
Expert Advice Community


ISO 22301 toolkit - disaster recovery plan

Guest user Created:   Aug 30, 2021 Last commented:   Sep 09, 2021


I am currently preparing a business continuity plan using the ISO 22301 documentation from Advisera.

Question #1

The company is quite specific. The basic IT infrastructure is provided by the parent company, while the IT infrastructure for our main product is located on the servers of the hosting provider. I wonder if there is a need to have a separate dedicated disaster recovery plan, instead of specific activity recovery plans. One of the activities in the company is responsible for the development of the main product and the procedures for possible restoration of the main product will be on their side. On the other hand, recovery after a disaster in matters related to other software provided by the parent company is the role of the parent company's IT and it has its own disaster recovery strategies and procedures. In your opinion, can I skip the separate disaster recovery plan in such a situation?

Question #2

Is chapter four of the business continuity recovery plan template sufficient against standard clause 8.4.5? Or should I supplement my recovery plans with additional steps?


Expert
Rhand Leal Aug 30, 2021

Question #1

The company is quite specific. The basic IT infrastructure is provided by the parent company, while the IT infrastructure for our main product is located on the servers of the hosting provider. I wonder if there is a need to have a separate dedicated disaster recovery plan, instead of specific activity recovery plans. One of the activities in the company is responsible for the development of the main product and the procedures for possible restoration of the main product will be on their side. On the other hand, recovery after a disaster in matters related to other software provided by the parent company is the role of the parent company's IT and it has its own disaster recovery strategies and procedures. In your opinion, can I skip the separate disaster recovery plan in such a situation?

If I understood correctly, both of your IT infrastructures are managed by third parties (one being your parent company and the other an external hosting provider).

In this case, you can skip the plans for your IT infrastructure. All you need to ensure, by means of service agreements, is that your parent company and external hosting provider have implemented plans to achieve your business continuity objectives. The only plans you need to consider are those related to the business process you run on your own (e.g., the recovery plans for the development process itself).

However, from your question, it is not clear if you are managing virtual servers or using SaaS over the provided IT infrastructure. For these specific cases you would need to have the corresponding DRPs because you are responsible for managing the virtual server, and for a SaaS, the organization is responsible for the data, and you will need a DRP for handling data recovery during a disaster.


Question #2

Is chapter four of the business continuity recovery plan template sufficient against standard clause 8.4.5? Or should I supplement my recovery plans with additional steps?

I’m assuming you are referring to the Disaster Recovery Plan template.

In this case, the information to be included in the template is sufficient to be compliant with ISO 22301 clause 8.4.5.

Guest
Kamil Aug 30, 2021

In question two, I meant the process of restoring activities from temporary to normal. Is the information given in chapter 4 of the business continuity plan template sufficient in relation to the provisions of the standard (8.4.5)? Or should I add specific steps in recovery plans of specific activities (how to step back to normal conditions for activity)?

Expert
Rhand Leal Sep 02, 2021

First of all, sorry for the misunderstanding.

Section 4.3 of the Business Continuity Plan template requires the definition of a specific returning to normal conditions plan, so you will need to consider those in your recovery plans.

This Return to Normal Plan can be developed from the blank template included in your toolkit, and you can use as content structure the one from the Recovery Plans (similarly to your recovery plans, you need to define people, information, resources, personnel, etc.). This is the rationale:
Recovery Plan: From interruption situation to temporary operation scenario.
Return to Normal Plan: From temporary operation scenario to normal operation environment.

Guest
Kamil Sep 07, 2021

I understand, thanks for the tips, I will use them. I wonder if the creation of these documents is obligatory. The standard mentions documented recovery procedures. However, they are not included in the package and maybe there is already content that solves this issue?

Expert
Rhand Leal Sep 09, 2021

Please note that while ISO 22301 requires recovery plans to be documented, the standard does not define how to document them.

The disaster recovery plan template included in the toolkit, as explained in the previous answer, has all the content structure you need to define the recovery plan (i.e., plans to return to normal). This was done this way to avoid creating additional documents, which would only unnecessarily increase the administrative work to maintain the documentation. In case you want recovery plans as separate documents, then you should use the blank template to develop this specific document.

Please note that included in your toolkit there is a List of documents files that shows which clause of the standard is covered by each template. There you will find out that clause 8.4.5 is covered by templates Appendix 6 – Disaster Recovery Plan and Appendix 7 – Activity Recovery Plan.
