What is ISO?
ISO is short for the International Organisation for Standardisation. This is an International, independent, non-government body that sets the global standards for standard operations of different businesses. It was founded on 23 February 1947, runs its operations in 165 countries and is based in Geneva, Switzerland.
In this article, we will discuss ISO 27001 disaster recovery plan.
ISO 27001 Disaster Recovery Plan
An ISO 27001 disaster recovery plan consists of steps an organisation should take to come back on track from an incident where information security has been compromised. A good recovery plan mostly consists of technology solutions like quick data recovery and cloud services.
This disaster recovery plan’s main function is to make the best feasible plan to restore IT infrastructure and services within a fixed timeframe. Some points to consider within an ISO 27001 disaster recovery plan are outlined below.
Disasters can be of any type such as natural disasters and human-made disasters. Encountering such difficulties require an organisation to have an eagle eye and prepare for future challenges. Disasters may include:
- Information leakage
- Change of trend
- Power outages
- Failure in plans
When developing an ISO 27001 disaster recovery plan, this is often done as a team exercise between relevant employees. They review risks for any possible disaster and define solutions to counter any disaster.
Create a Backup of Your Important Data
To deal with any type of data loss, an IT infrastructure must be used where recovery after any disaster is possible. Company data is very crucial information that must have a backup. In case of any disaster, if you have a data backup, the chance of recovery is enhanced.
Identify Critical Functions
Any business corporation must identify its basic and most critical functions within the organisation. This may include elements such as websites, cash registers, staff, machinery and customer records. Plans must be put in place to cover these critical functions in case of an incident.
Create a Strong Risk treatment Plan
ISO 27001 is a standard for information security and designs the framework for any organisation to cope with IT systems and risks. To achieve ISO 27001 compliance, organisations have to cover following areas amongst others.
- Assessing the scope of your organisation.
- Assigning managerial responsibilities to meet the protocols of ISO 27001.
- Make a plan to cope with IT risks.
- Financial support to meet the expenses of the system required.
- Make security policies.
- Evaluate the impact caused by policies.
- Continuous Improvements.
ISO 27001 Risk Treatment Plan
To cope with identified risks, every organisation must have a documented risk treatment plan. This plan helps organisations to form a structure to eradicate the potential risks by evaluating the impact, have ready to use strategies, assigned duty during a crisis, thus minimizing its effect. When creating an ISO 27001 risk assessment, there are different ways to mitigate any risks.
- Mold the Risk: By reducing the probability of its occurrence the risk is reduced. For example, to avoid the risk of devices issued to the workers being stolen, you can create a policy where laptops are to be kept on site unless approved to remove them by management.
- Avoid the Risk: By eliminating any operation that causes the risk, it can be avoided. For example, to avoid the risk of devices being removed from site and risk being stolen, stationary computers can be used where practical.
- Divide the Risk: Risks can be divided with a third-party organisation, as this will minimise the pressure on your organisation. For example, hiring a security agency to look after security protocols.
- Hold on to the Risk: If treating a risk cost more than the damage a risk cause, you can hold on to that risk. It is a necessary evil for your organisation and you have to live with it.
The main standard for risk treatment strategy is molding the Risk because it is cost-efficient. As part of the ISO 27001 standard, there is an Annex A included which lists 114 controls across 14 sections, where each one addresses the specific aspect of information security