|
Description
Ensures that Suppliers Solutions are supported by robust business continuity plans and disaster recovery measures. |
Business Continuity and Disaster Recovery is a mandatory technical Standard. This Standard is in place to ensure that services can be maintained in the event of disruptions to normal business. Suppliers will need to ensure that they have taken appropriate steps to remove, reduce, or mitigate the likelihood of events detrimentally impacting the levels of services that are provided.
The Authority's Business Continuity and Disaster Recovery Standards have been developed to help Suppliers understand the minimum expectations that the Authority have for the maturity, scope and context of an organisation’s Business Continuity Management System (BCMS).
The BCMS is a management process that establishes, implements, operates, monitors, reviews, maintains and improves the organisation’s business continuity and should include organisational structure, policies and planning activities, responsibilities, procedures, processes and resources within its framework. This can be demonstrated by providing current ISO certifications or satisfactory audit reports.
Following receipt of the draft Business Continuity and Disaster Recovery (BCDR) Plan (see requirement BC-DR-18) from the Supplier, the Authority shall:
Review and comment on the draft BCDR Plan as soon as reasonably practicable
Notify the Supplier in writing that it approves or rejects their draft BCDR Plan no later than twenty (20) Working Days after the date on which the draft BCDR Plan is first delivered to the Authority
Requirements
Applicable Framework(s) | Requirement ID | Requirement Text | Level |
|---|---|---|---|
All | BC-DR-1 | Business Continuity Management System (BCMS) - methodology The Supplier’s organisation and the services provided will be underpinned by a robust Business Continuity Management System (BCMS). The Supplier must meet or exceed its recovery time objective, be fully accountable and responsible for its BCMS operational business continuity and IT Service continuity management plans and supporting procedures for all services delivered to its Service Recipients. | |
All | BC-DR-2 | BCMS - Information Security aspects of Business Continuity Management A valid ISO 27001 Certificate is required from a UKAS registered accreditation organisation, or IAF registered accreditation organisation in exceptional circumstances. | |
All | BC-DR-3 | BCMS - Maintenance Adequate staffing, facilities and technology resource will be deployed to establish, maintain and improve the organisation’s BCMS. This will need to be detailed as part of the BCMS submission. | |
All | BC-DR-5 | BCMS - Leadership Leadership at top management level and in other relevant management roles will be identified to enable the necessary governance, escalation and direction for the BCMS. | |
All | BC-DR-6 | BCMS - Protection The BCMS will be able to protect against, reduce the likelihood of occurrence, prepare for, respond to and recover from the full range of incidents, up to and including a potential or actual crisis. See the Business Continuity Institute for the Good Practice Guidelines. | |
All | BC-DR-8 | Infrastructure & Service-based Threat Assessments Infrastructure and service-based threat assessments will be undertaken on a regular basis to proactively identify risks to delivery of services within or across organisation and service location boundaries. | |
All | BC-DR-10 | Business Continuity (BC) Plans - Identify interdependencies between stakeholders Interdependencies between stakeholders, including outside organisations and third parties, will be identified within the BC plan and have appropriate plans in place to cover disruption to the supply chain. | |
All | BC-DR-11 | Business Continuity (BC) Plans - Supply chain continuity There will be processes in place to manage and assure supply chain continuity. | |
All | BC-DR-12 | Business Continuity (BC) Plans - Principles The principles of business continuity will be embedded within the organisation through training, exercising and raising staff awareness. See the Business Continuity Institute for the Good Practice Guidelines | |
All | BC-DR-13 | Business Continuity (BC) Plans - Impact analysis Organisation-wide business impact analysis will be undertaken and maintained to ensure that in the event of disruption, there are defined recovery time and recovery point objectives in place for all activities, including any internal business operations that could impact the continued delivery of services. | |
All | BC-DR-16 | Test and Exercise Programme - Business Continuity Test The Supplier will undertake a Business Continuity test at least annually in order to validate the effectiveness of its business continuity strategies. The Authority may wish to witness the test. | |
All | BC-DR-16A | Test and Exercise Programme - IT Service Continuity The Supplier will undertake Disaster Recovery testing of the system at least annually. The testing must demonstrate that, in the event of an incident impacting availability, the system can be maintained and recovered within the Recovery Time Objective and that data can be restored within the Recovery Point Objective in the event of an incident. The Authority may wish to witness the test. If requested, the Supplier must comply and provide full access and visibility of the execution of the test, including access to documentation and the execution of procedures throughout the whole test and the resolution of any issues that occur during the Testing window. | |
All | BC-DR-18 | BCM & IT Service Continuity Management Coverage The Supplier shall provide a copy of their BCDR Plan to the Authority. The BCDR plan can be developed as separate or combined BCM and IT Service Continuity Management (ITSCM) plans. Throughout the Standard, the references to the BCDR Plan applies whether BCM and ITSCM are separate plans or programmes or are a single, combined set of plans or programmes. However, the Supplier will make a clear statement as to how their BCDR Plan covers both their organisational Business Continuity and IT Service Continuity for the system they are providing. The documentation of the BCDR Plan shall:
| |
All | BC-DR-19 | BCM & IT Service Continuity Management (ITSCM) Coverage The BCDR plan must contain identification of potential disaster scenarios, the technical design and specification of the system, backup methodology including details of the data backup and data verification strategy, details of all relevant data networks and communication links, invocation process, service recovery procedures, and steps to be taken upon resumption of the services to address any prevailing effect of the failure or disruption to services. | |
All | BC-DR-20 | BCM & IT Service Continuity Management (ITSCM) Coverage The BCDR plan must set out the method(s) of recovering or updating data collected, or which ought to have been collected, during a failure or disruption to ensure that there is no more than the accepted amount of data loss and to preserve data integrity. | |
All | BC-DR-21 | BCM & IT Service Continuity Management (ITSCM) Coverage The BCDR plan must detail how the Supplier ensures compliance with security Standards ensuring that compliance is maintained for any period during which the BCDR plan is invoked. | |
All | BC-DR-22 | Liaison The Supplier must liaise with the Authority and at the Authority's request with any Related Service Provider with respect to issues concerning business continuity and disaster recovery where applicable. | |
All | BC-DR-23 | Plan review The Supplier shall review the BCDR plan and the risk analysis on which it is based on a regular basis and as a minimum once every 12 months or upon invocation of the plan or major changes. Upon update, the BCDR Plan shall be re-issued to the Authority. The Authority may wish to provide feedback to the Supplier. | |
All | BC-DR-24 | Data Centre inspection - colocation and provider own facilities The Supplier will, at the request of the Authority, facilitate an inspection of the data centre(s) hosting the services to validate that the hosting arrangements described in the BCDR plans are consistent with the configuration and capability of the data centre(s). Repeat inspections will be determined based on the outcome of the initial inspection. |
Capabilities
All Suppliers Solutions delivering any Capabilities will need to meet this Standard. |
Roadmap
Suppliers will not be assessed or assured on these Roadmap Items as part of Onboarding |