The previous articles in this series have offered guidance on how to create IT disaster recovery (DR) plans for cloud environments and implement them.
In the first, we examined risk and business impact assessment as the initial building block. We looked at developing the DR plan in detail in the second piece. The third looked at staff awareness of DR, training, and how to manage an incident.
In this final article, we look at maintaining the disaster recovery plan and how to review and audit it in a process of continuous improvement.
Final steps in DR planning The final steps in the IT disaster recovery planning process are to:
Establish a process for keeping IT plans and all associated IT activities up to date. Audit and review plans to ensure they are still fit for purpose and consistent with applicable standards and management controls. Establish a process for continuous improvement of the overall IT DR programme. The use of cloud technologies makes these final steps just as important as those stated in previous articles because cloud services are widely used for production IT systems as well as IT DR strategies and planning.
Standards referenced in DR planning Each article in the series has referenced an important international standard – the ISO/IEC 27031:2011, Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity. This is considered the global standard for IT disaster recovery as applicable to users.
Another ISO standard, ISO/IEC 24762:2008, addresses IT disaster recovery from a service provider perspective and should be carefully reviewed when cloud services are being considered. Both standards can help develop and implement DR programmes.
Sections 8 (Monitor and Review) and 9 (IRBC Improvement) in ISO 27031 address the issues described in this article. Among the key points are the following:
Top management must be actively engaged in the IT/DR process. Tests and exercises should be conducted to ensure plans are up to date and fit for purpose. Plans and programmes should be regularly reviewed and updated, especially upon completion of an exercise. IT operating infrastructures should be monitored to detect any possible threats. Plans and programmes should be examined by internal auditors (or external auditors if needed) to ensure compliance with appropriate standards and regulations. Readiness of the organisation for potential IT disruptions should be regularly monitored and assessed. As part of the review process, continuous improvement activities ensure that IT DR initiatives will perform as required. Maintenance, auditing and continuous improvement in the DR planning process Previous articles in this series described how DR strategies and procedures help organisations protect their investments in IT systems and operating infrastructures. Disaster recovery’s principal mission is to return IT operations to an acceptable level of performance as quickly as possible following a disruptive event.
The use of cloud services can greatly enhance an organisation’s ability to survive a disruption to IT operations by backing up critical applications and data, protecting essential network connectivity using enhanced security resources and being an active participant in DR tests and exercises.
Before investing in cloud solutions, however, it is essential to perform extensive due diligence, not only on the prospective cloud supplier(s) but on the services they offer and their policies regarding DR customer support activities, such as participating in DR testing.
Figure 1 depicts the IT disaster recovery lifecycle, and is adapted from ISO 27031. It shows where maintenance and auditing fit into the overall IT DR lifecycle. Continuous improvement ideally occurs at all points in the DR planning lifecycle, and can be implemented through effective programme management and periodic programme reviews and assessments.
Figure 1: Stages of the IT disaster recovery lifecycle Activities shown in Figure 1 should be adapted to cloud technologies and services when they are implemented in an organisation. The key difference is that cloud services are located elsewhere and cannot be actively managed by users. Successful use of cloud technologies depends on suppliers and how well users work with them.
Building an IT DR maintenance plan When building a technology DR maintenance plan, be sure to secure senior management review and approval. It may also be appropriate to invite cloud service suppliers to participate in maintenance activities, if they provide that level of support.
Key activities for successful DR plan maintenance include the following checklists.
Establish an ongoing plan maintenance schedule of activities. Include updates to:
Existing risk assessments (RAs). Business impact analyses (BIAs) – and updates to existing BIAs. Plan reviews. Plan exercises. Contact lists. Plan training and awareness activities. Maintenance programmes can be initiated using a spreadsheet with the headings shown in Figure 2.
Figure 2: DR maintenance plan spreadsheet headings DR maintenance tasks should include the need to:
Coordinate DR maintenance activities with existing IT activities such as change management, hardware and software maintenance, and helpdesk operations. Coordinate with cloud suppliers if possible. Document all maintenance actions, including date and time maintenance was performed, summary of maintenance activities, cloud service activities, and approvals as needed. Leverage existing internal resources, such as a company intranet, to provide a secure repository for maintenance activities. Coordinate these activities with cloud suppliers. Generate periodic – quarterly, for example – maintenance reports to management, highlighting the status of maintenance activities and issues that need to be addressed. Building an IT/DR audit plan Periodic audits of IT DR plans, whether by an internal audit department or an external auditing firm, help ensure they continue to be fit for purpose and compliant with industry standards and company IT policies. Consider the following tips for this process:
Prepare an audit plan for IT disaster recovery by defining and documenting audit criteria, scope, method and frequency (an annual audit, for example). Ensure that only qualified auditors are appointed for the audit. Check to ensure audit firms have expertise in business continuity, disaster recovery and cloud services. Select and engage auditors and conduct the audit to ensure objectivity and partiality during the audit process. Establish a process to ensure that deficiencies identified in an audit are corrected within an agreed-upon timeframe. Ensure audits address internal and external organisations (for example, audit cloud service suppliers to ensure their capabilities support the organisation’s IT disaster recovery strategies and plans). Check in advance with cloud suppliers on their policy regarding participation in user audits. Conduct an audit when there are significant changes to critical IT DR services, cloud-based services, business continuity and/or disaster recovery requirements. Document the audit results and report them to top management, who should review the results and support follow-up corrective actions. ISO 27031 can help prepare for an audit as it identifies relevant audit issues. Building a continuous improvement capability Once the IT DR programme is completed, you can launch an ongoing process of continuous improvement. Be sure that activities in this part of the process coordinate with cloud suppliers and their service offerings.
This stage links with previously discussed maintenance and audit activities, and leverages the results of both.
Be sure to secure top management authorisation when organising a continuous improvement programme.
Continually improve DR disaster and business continuity activities by monitoring the overall programme and applying preventive and corrective actions, such as periodic reviews of programme performance.
Maintain awareness of any changes in the business, such as a merger or acquisition or changes in service offerings from cloud suppliers, and ensure these changes are incorporated into DR plans and supporting programmes. It is essential that the DR programme accurately reflects the current state of the organisation and its operations.
Summary This article has explained how to establish maintenance, audit and continuous improvement activities to ensure IT DR programmes and associated plans are kept current, their activities are consistent with good DR practice as well as applicable standards, the plan is properly aligned with the organisation’s goals and strategies, and that the programme is continually monitored and evaluated for improvement.
Read more from this series on cloud-era disaster recovery planning Part 1: Assessing risk and business impact. A step-by-step guide to building firm foundations for the disaster recovery plan, with risk assessment and business impact analysis. Part 2: Setting strategy and developing plans. How to formulate a DR strategy and develop detailed DR plans for your organisation, while taking cloud services into account. Part 3: Staff training, incident and media management. Key components of DR staff awareness and training programmes, incident management and dealing with the media.