Besides BS25999, there are 3 different business continuity standards prepared by ISO. These need to be taken into account during the BS25999 adaptation phase.

ISO 27001 implementers already have to have laid the groundwork for BCM. ISO 20000 implementers likewise have already encountered business continuity, as a mandatory process, under the name IT Service Continuity.

In business continuity work, the 22399 standard should be considered for your incident preparedness status, 27031 if the security of the IT infrastructure and its alignment with continuity are to be taken into account, and 24762 for disaster recovery.

I am sharing below the short summaries I took from ISO.

ISO/PAS 22399:2007 provides general guidance for an organization — private, governmental, and nongovernmental organizations — to develop its own specific performance criteria for incident preparedness and operational continuity, and design an appropriate management system. It provides a basis for understanding, developing, and implementing continuity of operations and services within an organization and to provide confidence in business, community, customer, first responder, and organizational interactions. It also enables the organization to measure its resilience in a consistent and recognized manner.

ISO/PAS 22399:2007 is applicable to all sizes of public or private organizations engaged in providing products, processes, or services that wish to:

  • understand the overall context within which the organization operates;
  • identify critical objectives;
  • understand barriers, risks, and disruptions that may impede critical objectives;
  • evaluate residual risk and risk tolerance to understand outcomes of controls and mitigation strategies;
  • plan how an organization can continue to achieve its objectives should a disruptive incident occur;
  • develop incident and emergency response, continuity response and recovery response procedures;
  • define roles and responsibilities, and resources to respond to an incident;
  • meet compliance with applicable legal, regulatory, and other requirements;
  • provide mutual and community assistance;
  • interface with first responders and the media;
  • promote a cultural change within the organization that recognizes that risk is inherent in every decision and activity and must be effectively managed.

ISO/PAS 22399:2007 presents the general principles and elements for incident preparedness and operational continuity of an organization. The extent of the application will depend on factors such as the policy of the organization, the nature of its activities, products and services, and the location where and the conditions under which it functions.

ISO/PAS 22399:2007, however, excludes specific emergency response activities following an incident, such as disaster relief and social infrastructure recovery that are primarily to be performed by the public sector in accordance with relevant legislation. It is important, however, that coordination with these activities be maintained and documented.

ISO/IEC 27031:2011 describes the concepts and principles of information and communication technology (ICT) readiness for business continuity, and provides a framework of methods and processes to identify and specify all aspects (such as performance criteria, design, and implementation) for improving an organization’s ICT readiness to ensure business continuity. It applies to any organization (private, governmental, and non-governmental, irrespective of size) developing its ICT readiness for business continuity program (IRBC), and requiring its ICT services/infrastructures to be ready to support business operations in the event of emerging events and incidents, and related disruptions, that could affect continuity (including security) of critical business functions. It also enables an organization to measure performance parameters that correlate to its IRBC in a consistent and recognized manner.

The scope of ISO/IEC 27031:2011 encompasses all events and incidents (including security related) that could have an impact on ICT infrastructure and systems. It includes and extends the practices of information security incident handling and management and ICT readiness planning and services.

ISO/IEC 24762:2008 provides guidelines on the provision of information and communications technology disaster recovery (ICT DR) services as part of business continuity management, applicable to both “in-house” and “outsourced” ICT DR service providers of physical facilities and services.

ISO/IEC 24762:2008 specifies:

  • the requirements for implementing, operating, monitoring and maintaining ICT DR services and facilities;
  • the capabilities which outsourced ICT DR service providers should possess and the practices they should follow, so as to provide basic secure operating environments and facilitate organizations’ recovery efforts;
  • the guidance for selection of recovery site; and
  • the guidance for ICT DR service providers to continuously improve their ICT DR services.