IT service continuity planning

Sometimes an unexpected event, such as a fire, flood, or equipment failure, can cause downtime. In order to be able to continue operations as quickly and smoothly as possible, continuity planning is carried out, i.e. planning the operations in advance for these exceptional situations.

Each continuity plan shall contain at least the following information:

• Event for which the plan has been made
• Goal for recovery time
• Responsible persons and related stakeholders and contact information
• Planned immediate actions
• Planned recovery steps

The organization has a clear process, according to which it identifies the most critical functions in terms of its operations (e.g. services offered to customers), which are subject to the highest continuity requirements.

Items in the IT environment that are necessary for these activities (such as information systems, data reserves, operating processes, partners, units, hardware) are classified as critical.

Critical functions are considered with the highest priority, e.g. in continuity planning, and stricter safety requirements can be applied to them than to other objects in the environment.

Continuity requirements for ICT services are derived from continuity plans that are created for core processes (e.g. related to the provision of organization's products and services) and the recovery time goals included in them.

Organization must identify what recovery times and recovery points different ICT services must be able to achieve, taking into account the defined recovery goals for related processes, and ensure the ability to achieve them.

The planning must take into account in particular:

• responsibilities are defined for preparing for, managing and responding to disruptions in ICT services
• in particular continuity plans related to ICT services have been created, approved and are regularly tested
• continuity plans contain information on performance requirements, recovery time requirements and recovery actions for each important ICT service, as well as recovery point requirements and restoring actions for each important ICT service

The organisation should regularly, at least annually, test and review its information security continuity plans to ensure that they are valid and effective in adverse situations.

Testing of continuity plans shall involve, as appropriate, stakeholders critical to each plan. The organisation should identify and document the necessary contacts with suppliers and partners

In addition, the adequacy of continuity plans and associated management mechanisms should be reassessed in the event of significant changes in operations.

The organization must maintain a top-level strategy for continuity planning. The strategy should include at least:

• Guidelines for defining continuity planning recovery time objectives and the adverse events requiring continuity plans
• Management commitment to continuity planning and improvement
• Description of the organization's risk appetite

In order to develop a strategy, it may be necessary to make use of general good practices, such as ISO 22300.

The organisation should include the following topics into their continuity planning:

• Plans for (D)DoS attacks
• Plans for succesful ransomware attacks and other sabotage
• System failures
• Natural disasters

Continuity planning should take into account alternate communication options for situations primary communication means aren't operational. There should also be alternative options for storage, power and network strategies.