
Standards for Recovery Planning

Formalization of risk management, business continuity, and disaster recovery has come a long way. Different models exist to help organizations adopt best practices in these areas. Many standards and guidelines are available to help you create your strategy, but the big question is: which standard should you follow?

General standards for recovery strategies provide a framework for the practices, processes, and procedures an organization implements to address the risks within their organization/environment.  

Here are four examples of standards that are available:

ISO 22301 Business Continuity Management

Ongoing management-level process to ensure that necessary steps are regularly taken to identify probable accidents, disasters, emergencies, and/or threats. It also involves (1) assessment of the probable effect of such events, (2) development of recovery strategies and plans, and (3) maintenance of their readiness through personnel training and plan testing. See also business impact analysis. (Source: Wikipedia)

ISO 27000 Series Information Security Management

The series provides best practice recommendations on information security management, risks and controls within the context of an overall information security management system (ISMS), similar in design to management systems for quality assurance (the ISO 9000 series) and environmental protection (the ISO 14000 series).

The series is deliberately broad in scope, covering more than just privacy, confidentiality and IT or technical security issues. It is applicable to organizations of all shapes and sizes. All organizations are encouraged to assess their information security risks, then implement appropriate information security controls according to their needs, using the guidance and suggestions where relevant. Given the dynamic nature of information security, the ISMS concept incorporates continuous feedback and improvement activities, summarized by Deming's "plan-do-check-act" approach, that seek to address changes in the threats, vulnerabilities or impacts of information security incidents. (Source: Wikipedia)

ISO 31000 Risk Management

The purpose of ISO 31000 is to provide principles and generic guidelines on risk management. ISO 31000 seeks to provide a universally recognized paradigm for practitioners and companies employing risk management processes to replace the myriad of existing standards, methodologies and paradigms that differed between industries, subject matters and regions. (Source: Wikipedia)

BS 65000 Guidance on Organizational Resilience

BS 65000 is a guidance standard, primarily aimed at helping organizations understand Organizational Resilience at the strategic level. It is built on principles that help identify characteristics, attributes and capabilities that will directly improve the resilience of any organization. It is not a compliance standard, but it does link to, and to an extent rely on, other standards and professional practices that form parts of the big picture Organizational Resilience represents. (Source: Business Continuity & Resilience Forum)

The process developed and used by Huber Advisors can meet the requirements for an ISO 22301 certification, and it can also meet ISO 27001's requirement for a recovery plan. Likewise, our process supports the principles found in ISO 31000 and follows the guidance found in BS 65000. All in all, the Huber Advisors process looks at your organizational risks, identifies those needing mitigation, and addresses any gaps through enhanced processes, new systems/solutions, or simply a reasoned explanation for rationalizing and accepting the risk.

Huber Advisors will provide guidance on how to start, where to go, and which standard makes sense. Call today to schedule an initial consultation.
