Business continuity management and ICT disaster recovery implementation fact sheet
This fact sheet replaces the Whole-of-government business continuity management and disaster recovery implementation guideline.
Introduction
Every agency is responsible for creating, validating and maintaining ICT Disaster Recovery (ICT DR) and Business Continuity Plans (BCP) including mitigation of ICT related disruptions.
In the event of a disaster, agencies must be able to function effectively and ICT is a substantial component of this.
For business continuity and ICT disaster recovery to be relevant to the organisation, sustainable and achievable, practitioners need to approach the planning process in the context of providing certainty over the delivery of business outcomes (services).
To achieve this, departments must establish a process for identifying all deliverables for which they are responsible, prioritising those outcomes and identifying the key dependencies along with vulnerabilities that might expose the organisation to failure.
This factsheet provides high level advice as to how this can be achieved from the perspective of ICT dependent delivery. It is critical to emphasise that ICT alone will not ensure the ongoing resilience of the organisation and that ICT DR planning must be conducted in the context of the agency's all hazards approach to continuity planning.
Legislated requirement
For Queensland Government Departments, the development of robust and effective business continuity and ICT Disaster recovery arrangements are articulated as accountable officer obligations:
- Financial Accountability Act 2009 (section 61 risk management provisions)
- Financial and Performance Management Standard
Current policies and guidelines
Information Security Policy (IS18:2018) requires agencies to implement an Information Security Management Systems (ISMS)based on the ISO 27001 standard (Principle 1).
ISO 27001Annex A.17 relates to the Information Security Aspects of Business Continuity Management.
The control objectives outlined in this section are:
- A.17.1.1 Planning Information Security Continuity
- A.17.1.2 Implementing Information Security Continuity
- A.17.1.3 Verify, Review & Evaluate Information Security Continuity
- A.17.2.1 Availability of Information Processing Facilities
ISO 27001 Annex A.15 may also be considered as it relates to Supplier Relationships.
Please Note: Queensland Government has a whole-of-government agreement with SAI Global to provide access to some of the ISO27000 suite of standards.
Good practice for business continuity management and disaster recovery
The previous IS18 policy (IS18:2009) Requirement 9 focused on business continuity and ICT disaster recovery. Whilst the policy is no longer in force, the BCP and DR requirements remain good practice for agencies to consider.
'A managed process including documented plans must be in place to enable information and ICT assets to be restored or recovered in the event of a disaster or major security failure.
- Methods must be developed to reduce known risks to information and ICT assets including undertaking a business impact analysis.
- Business continuity plans must be maintained and tested to ensure information and ICT assets are available and consistent with agency business and service level requirements.
- Plans and processes must be established to assess the risk and impact of the loss of information and ICT assets in the event of a security failure or disaster to enable information and ICT assets to be restored or recovered.
- ICT disaster recovery plans must be maintained and tested to ensure information and ICT assets are available and consistent with agency business and service level requirements.'
Understanding the business
The development of a detailed business impact analysis (BIA) will help the agency to identify the critical outputs of the agency and the vulnerabilities that threaten the ongoing delivery of those outcomes.In doing this, the BIA will support decisions around investments in making services more resilient. Decisions relevant to service maintenance during periods of disruption and prioritisation of restoration activities following on from a critical service failure, will also be supported by the intelligence contained within the BIA.
A BIA will identify:
- critical and non-priority services across the agency through a standardised methodology
- the risk associated with service failure
- service priorities, evaluating impact over time
- common resources and infrastructure dependencies shared across multiple areas/services (including ICT, people, buildings and utilities)
- common vendor dependencies
- agency exposure to potential failure of individual vendors
- opportunities to ensure the agency can manage the business continuity arrangements from a supply chain perspective
- gaps between corporate enabling services and business area (client) requirements and expectations.
Supplier relationships and dependencies
During the development of agency business continuity and ICT DR arrangements the BIA will identify points of reliance (dependencies) that may undermine the delivery of outcomes across the agency.
This information will help to identify strategies to deliver appropriate levels of resilience across the agency. These decisions will include justification for decisions to increase levels of redundant infrastructure or to accept the risk and employ alternate recovery strategies that are proportionate to the value of the data and processes supported by the dependencies.
The BIA supports effective management of 3rd party (outsourced) dependencies through the establishment of specifications that outline meaningful metrics and expectations.
ISO 27001 Annex A.15 may also be considered as it relates to Supplier Relationships. A.15 provides control objectives where information is managed or held by suppliers - such as in the cloud. The objective here is protection of the organisations valuable assets that are accessible to or affected by suppliers.
Further Information
- Australian National Audit Office
- Business Continuity Institute
- ISO - ISO 22301:2019 - Security and resilience — Business continuity management systems — Requirements (paid service)
- AS ISO 22301:2020 Security and resilience - Business continuity management systems – Requirements (paid service)
- ISO/IEC 27031:2011 Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity