
ISO/IEC 27031

This document describes the ISO/IEC 27031 standard, which provides guidance on how information and communication technologies (ICT) can ensure business continuity. The standard suggests a framework for organizations to improve ICT preparedness and information security to ensure business continuity in the face of any incident or disaster. The standard also aligns business continuity processes, disaster recovery, and incident security management.

ISO/IEC 27031:2011 Information technology - Security techniques - Guidelines for information and communication technology readiness for business continuity

Introduction

ISO/IEC 27031 provides guidance on the concepts and principles behind the role of information and communication technology (ICT) in ensuring business continuity.

The standard:

Suggests a structure or framework (in practice, a set of methods and processes) for any organization, whether private, governmental or non-governmental.

Identifies and specifies all relevant aspects, including performance criteria, design and implementation details, to improve ICT readiness within the framework of the organization's ISMS, helping to ensure business continuity.

Allows an organization to measure its ICT continuity and security, and therefore its readiness to survive a disaster, in a consistent and recognized manner.

Scope of application and objective

The standard covers all events and incidents (not just information security related ones) that could have an impact on ICT infrastructure and systems. It therefore extends to information security practices, incident management, planning and ICT readiness services.

ICT Readiness for Business Continuity (IRBC) [a general term for the processes described in the standard] supports Business Continuity Management (BCM) by ensuring that ICT services are as resilient as appropriate and can be recovered to pre-determined levels within the timescales required and agreed by the organization.

ICT arrangements are important for business continuity purposes because:

ICT is prevalent, and many organizations are highly dependent on ICT in support of critical business processes;
ICT also supports incident, business continuity, disaster and emergency response, and the related management processes;
Business continuity planning is incomplete without considering and properly protecting the availability and continuity of ICT.
ICT readiness includes:

Preparing the organization's ICT (i.e. IT infrastructure, operations and applications), together with the associated processes and people, against unforeseeable events that could change the risk environment and the impact on ICT and business continuity;
Leveraging and streamlining resources across business continuity, disaster recovery, emergency response and ICT security incident response and management activities.
ICT readiness should, of course, reduce the impact (that is, the extent, duration and/or consequences) of information security incidents in the organization.

The standard incorporates the familiar Deming PDCA (Plan-Do-Check-Act) cyclical approach of ISO 9000, extending the conventional business continuity planning process to take ICT more fully into account. It incorporates 'failure scenario assessment' methods such as FMEA (Failure Mode and Effects Analysis), focusing on the identification of 'triggering events' that could precipitate more or less serious incidents.
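As an added illustration of the two ideas just described, the FMEA-style assessment of triggering events and the earlier point that ICT services must be recoverable to pre-determined levels within agreed timescales, the following Python script scores constructed failure scenarios, ranks them by Risk Priority Number, and checks each service's last tested recovery time against its agreed RTO. This is example code written for this page, not material from ISO/IEC 27031 or from the page's source; the services, triggers, scores and recovery figures are hypothetical, and the 1..10 scoring scales and the severity x occurrence x detection product are the common FMEA convention rather than anything the standard mandates.

```python
"""FMEA-style scoring of ICT failure scenarios plus an RTO readiness check.

Added illustration; not part of ISO/IEC 27031 or the page's source. The
scenarios, scores and recovery figures below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    service: str                  # ICT service supporting a critical business process
    trigger: str                  # the 'triggering event' that could precipitate an incident
    severity: int                 # 1 (negligible) .. 10 (catastrophic) business impact
    occurrence: int               # 1 (remote) .. 10 (almost certain) likelihood
    detection: int                # 1 (detected at once) .. 10 (unlikely to be detected in time)
    rto_hours: float              # agreed recovery time objective for the service
    tested_recovery_hours: float  # recovery time observed in the most recent exercise

    def __post_init__(self):
        # Reject out-of-range scores early so a typo cannot silently skew the ranking.
        for name in ("severity", "occurrence", "detection"):
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be in 1..10, got {value}")
        if self.rto_hours <= 0 or self.tested_recovery_hours < 0:
            raise ValueError("recovery figures must be positive")

    @property
    def rpn(self) -> int:
        """Risk Priority Number: the usual FMEA product of the three scores."""
        return self.severity * self.occurrence * self.detection

    def meets_rto(self) -> bool:
        """True when the last tested recovery finished within the agreed RTO."""
        return self.tested_recovery_hours <= self.rto_hours


def rank_by_rpn(modes):
    """Highest-risk failure modes first; ties broken by severity, then service name."""
    return sorted(modes, key=lambda m: (-m.rpn, -m.severity, m.service))


def readiness_gaps(modes):
    """Failure modes whose tested recovery time exceeds the agreed RTO."""
    return [m for m in modes if not m.meets_rto()]


def readiness_report(modes):
    """Summarise the risk ranking and RTO gaps as a plain dict for a review meeting."""
    ranked = rank_by_rpn(modes)
    gaps = readiness_gaps(modes)
    return {
        "ranking": [(m.service, m.rpn) for m in ranked],
        "gaps": [(m.service, m.tested_recovery_hours, m.rto_hours) for m in gaps],
        "ready": not gaps,
    }


# Constructed sample scenarios (hypothetical services, triggers and figures).
SAMPLE_MODES = [
    FailureMode("email", "ransomware on file servers", 8, 4, 6, 24, 36),
    FailureMode("payments", "primary data centre power loss", 10, 2, 2, 4, 3),
    FailureMode("vpn", "expired TLS certificate on the gateway", 5, 6, 3, 8, 1),
    FailureMode("erp", "database corruption after a failed upgrade", 9, 3, 7, 12, 20),
]

if __name__ == "__main__":
    report = readiness_report(SAMPLE_MODES)
    for service, rpn in report["ranking"]:
        print(f"{service:10s} RPN={rpn}")
    for service, tested, rto in report["gaps"]:
        print(f"GAP: {service} recovered in {tested}h, agreed RTO is {rto}h")
    print("ready" if report["ready"] else "not ready")
```

The ranking drives where preparation effort goes (the Plan step), while the gap list is the Check step: a service whose exercised recovery time exceeds its RTO is not ready regardless of how good its plan looks on paper. Re-running the report after each exercise closes the PDCA loop.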

The SC 27 team responsible for ISO/IEC 27031 liaised with ISO technical committee 233 on business continuity to ensure alignment and avoid overlaps or conflicts. The FCD advised: "If an organization is using ISO/IEC 27001 to establish an Information Security Management System (ISMS), and/or using ISO/PAS 22399 or ISO 22301 to establish a Business Continuity Management System (BCMS), the establishment of IRBC should take into account the existing or planned processes related to these standards. This linkage can support the establishment of IRBC and avoid duplicate processes for the organization."

Status of the standard

ISO/IEC 27031 was originally intended to be a multi-part standard, but this was changed to two parts (a formal specification plus a guide) and finally reduced to a single part (just the guide), which was published in March 2011.

An ISO/IEC standard on ICT disaster recovery has been released as ISO/IEC 24762:2008, outside the ISO27k family. For more information, consult the page on other standards.

ISO TC 233 is working on other business continuity standards, such as ISO 22301.

The main concern at the information security level is that it allows tasks to be carried out to prevent, avoid or at least reduce the probability of incidents affecting information assets. For the most part, these controls are intended to work before incidents occur. They are well served by ISO27k and other standards.

Incident and crisis management controls cover the period during the incident. They too are very well covered by ISO27k and other standards. Resilience controls also work during this period, ensuring that vital business operations are not substantially degraded or halted by incidents, but until this standard was released they had not been well covered by ISO27k.
Personally, I believe there is much more to say about resilience. This standard does not go far enough in that regard. I'm not sure the ISO 22301 standard even mentions the word resilience.

Disaster recovery controls take effect after the incident, generally a little later, when failed or seriously degraded ICT systems, services, business processes, etc. are bootstrapped. The period between the disaster and the recovery can cause serious problems for the organizations concerned: in the worst case, they cannot survive. DR has been done to death by earlier standards, insofar as DR, rather than avoidance/prevention and resilience, is often considered the main control for disasters. That is simply bad, in my view. As far as I'm concerned, DR is about the management of discontinuity.
BIBLIOGRAPHY

http://www.iso27001securityty.com/html/27031.html
