.png)
As a decision-maker in today's highly digital world, you're all too aware of the importance of cyber security. Important aspect of every information security program is preparing for adverse events with good continuity planning and backups. This is a topic required in EU's NIS2 directive and extensively covered in ISO 27001 standard.
We're here to provide guidance, and to demystify this security topic. This article guides in creating your NIS2 required procedures for business continuity and backups by taking advantage of ISO 27001's battle-tested best practices.
Continuity planning is the process of developing prevention and recovery systems to ensure key business operations remain uninterrupted or quickly resumed after adverse events. An efficient plan helps minimize the impact of potential scenarios such as power outages, cyber attacks, or natural disasters.
In information security, continuity also refers to maintaining information security at an appropriate level during disruptions or other adverse events.
Backups, in the business continuity scope, refer to the process of creating copies of your data, systems, and software, safely storing them away from the primary business location. The objective is to ensure that, in the event of any catastrophic events, data breaches, operational malfunctions, or system failures, your business is able to quickly bring its systems back online, significantly reducing downtime and the potential losses associated with such incidents.
In NIS2 Directive continuity planning and backups have been grouped together into the same section. This logical as both approaches have a similar goal - efficient recovery from adverse events. However in many other security frameworks these are seen as separate topics, as backups takes a very data- and technology-focused view into continuity. Understanding the connection of these two is important, no matter how separately you implement them in your own operations.
Business continuity planning in information security isn't just about having a backup plan in case of a system meltdown or cyberattack. It’s about proactively ensuring that your processes and systems are resilient and can bounce back quickly from any kind of disruption.
The continuity of your operations is dependant on the availability of many different things: people, technology, partners, physical sites, data...
Continuity planning starts from understanding the continuity requirements for different parts of your data processing environment. Can you go 2 hours without a data system? For some you surely can, for others it might be very damaging.
Prioritization of your assets and other data processing environments key items should be done before diving into creating continuity plans to ensure you're planning for the right things.
You should be creating continuity plans e.g. for this kind of adverse events (that might danger your continuity):
Continuity plans are the concrete level of continuity planning. Your continuity plans should include:
You're building a critical part of your company's resilience. Incorporating these elements will ensure your business can adeptly navigate and swiftly recover from a disruption.
In the digital world of information technology, backups are equivalent to safety nets. They represent copies of your valuable and sensitive data, safely stored in various locations, providing a foolproof way to restore that data if lost or compromised. Backups are absolutely critical to any business continuity plan as they ensure that in the face of adverse events, your business downtime is greatly minimized, and operations can resume promptly without significant loss of information.
To ensure your backup processes are proportionate, there are several pivotal aspects you should think about. Be sure you can answer the following questions:
Here are some issue you can work to avoid in relation to continuity planning and backups.
Lack of management involvement and support: You should do your best to build awareness about the continuity planning benefits and encourage collaboration - so important adverse events can be identified from all point-of-views.
Limited resources (time, budget, personnel) and team work: When understanding the catastrophes continuity planning tries to control, you start to see its relevance. Decide separately on sufficient resources and the people needed on the work - with top management support.
Feel of complexity in IT infrastructure: Complex environment can make it feel like it's hard to get on top of your backup processes for example. But when you progress step-by-step - first documenting backup processes, then categorizing backup responsibilities for data systems, you'll be making steady progress and soon the topic won't seem so complex anymore.
Inadequate testing and maintenance of continuity plans: A plan is not too powerful if it's implemented for the first time in a real-life situation. All security framework mention practicing continuity plans and backup restoration regularly, so that the implementation in a stressful real-life situation can be successful.
ISO 27001 addresses continuity in several controls, pertaining to aspects like the safeguarding of information during disruptive events, readiness of the organizations' ICT for continuity, and redundancy of information processing facilities.
There's also another ISO standard, ISO 22301, that is exclusively dedicated to the management of business continuity. This standard supports planning for, reacting to, and recovering from disruptive incidents by offering a more overarching framework for continuity planning. If you see this as a core aspect of your information security program, you might want to get familiar with this standard also.
This control emphasizes the need for creating continuity plans to ensure information security remains at an appropriate level even during disruptions, aiming to safeguard information and related assets in challenging circumstances.
These continuity plans should have clear owners and they should be tested, and regularly reviewed to sustain or restore information security in critical business processes post-disruption.
This control highlights ensuring that organization's ICT readiness high-enough to be able to match business continuity objectives and ICT continuity requirements. Basically this means, that e.g. data systems needed for critical operations need to be restorable in the same timeframe that is required from the main process.
Organization must identify what recovery times and recovery points different ICT services must be able to achieve, taking into account the defined recovery goals for related processes, and ensure the ability to achieve them. In relation to previous control, continuity plans especially related to ICT services should be created, approved and are regularly tested.
Organizations need to monitor their ICT and other key resource usage. This helps them ensure they have enough information processing facilities, human resources, offices, and other facilities, considering the business criticality of the relevant systems and processes. It's beneficial to have early detection and alert systems, so problems can be spotted and projections for future capacity can align with e.g. business growth and technology trends.
This control emphasizes the need for spare systems key data processing resources to meet availability needs and keep operations running. The organization should plan and set up procedures for using redundant parts and facilities. Procedures should determine whether the redundant parts are always active or are activated automatically or manually in emergencies. It's important that redundant parts and facilities have the same level of security as the primary ones.
ISO 27001 addresses backups mostly in a single control 8.13. This control required regularly maintained and tested backups, but also provides many important tips in its implementation guidance, e.g. related to understanding business requirements for backup, backup storage locations, appropriate protection for backups and encryption.
Organization should ensure that backup copies of information, software, and systems are regularly maintained and tested, according to established policy on backups. This practice is important for recovering data or systems in case of loss.
You should map out your current backup processes and ensure you have proportionate answers for the key questions: What data is backed up? Where are the backups stored? How often the backups are done? How long should the backups be retained? Who is responsible?
Once you're happy with your backup process descriptions, the hard part is over. Then you just ensure the backups work, review their comprehensiveness and test the restoration regularly.
This control morely refers to secure configuration in general, but establishing and enforcing clear rules for encryption and key management related to backups is an important part of strong backup strategy.
When utilizing cloud services, the organization needs to ensure clear division of security-related responsibilities. Backing up data can often be the responsibility of the service provider, but things like selected plan and hosting type can affect the backup details. Make sure you're well aware of the comprehensiveness of backups provided for important systems.
To comply with NIS2 in relation to business continuity and backups, you will need to have proportionate, clearly documented and implemented measures for these security topics. By aligning your actions with the battle-tested best practices of ISO 27001, you can be you can be sure that you have implemented the topic appropriately and are improving your overall resilience and preparedness in the process.
Remember that continuity planning isn't just about ticking off a list. It's about creating a robust structure capable of withstanding adverse events and ensuring smooth operations. Things can go wrong; the key is to have a well-thought-out strategy to recover and continue. And while backup techniques do come in varying complexities, the primary consideration should be a reliable and secure system that ensures your important data remains accessible even during critical times.
So in essence, continuity planning and backups are measures for preventing and controlling the most terrible disasters in relation to your activities! From this point-of-view, you could well argue that they are one of the very key areas of any resilient information security program.
Elevate Your Knowledge with Exclusive Access to Weekly Webinars, Video Courses, Help Articles, and Blogs.
