the assumption that IT services will be able to support their strategies.

It is therefore essential that you re-align Business Continuity Management with IT Service Recovery to ensure that the business clearly understands how it may implement strategies that either prevent incidents occurring, or reduce the impact if they do occur. 

To achieve continuity and recovery objectives an organisation should be able to answer questions such as:
·         Can IT recover the business systems within an acceptable period of time?
·         Has the business discussed what the “acceptable period of time” is?
·         Have you ever completed a full restore from backup?
·         Do you carryout vulnerability scans or penetration tests to examine the adequacy of your network designs?
·         Is your Data Center far enough away? Or is it likely to be impacted by the same disruptive incident as you?

CQR Services

CQR is able to help you define your Business Continuity and Service Recovery Strategies through a number of services, such as:



Business Continuity Gap Analysis against ISO 22301:2012 Business Continuity Standard

We will review existing business continuity plans, supporting documentation and governance against the industry standard ISO 22301

Business Continuity Management System (BCMS) Development

We can work with you to create a BCMS that can be certified to ISO 22301 or simply be ‘compliant to’ the requirements of the standard

Business Impact Analysis

We will work with you to analyse the consequences of a disruptive incident on your most time sensitive business processes.

Output will feed into your risk register, business continuity and recovery plans and most importantly verify whether IT are able to recover within the desired timeframes.

IT Service Recovery Technical Review

We will provide an independent review of your IT Service Recovery Plans, ensuring that the information therein is adequate to support the recovery processes and that staff are aware of their roles and responsibilities.

Vulnerability Assessment

We have specialist consultants who can carry out technical vulnerability scans that will challenge the resiliency of your network architecture.

We will provide you with a vulnerability report outlining the risks and provide recommendations to manage the identified vulnerabilities.

Exercise / Test Facilitation

CQR can work with you to design and facilitate an exercise that will test the limits of your documentation and ensure that it is:

       Accurate and up to date




The exercise will also ensure that staff get to understand their roles and responsibilities in an event.

We can also help you to test the continuity and recovery strategies outlined in the documentation to ensure that they will work as expected.

Document Development

We can review, update and create relevant business continuity and recovery documentation as per your requirements.

Yvonne Sears
Senior Security Specialist

*** This is a Security Bloggers Network syndicated blog from CQR authored by CQR. Read the original post at: