Inside Track: A gold standard
10 November 2016
Business continuity (BC) and disaster recovery (DR) are standard parts of the IT lexicon, and all businesses that depend significantly on their IT estate will have some form of them in place.
But with ever more integrated solutions and services now offering more capabilities than ever before, with the General Data Protection Regulation (GDPR) looming, and with the prospect of information discovery requests becoming a major burden, what standards should client companies be looking for?
The market is full of companies offering BCDR services, but one challenge for those in the market for such services is knowing how to assess one against another. Are they all equally trustworthy and technically reliable, or are some providers better than others? How can you know? Is there an objective way to measure BC and DR services, or is it a matter of the luck of the draw?
According to Michael Conway, co-author of “Business Continuity for Dummies,” contributor to various standards groups, and director and practitioner with BCDR specialist Renaissance, the answer is yes, but it is complicated. To begin with, while there is a standard that providers can be measured against, almost nobody in this country has attained that standard officially.
“In terms of business continuity, there is ISO22301 and before that there was a British standard, BS25999. The issue with this standard is that there are very, very few — and I mean only a handful of organisations — that have actually become accredited to that standard in this country,” he said.
Planning and emergency
Conway is a member of the Business Continuity Institute of Ireland, and a fellow of the Emergency Planning Society — organisations involved in business continuity and emergency planning.
“This standard is not like the other traditional ISO standards that are fairly commonly held and that people aspire towards. When it comes to ISO22301, maybe about 10 people have looked for that in this country,” he said.
With so few companies accredited to ISO standards, how can you know if your BC and DR provider knows what they are doing? The answer, according to Conway, is that you cannot. The best you can do is inspect the provider’s systems and satisfy yourself that they are competent.
“The reality is that you’ve got to look at their business continuity management programme and see is it in alignment with the ISO standard, where are they vis-à-vis that and get analysis vis-à-vis that. That’s the only way you can actually know with some sort of metric where your provider is,” he said.
“The reality is that organisations talk about ISO22301 and about where they are in the business continuity management life cycle, but business continuity management is nothing like as mature as those traditional ISO standards are in terms of operational practice.”
This means that it is necessary for client companies to do their own due diligence on BC and DR suppliers with which they are contemplating doing business.
“You either have to take their assurances on face value or you’ve got to review the supplier’s business continuity management programme and see where they are with regard to that,” said Conway.
“What has happened in the real world is that because of the downturn in the Irish economy over the last seven or eight years, Irish companies slowed down and stopped their investment in business continuity altogether. It was seen as a luxury and companies are only now starting to refocus on moving towards standards.”