ISO 22301 toolkit - disaster recovery plan
Assign topic to the user
Question #1
The company is quite specific. The basic IT infrastructure is provided by the parent company, while the IT infrastructure for our main product is located on the servers of the hosting provider. I wonder if there is a need to have a separate dedicated disaster recovery plan, instead of specific activity recovery plans. One of the activities in the company is responsible for the development of the main product and the procedures for possible restoration of the main product will be on their side. On the other hand, recovery after a disaster in matters related to other software provided by the parent company is the role of the parent company's IT and it has its own disaster recovery strategies and procedures. In your opinion, can I skip the separate disaster recovery plan in such a situation?
If I understood correctly, both of your IT infrastructures are managed by third parties (being one your parent company and the other an external hosting provider).
In this case, you can skip the plans for your IT infrastructure. All you need to ensure, by means of service agreements, is that your parent company and external hosting provider have implemented plans to achieve your business continuity objectives. The only plans you need to consider are those related to the business process you run on your own (e.g., the recovery plans for the development process itself).
However, from your question, it is not clear if you are managing virtual servers or using SaaS over the provided IT infrastructure. For these specific cases you would need to have the correspondent DRPs because you are responsible for managing the virtual server, and for a SaaS, the organization is responsible for the data, and you will need a DRP for handling data recovery during a disaster.
For further information, see:
- Disaster recovery vs Business continuity https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/
Question #2
Is chapter four of the business continuity recovery plan template sufficient against standard clause 8.4.5? Or should I supplement my recovery plans with additional steps?
I’m assuming you are referring to the Disaster Recovery Plan template.
In this case, the information to be included in the template is sufficient to be compliant with ISO 22301 clause 8.4.5.
For further information, see:
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/27001academy/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
In question two, I meant the process of restoring activities from temporary to normal. Is the information given in chapter 4 of the business continuity plan template sufficient in relation to the provisions of the standard (8.4.5). Or should I add specific steps in recovery plans of specific activities (how to step back to normal conditions for activity).
First of all, sorry for the misunderstanding.
Section 4.3 of the Business Continuity Plan template requires the definition of a specific returning to normal conditions plan, so you will need to consider those in your recovery plans.
This Return to Normal Plan can be developed from the blank template included in your toolkit, and you can use as content structure the one from de Recovery Plans (similarly to your recovery plans, you need to define people, information, resources, personnel, etc.). This is the rationale:
Recovery Plan: From Interruption situation to temporary operation scenario.
Return to Normal Plan: From temporary operation scenario to normal operation environment
I understand, thanks for the tips, I will use them. I wonder if the creation of these documents is obligatory. The standard mentions about documented recovery procedures. However, they are not included in the package and maybe there is already content that solves this issue?
Please note that while ISO 22301 requires recovery plans to be documented, the standard does not define how to document them.
The disaster recovery plan template included in the toolkit, as explained in the previous answer, has all the content structure you need to define the recovery plan (i.e., plans to return to normal). This was made this way to avoid creating additional documents, which would only unnecessarily increase the administrative work to maintain the documentation. In case you want recovery plans as separated documents, then you should use the blank template to develop this specific document.
Please note that included in your toolkit there is a List of documents files that shows which clause of the standard is covered by each template. There you will find out that clause 8.4.5 is covered by templates Appendix 6 – Disaster Recovery Plan and Appendix 7 – Activity Recovery Plan.
Comment as guest or Sign in
Sep 09, 2021