Ensure DRP and BCP Compliance With Industry Standards

Cut through the noise to create an effective and compliant DRP and BCP.

  • IT leaders are often responsible for not just the organization’s IT disaster recovery plan (DRP) but also the business continuity plan (BCP) and other elements of overall resilience.
  • Adding to the challenge are industry regulations or internal mandates demanding that resilience plans are compliant with specific standards. It’s not enough to just have a plan that you think is good.
  • Standards such as NIST, HIPAA, and PCI outline requirements for a range of resilience plans – not just security response (which is covered in our security research) but also DRP, BCP, and crisis management.

Our Advice

Critical Insight

  • Start with a goal of developing concise, effective plans that will inherently meet most requirements of common standards.
  • If you instead follow the standards verbatim, you will have redundant, voluminous plans that will be difficult to maintain and too large to be effective in a crisis.
  • For example, NIST 800-34 specifies eight different plans required to support resilience and continuity. It does not specify what information might be common to all eight documents, which would reduce your effort significantly.

Impact and Result

  • Boil down the standards into core requirements.
  • Identify opportunities for one document to meet the requirements of multiple plans (e.g. a recovery playbook that can satisfy NIST’s requirement for a DRP and an information systems contingency plan).
  • Leverage a concise checklist of tasks to complete to meet requirements and demonstrate compliance.

Ensure DRP and BCP Compliance With Industry Standards Research & Tools

1. Ensure DRP and BCP Compliance With Industry Standards – A step-by-step guide to identify core requirements.

Cut through the noise to identify core requirements, using NIST 800-34, HIPAA, and PCI DSS as examples.

2. BCM Program Compliance Checklists – Prepopulated with checklists to follow to comply with NIST 800-34, HIPAA, and PCI DSS.

Modify the prepopulated checklists to meet your specific requirements. For standards not already covered in this tool, use one of the existing checklists as a starting point, as many requirements are common to multiple standards.

3. Info-Tech Resources Mapping Guides – Compliance requirements mapped to the research, tools, or templates needed to meet the standard.

Use the cross-referencing between compliance standards and Info-Tech research, tools, and templates to demonstrate compliance to auditors.


Ensure DRP and BCP Compliance With Industry Standards

Cut through the noise to create an effective and compliant DRP and BCP as part of your overall business continuity management program.

Analyst Perspective

Treat standards as a checklist, not an instruction manual

Don't let the verbose nature of standards documentation such as NIST, HIPAA, PCI, and others overcomplicate your mandate to ensure your business continuity management (BCM) program, including disaster recovery planning, business continuity planning, and crisis management, is compliant.

Standards documents are intended to be comprehensive, not concise, and that often leads to requirements that seem more daunting. Adding to the potential complexity is the challenge of interpreting the specific language of each standard.

For example, NIST requires that you have a disaster recovery plan for site-wide events and a contingency plan for individual critical system outages, but it does not make it clear that much of the same documentation will meet both requirements.

If you are obligated to comply with multiple standards, understanding your requirements becomes that much more challenging.

This deck and the associated guides cut through the noise to provide a roadmap of the specific tasks you need to complete to create concise, effective, and compliant plans, using the standards NIST, HIPAA, and PCI DSS as examples. This approach can be applied to other international or country-specific standards such as ISO 22301 and PIPEDA (the Canadian equivalent to HIPAA).

Frank Trovato
Research Director, Infrastructure & Operations
Info-Tech Research Group

STOP: This deck is focused on BCM compliance. For guidance on security compliance, see the resources below.

For security compliance assistance, use the blueprint Build a Security Compliance Program; it includes a Security Compliance Management Tool that provides a single framework to align and track multiple compliance obligations.
To reduce the complexity of ensuring disaster recovery plan (DRP) and business continuity plan (BCP) compliance, continue with the guidance and resources referenced in this deck.

Executive Summary

Common Obstacles

  • Terminology can vary between standards, making it difficult to understand exactly what's required.
  • Standards can take a siloed approach, specifying requirements for individual plans but not showing you how to pull it all together.

Info-Tech's Approach

  • Boil down the standards into core requirements.
  • Identify opportunities for one document to meet the requirements of multiple plans (e.g. a recovery playbook that can satisfy NIST's requirement for a DRP and an information systems contingency plan).
  • Summarize the tasks into a concise checklist, supported by mapping documents that will demonstrate how your plans meet the specific requirements of a particular standard.

Info-Tech Insight

Start with a goal of developing concise, effective plans that will inherently meet most requirements of common standards. This deck will help you close any gaps. If you instead follow the standards verbatim, you will have redundant, voluminous plans that will be difficult to maintain and too large to be effective in a crisis.

Additional resources included in this research

NIST 800-34 ISCP Mapped to Info-Tech Resources

Use this guide to support your audit review and as a reference for the BCM Program Compliance Checklists tool.

HIPAA Requirements for BCM Mapped to Info-Tech Resources

Use this guide to support your audit review and as a reference for the BCM Program Compliance Checklists tool.

PCI DSS Requirements for BCM Mapped to Info-Tech Resources

Use this guide to support your audit review and as a reference for the BCM Program Compliance Checklists tool.

Need Extra Help?
Speak With An Analyst

Get the help you need in this 1-phase advisory process. You'll receive 3 touchpoints with our researchers, all included in your membership.

  • Call 1: Review your compliance requirements.
  • Call 2: Modify the prepopulated checklists to suit your requirements.
  • Call 3: Initiate appropriate projects (e.g. document your DRP) required to complete your checklist.

Author

Frank Trovato