The COVID pandemic has shown just how difficult it is to plan a recovery from the unthinkable. A recovery plan for ransomware attacks or natural disasters may prepare an organization in some regard, but if it does not have a pandemic plan in place, there are bound to be blind spots.
The well-established global standards set by the International Organization for Standardization (ISO) cover topics including operational quality, cybersecurity and business continuance and offer a great starting point for building sound plans and more comprehensive operations. Quality management and disaster recovery standards are useful as the effects of the pandemic continue to unfold, and they will likely be helpful when operations resume on-site.
The ISO 9000 family of standards covers quality management. Organizations can use these standards to ensure that they meet the right compliance and regulatory requirements for customers and/or stakeholders. The current COVID-19 pandemic is unprecedented, but standards such as ISO 9001 can provide some guidance for where to start with business continuity and disaster recovery (BCDR) planning.
Is it time for a BCDR overhaul?
With the COVID-19 pandemic, "the very definition of business continuity has been challenged significantly," said Thomas Johnson, CISO at ServerCentral Turing Group, a colocation, cloud and DR services provider. Static work environments have become dynamic overnight, and people are accessing more new services from more locations than ever before, he said.
BCDR traditionally involves quarterly or annual testing of a plan to ensure it is up to date, but that may no longer be enough. As organizations adapt their BCDR plan to new circumstances, more frequent testing is required to make sure that all bases are covered. In the current pandemic, an organization's on-site and remote strategies may be changing every couple of weeks, adapting to new regulations and guidelines. Testing a DR plan from even as recently as February 2020 won't cut it anymore.
Johnson believes the time is right to completely rethink BCDR, perhaps within the structure of continuous integration and continuous deployment.
"There is no better time to start than now -- when everything is already sideways and ripe for innovation," he said.
Using ISO 9001 for DR planning
ISO 9001 deals with process documentation standards and is critical because it supports consistency and repeatability.
"'You can't manage what you can't measure' is an old adage," Johnson said. With DR, you can't execute what you don't have planned. "If the process doesn't exist and it isn't defined in often painstaking detail, the opportunity for inconsistency is high," he said.
"We do think ISO can actually be very supportive of what we do -- ISO 9001 in particular," said Chris Yetman, COO at Vantage Data Centers. As an example, Yetman said neither he nor his organization ever expected to have to deal with a pandemic. When the COVID-19 pandemic struck earlier this year, Yetman said he and his team opened their 9001 documentation to see if there was anything useful.
"It was neat; we actually had a couple of pages on a pandemic situation already baked in," he said. "I can't say it was that extensive, only a couple of pages, but it gave us a good place to start immediately."
With that as a starting point, Yetman said he and his team went through their existing planning checklist and noted what they needed to add and update.
"What started as two pages will be a chapter when we are done, and if this ever happens again or if we have a resurgence, we will be in a much better place to respond," he said.
"ISO 9001 invites us to see an organization as a set of processes that help us think about what could go wrong, what could hinder results and what can help us avoid negative outcomes," said Carlos Pereira da Cruz, an independent ISO consultant who works with training organization Advisera. He said the key is that ISO disaster recovery standards encourage organizations to examine how they handle people, equipment and processes. This can lead to a systematic plan for dealing with many different situations.
Global DR standards aid effective planning
According to Mark Acton, a data center consultant based in the U.K., one of the key challenges globally for IT in general -- and for DR in particular -- has been the historical variation in standards internationally.
"One thing ISO does is bring us all much closer toward a true set of universal standards, and I think that offers greater cohesion and a framework that can be applied consistently," he said.
Acton said a strength of ISO is that all of its different standards tend to dovetail. "For example, the quality management standard works well with the standards for energy management and efficiency and even cybersecurity," he said.
Acton said, for larger organizations in particular, having a single set of business continuity and disaster recovery standards available in most local languages avoids potential confusion and makes it more likely that they will work anywhere.
"In Europe, when we try to apply U.S. standards, we often run into problems because they reference things like the National Fire Protection Association codes that simply don't work here," he said.
Other standards often seen in the BCDR world include those created by the British Standards Institution (BSI). BSI is based in the U.K. but operates globally. Its many standards cover areas including BC, IT resilience, risk management and quality requirements.
ISO standards are just a starting point
Focusing further on DR challenges, Stephen Manley, chief technologist at Druva, cited ISO 22301:2019, Security and resilience -- Business continuity management systems -- Requirements. That standard, Manley noted, begins as it should, by including leadership commitment to BCDR, "since a BCDR plan can only succeed with the broad support and investment of the leaders across the organization -- people, process and technology."
ISO 22301:2019 requires documentation of the planning process, the recovery operation and the results of the BCDR plan.
"With the shift to remote work, businesses need to reevaluate what people, processes and technology may have become newly business-critical," Manley said. Then, BCDR standards require exercising and measuring, and the results should be evaluated. "During times of change, it is even more important to meet those guidelines," he added.
Echoing that point, Rahul Pawar, VP of product management at Commvault, said that ISO and similar standards can provide valuable guidance on how to build a quality management system that ensures DR and other IT processes are repeatable, defensible and cost-effective. "Their adoption should be at or near the top of every data center operator's to-do list if they have not been adopted already."
Standards are just a starting point on the road to quality management success, Pawar said.
"These standards will not build a quality management system for data center operators or account for every problem they might encounter during a disaster," he said. Nor can the standards ensure that operators are following the latest DR best practices.
"They can help data center operators chart a path to developing and implementing the robust IT processes needed to avoid data loss during a disaster like COVID," Pawar said. "But data center operators still need to walk this path themselves."