ISO/IEC 27031

ISO/IEC 27031:2011 – Information technology – Security techniques – Guidelines for ensuring business continuity through information and communications technologies

Introduction

Using ISO/IEC 27031 as a guide, you can understand the concepts and principles behind the role that technology plays in ensuring business continuity.

In general, the standard:

– Proposes a structure (a set of methods and processes which are coherent and applicable to all types of organizations) – public, private, and non-profit;
– Identifies all appropriate aspects, such as performance criteria, design and implementation details, that will improve the organization’s ICT readiness and help ensure business continuity;
– Provides a consistent and recognized method for an organization to measure their ICT continuity and security.

Scope and objectives

As a result, all events and incidents (and not just those related to information security) affecting ICT infrastructure and systems are covered by the standard. In this way, it complements the practices for handling and managing incidents of information security, and planning and implementing ICTs.

ICT Readiness for Business Continuity [a collective term for the processes outlined in the standard] strengthens Business Continuity Management “by establishing ICT services that are resilient and can be recovered within agreed time frames.”

The importance of ICT readiness for business continuity can be explained as follows:

– ICT is widely used, and many organizations rely heavily on ICT to perform their critical business functions;
– Furthermore, ICT supports incident, business continuity, disaster recovery, and emergency management activities;
– ICT availability and continuity need to be adequately considered and protected as part of business continuity planning.

Among the components of ICT readiness are:

– Ensure the organization’s ICT (i.e. the IT infrastructure, operations, and applications), as well as personnel and processes, are ready to handle unforeseeable events that could change the risk environment and endanger the business;
– The ability to leverage and streamline resources among business continuity, emergency response, security incident handling, and disaster recovery.

The goal of ICT readiness is to reduce the impact (in terms of the extent, duration, and/or consequences) of an information security incident on a company.

Taking greater account of ICT in the traditional business continuity planning process, the standard incorporates the cyclical Plan-Do-Check-Act process of Deming. Among the methods used is Failure Modes and Effects Analysis, which examines the triggering events that could cause more or less serious incidents.

To ensure alignment and avoid overlap or conflict, the SC 27 team responsible for ISO/IEC 27031 collaborated with ISO Technical Committee 233 on business continuity. AFCD’s recommendation was:

The establishment of IRB is preferably consistent with existing or intended processes tied to these standards, such as ISO/IEC 27001 to establish Information Security Management System (ISMS) and/or ISO 2239PAS or ISO 23301 to establish Business Continuity Management System (BCMS). The linkage may support the formation of IRBC, and they may also avoid having to go through multiple processes.”

The standard’s status

It was originally planned for ISO/IEC 27031 to be a multi-part standard, but this was reduced to two parts (a formal specification and a guideline) and eventually to a single part (the guideline) in 2011.

After reaching the 6th Working Draft stage without achieving consensus, the routine standard revision project was cancelled in 2020. In the end, it went off track. In the end, it was put to rest. The project has ended. It no longer exists.

The standard is being revised once again to cover both deliberate and accidental incidents in terms of business continuity. It is available to SC 27 as a Working Draft. The title will be changed to “Information technology — Cybersecurity — Information and communication technology readiness for business continuity”. The book will be published at the end of 2023.

Commentary

This standard does not add much value, given that ISO 22301 does so well in this general area and ISO/IEC 24762:2008 covers ICT disaster recovery.

To remain a part of ISO27k, I believe it must be properly aligned with the current ISO 22301 standard, ideally extending beyond the ICT domain as ISO27k is about risk and security in information technology, “not all ‘IT’” (a gross exaggeration of plain old ‘IT’ which in common usage has always included communication).

However, in the revised ToR, it is stressed that the scope remains tight-knit around ICT:
This document focuses on information and communications technology (ICT) readiness for business continuity. In a world where ICT is disrupted by any kind of external event, a company’s business continuity objectives can still be achieved with the use of its operational capabilities.”

In addition, to avoid any overlap or conflict with the ISO 22300 standards, the revised ToR confirms that the 27031 will not replace a Business Continuity Management System.

Despite the issue standard noting resilience to disaster as well as recovery from it, there is very little coverage of resilience because of the strange definition: “Resilience: ability to transform, renew, and recover in response to the conditions around it”. I find that odd! As an information risk and security practitioner, resilience refers to the organization’s ability to adapt to intense pressure without breaking.
The essence of the matter is toughness and determination and keeping the essential core activities afloat despite adversity. The most common example of high-availability IT systems is load balancing with redundant servers and communications lines, and automated failover. By implementing engineering techniques such as redundancy, robustness, and flexibility, businesses are guaranteed that their vital business operations won’t be materially hampered or halted by the majority of incidents. Additional safeguards that help maintain critical services include proactive maintenance and change management along with effective high priority incident responses.

It is expected that ISO 22300:2018 will define resilience as the “ability to absorb and adapt in a changing environment.” Although I still feel that it is too vague and off-topic, that is at least a step in the right direction.