This fact sheet replaces the Whole-of-government business continuity management and disaster recovery implementation guideline.
Every agency is responsible for creating, validating and maintaining ICT Disaster Recovery (ICT DR) and Business Continuity Plans (BCP) including mitigation of ICT related disruptions.
In the event of a disaster, agencies must be able to function effectively and ICT is a substantial component of this.
For business continuity and ICT disaster recovery to be relevant to the organisation, sustainable and achievable, practitioners need to approach the planning process in the context of providing certainty over the delivery of business outcomes (services).
To achieve this, departments must establish a process for identifying all deliverables for which they are responsible, prioritising those outcomes and identifying the key dependencies along with vulnerabilities that might expose the organisation to failure.
This factsheet provides high level advice as to how this can be achieved from the perspective of ICT dependent delivery. It is critical to emphasise that ICT alone will not ensure the ongoing resilience of the organisation and that ICT DR planning must be conducted in the context of the agency’s all hazards approach to continuity planning.
The development of robust and effective business continuity and ICT Disaster recovery arrangements are articulated as accountable officer obligations:
- Financial Accountability Act 2009 (section 61 risk management provisions)
- Financial and Performance Management Standard 2009 (section 28 risk management provisions)
- Queensland Government Information Standard18 – Information Security (IS18) (principle 9)
- Queensland government information security policy – mandatory clauses (section 9).
Current policies and guidelines
Principle 9 of IS18 states:
‘a managed process including documented plans must be in place to enable information and ICT assets to be restored or recovered in the event of a disaster or major security failure’.
This outcome is delivered through adherence to the IS18 mandatory clauses listed below:
9.1.1 – Methods must be developed to reduce known risks to information and ICT assets including undertaking a business impact analysis.
9.1.2 - Business continuity plans must be maintained and tested to ensure information and ICT assets are available and consistent with agency business and service level requirements.
9.2.2 - Plans and processes must be established to assess the risk and impact of the loss of information and ICT assets in the event of a security failure or disaster to enable information and ICT assets to be restored or recovered.
9.2.4 - ICT disaster recovery plans must be maintained and tested to ensure information and ICT assets are available and consistent with agency business and service level requirements.
To assist agencies with ICT DR and BCP with regards to third parties, GITC Module 10 clause 16 covers important contract considerations for the security and recovery of infrastructure and data services handled by third parties.
Understanding the business
The development of a detailed business impact analysis (BIA) will help the agency to identify the critical outputs of the agency and the vulnerabilities that threaten the ongoing delivery of those outcomes. In doing this, the BIA will support decisions around investments in making services more resilient. Decisions relevant to service maintenance during periods of disruption and prioritisation of restoration activities following on from a critical service failure, will also be supported by the intelligence contained within the BIA.
A BIA will identify:
- Critical and non-priority services across the agency through a standardised methodology.
- The risk associated with service failure.
- Service priorities, evaluating impact over time.
- Common resources and infrastructure dependencies shared across multiple areas/services (including ICT, people, buildings and utilities).
- Common vendor dependencies.
- Agency exposure to potential failure of individual vendors.
- Opportunities to ensure the agency can manage the business continuity arrangements from a supply chain perspective.
- Gaps between corporate enabling services and business area (client) requirements and expectations.
During the development of agency business continuity and ICT DR arrangements the BIA will identify points of reliance (dependencies) that may undermine the delivery of outcomes across the agency.
This information will help to identify strategies to deliver appropriate levels of resilience across the agency. These decisions will include justification for decisions to increase levels of redundant infrastructure or to accept the risk and employ alternate recovery strategies that are proportionate to the value of the data and processes supported by the dependencies.
The BIA supports effective management of 3rd party (outsourced) dependencies through the establishment of specifications that outline meaningful metrics and expectations. For Infrastructure as a Service and Software as a Service the GITC Module 10 clause 16. For other procured services and resources, advice on appropriate contract clauses should be sought from agency procurement units.
Some of the key definitions you may consider listed in the QGEA glossary.
For assistance in writing business continuity plans and disaster recovery plans the below links will provide guidance:
Business Continuity Institute
Australian National Audit Office
ISO22301:2012 Societal security – business continuity management systems (paid service)