As a decision-maker in today's highly digital world, you're all too aware of the importance of cyber security. An important aspect of every information security program is preparing for adverse events with good continuity planning and backups. This is a topic required by the EU's NIS2 directive and extensively covered in the ISO 27001 standard.
We're here to provide guidance and to demystify this security topic. This article guides you in creating your NIS2-required procedures for business continuity and backups by taking advantage of ISO 27001's battle-tested best practices.
Brief introduction to business continuity and backups
What is continuity planning?
Continuity planning is the process of developing prevention and recovery systems to ensure key business operations remain uninterrupted or quickly resumed after adverse events. An efficient plan helps minimize the impact of potential scenarios such as power outages, cyber attacks, or natural disasters.
In information security, continuity also refers to maintaining information security at an appropriate level during disruptions or other adverse events.
What do backups mean?
Backups, in the business continuity scope, refer to the process of creating copies of your data, systems, and software, safely storing them away from the primary business location. The objective is to ensure that, in the event of any catastrophic events, data breaches, operational malfunctions, or system failures, your business is able to quickly bring its systems back online, significantly reducing downtime and the potential losses associated with such incidents.
Continuity planning vs. backups
In the NIS2 Directive, continuity planning and backups have been grouped together into the same section. This is logical, as both have a similar goal: efficient recovery from adverse events. However, in many other security frameworks these are seen as separate topics, as backups take a very data- and technology-focused view of continuity. Understanding the connection between the two is important, no matter how separately you implement them in your own operations.
Continuity planning 101
Business continuity planning in information security isn't just about having a backup plan in case of a system meltdown or cyberattack. It’s about proactively ensuring that your processes and systems are resilient and can bounce back quickly from any kind of disruption.
Understand the requirements for the continuity of your operations
The continuity of your operations is dependent on the availability of many different things: people, technology, partners, physical sites, data...
Continuity planning starts from understanding the continuity requirements for different parts of your data processing environment. Can you go 2 hours without a given data system? For some you surely can; for others it might be very damaging.
Prioritization of your assets and the other key items of your data processing environment should be done before diving into creating continuity plans, to ensure you're planning for the right things.
What are examples of adverse events you should prepare for?
You should be creating continuity plans for adverse events such as the following (any of which could endanger your continuity):
- External disasters: Biological / chemical / natural disasters, criminal activity / terrorist attacks, pandemics
- Internal technical disasters: Data leak / data breach, database failure, other cyber attacks
- Internal physical disasters: Fire in a facility with critical resources, key person out of reach for a long time
- Partner-related disasters: Key partner bankruptcy, other partner service outage, key data system prolonged outage, power outage on a key data center
What should be included in your continuity plans?
Continuity plans are the concrete level of continuity planning. Your continuity plans should include:
- Goals of the plan: Through BIA (business impact analysis) you can confirm the needed response and recovery times by identifying the effects of disruptions on related business functions and processes. Your organization should be prioritizing the most time-sensitive or critical business functions in continuity plans.
- Responsible people and partners: Who is responsible for the plan and who is needed to carry it out.
- Immediate response actions: Your plan must outline step-by-step which actions will be done immediately to reduce the impact of the adverse event and prevent most catastrophic damages.
- Recovery steps: Your plan must outline specific tactics for recovering critical systems, resources, and processes. These may call for arrangements like contracted third party service providers, alternate worksites or alternative ways of operation.
- Testing, exercises and training: Simulated disruption scenarios can test your company's preparedness and the effectiveness of the plan. This should be followed by relevant training of the workforce to make sure they’re well-equipped to respond when a disruption happens.
You're building a critical part of your company's resilience. Incorporating these elements will ensure your business can adeptly navigate and swiftly recover from a disruption.
Backups 101
In the digital world of information technology, backups are the equivalent of safety nets. They are copies of your valuable and sensitive data, stored securely in one or more separate locations, providing a reliable way to restore that data if it is lost or compromised. Note that a backup is only as good as its last successful restore test: an untested backup is a hope, not a safety net. Backups are absolutely critical to any business continuity plan, as they ensure that in the face of adverse events your business downtime is greatly minimized and operations can resume promptly without significant loss of information.
What are the key questions for each backup process?
To ensure your backup processes are proportionate, there are several pivotal aspects you should think about. Be sure you can answer the following questions:
- What data needs to be backed up? The answer largely depends on your specific business, but as a rule of thumb, any data needed to recover business operations should be included.
- Where will the backups be stored? A good practice is to store your backups in a separate location from your primary data. This could be in an off-site area, or possibly in a cloud-based storage system. Keep in mind, the chosen location should comply with relevant data residency requirements and promises you've given customers.
- How often should backups occur? The frequency of backups will be guided by how often the data changes and how much data loss you can tolerate (your recovery point objective, RPO). If no data can be lost, you will need to think about real-time database replication. Keep in mind that replication alone is not a backup: it faithfully copies deletions, corruption and ransomware encryption to the replica, so point-in-time copies are still needed. In other cases, e.g. weekly backups may be enough.
- How long should the backups be retained? Especially personal data shouldn't be retained without a proper reason. What is a realistic timeframe for needing the backups?
- Who is responsible for managing backups? Clear lines of accountability need to be set, defining who is responsible for setting up, overseeing and restoring backups when needed. This may be a dedicated team or an individual, depending on the size and complexity of your business.
- How will backups be tested? Regular testing of backups is crucial to ensure they can be successfully restored when needed. A plan must be in place outlining how and when these tests will take place.
Common challenges in implementing continuity planning and backups
Here are some issues you can work to avoid in relation to continuity planning and backups.
Lack of management involvement and support: You should do your best to build awareness of the benefits of continuity planning and encourage collaboration, so that important adverse events can be identified from all points of view.
Limited resources (time, budget, personnel) and teamwork: Once you understand the catastrophes that continuity planning tries to control, its relevance becomes clear. Decide separately on sufficient resources and on the people needed for the work, with top management support.
Perceived complexity of the IT infrastructure: A complex environment can make it feel hard to get on top of your backup processes, for example. But when you progress step by step, first documenting backup processes and then categorizing backup responsibilities for data systems, you'll make steady progress and soon the topic won't seem so complex anymore.
Inadequate testing and maintenance of continuity plans: A plan is of little use if it is executed for the first time in a real incident. All major security frameworks call for practicing continuity plans and backup restoration regularly, so that execution in a stressful real-life situation can succeed.
ISO 27001: Continuity planning best practices to implement
ISO 27001 addresses continuity in several controls, pertaining to aspects like the safeguarding of information during disruptive events, the readiness of the organization's ICT for continuity, and redundancy of information processing facilities.
There's also another ISO standard, ISO 22301, that is exclusively dedicated to the management of business continuity. This standard supports planning for, reacting to, and recovering from disruptive incidents by offering a more overarching framework for continuity planning. If you see this as a core aspect of your information security program, you might want to get familiar with this standard also.
5.29: Information security during disruption
This control emphasizes the need for creating continuity plans to ensure information security remains at an appropriate level even during disruptions, aiming to safeguard information and related assets in challenging circumstances.
These continuity plans should have clear owners and they should be tested, and regularly reviewed to sustain or restore information security in critical business processes post-disruption.
5.30: ICT readiness for business continuity
This control highlights ensuring that the organization's ICT readiness is high enough to match business continuity objectives and ICT continuity requirements. Basically this means that, e.g., data systems needed for critical operations need to be restorable in the same timeframe that is required of the main process.
The organization must identify what recovery times (recovery time objective, RTO) and recovery points (recovery point objective, RPO) different ICT services must be able to achieve, taking into account the defined recovery goals for the related processes, and ensure the ability to achieve them. In relation to the previous control, continuity plans especially related to ICT services should be created, approved and regularly tested.
8.6: Capacity management
Organizations need to monitor their ICT and other key resource usage. This helps them ensure they have enough information processing facilities, human resources, offices, and other facilities, considering the business criticality of the relevant systems and processes. It's beneficial to have early detection and alert systems, so problems can be spotted and projections for future capacity can align with e.g. business growth and technology trends.
8.14: Redundancy of information processing facilities
This control emphasizes the need for spare capacity for key information processing resources to meet availability needs and keep operations running. The organization should plan and set up procedures for using redundant components and facilities. Procedures should determine whether the redundant components are always active or are activated automatically or manually in emergencies. It's important that redundant components and facilities have the same level of security as the primary ones.
ISO 27001: Backup best practices to implement
ISO 27001 addresses backups mostly in a single control, 8.13. This control requires regularly maintained and tested backups, but also provides many important tips in its implementation guidance, e.g. related to understanding business requirements for backups, backup storage locations, appropriate protection for backups and encryption.
8.13: Information backup
The organization should ensure that backup copies of information, software and systems are regularly maintained and tested, according to an established policy on backups. This practice is essential for recovering data or systems in case of loss.
You should map out your current backup processes and ensure you have proportionate answers to the key questions: What data is backed up? Where are the backups stored? How often are the backups taken? How long should the backups be retained? Who is responsible?
Once you're happy with your backup process descriptions, the hard part is over. Then you just ensure the backups work, review their comprehensiveness and test restoration regularly, preferably with an automated check that compares the restored data against the original rather than relying on "the job finished without errors".
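As an added example (not code from the article or from ISO 27001), the following Python script shows what a minimal automated restore test behind the "How will backups be tested?" question and control 8.13 can look like: it backs a directory up into a tar.gz archive, records a SHA-256 manifest of every file, restores the archive into a scratch directory, and compares the restored files against the manifest. It also refuses archive members that would escape the restore directory, since an archive you restore from is untrusted input after a compromise. All file paths and sample data are constructed inline for the demonstration; a real job would point `create_backup` at your data and ship the archive off-site.

```python
"""Backup-and-restore verification: archive a directory, record a SHA-256
manifest, restore into a scratch directory and check every file matches.
Added example; sample data below is constructed, not from the article."""
from __future__ import annotations

import hashlib
import io
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Write source into a tar.gz and return the manifest taken at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest


def restore_backup(archive: Path, target: Path) -> None:
    """Extract only regular files/dirs whose resolved path stays inside target."""
    target = target.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        safe = []
        for m in tar.getmembers():
            if not (m.isfile() or m.isdir()):
                raise ValueError(f"refusing non-regular member: {m.name}")
            dest = (target / m.name).resolve()
            if dest != target and target not in dest.parents:
                raise ValueError(f"path traversal in archive: {m.name}")
            safe.append(m)
        tar.extractall(target, members=safe)


def verify_restore(manifest: dict[str, str], restored: Path) -> list[str]:
    """Return a list of problems; an empty list means the restore is complete."""
    actual = build_manifest(restored)
    problems = [f"missing: {rel}" if rel not in actual else f"corrupt: {rel}"
                for rel, digest in manifest.items()
                if rel not in actual or actual[rel] != digest]
    problems += [f"unexpected: {rel}" for rel in actual if rel not in manifest]
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed data: one clean restore, then the same restore after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp_path = Path(tmp)
        src = tmp_path / "data"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.sql").write_text("INSERT INTO customers VALUES (1, 'alice');\n")
        (src / "config.yaml").write_text("retention_days: 30\n")
        archive = tmp_path / "backup.tar.gz"
        manifest = create_backup(src, archive)
        restored = tmp_path / "restored"
        restored.mkdir()
        restore_backup(archive, restored)
        clean = verify_restore(manifest, restored)
        # Simulate silent corruption of the restored copy (bit rot, bad media, tampering)
        (restored / "db" / "customers.sql").write_text("INSERT INTO customers VALUES (1, 'mallory');\n")
        corrupt = verify_restore(manifest, restored)
        return clean, corrupt


def traversal_rejected() -> bool:
    """Constructed malicious archive with a '../' member; restore must refuse it."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp_path = Path(tmp)
        archive = tmp_path / "evil.tar.gz"
        with tarfile.open(archive, "w:gz") as tar:
            info = tarfile.TarInfo("../evil.txt")
            info.size = 0
            tar.addfile(info, io.BytesIO(b""))
        target = tmp_path / "restored"
        target.mkdir()
        try:
            restore_backup(archive, target)
        except ValueError:
            return not (tmp_path / "evil.txt").exists()
        return False


if __name__ == "__main__":
    print("clean restore problems:", demo()[0])
    print("tampered restore problems:", demo()[1])
    print("traversal rejected:", traversal_rejected())
```

The manifest is the key design choice: it is computed from the live data at backup time, so a later restore can be judged against what the data actually was, not against what the restore job claims. In production you would store the manifest (and the archive's own hash) separately from the archive, so a corrupted or maliciously rewritten backup cannot also rewrite its own evidence.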
8.24: Use of cryptography
This control covers the organization's rules for the use of cryptography in general, but establishing and enforcing clear rules for encrypting backups and managing the associated keys is an important part of a strong backup strategy. In particular, the keys needed to decrypt backups must themselves survive the adverse event: a backup whose only key copy was on the server that just burned down is not a backup.
5.23: Information security for use of cloud services
When utilizing cloud services, the organization needs to ensure a clear division of security-related responsibilities. Backing up data can often be the responsibility of the service provider, but things like the selected plan and hosting type can affect the backup details. Be aware that a provider's own backups typically exist to protect the provider's platform, and may not let you restore data that your own users deleted or that ransomware encrypted through a legitimate account. Make sure you're well aware of the comprehensiveness of the backups provided for important systems, and which restores you can actually request.
Conclusion
To comply with NIS2 in relation to business continuity and backups, you will need to have proportionate, clearly documented and implemented measures for these security topics. By aligning your actions with the battle-tested best practices of ISO 27001, you can be confident that you have implemented the topic appropriately and are improving your overall resilience and preparedness in the process.
Remember that continuity planning isn't just about ticking off a list. It's about creating a robust structure capable of withstanding adverse events and ensuring smooth operations. Things can go wrong; the key is to have a well-thought-out strategy to recover and continue. And while backup techniques do come in varying complexities, the primary consideration should be a reliable and secure system that ensures your important data remains accessible even during critical times.
So in essence, continuity planning and backups are measures for preventing and controlling the worst disasters that can affect your activities. From this point of view, you could well argue that they are one of the key areas of any resilient information security program.