Ensure DRP and BCP Compliance With Industry Standards
Cut through the noise to create an effective and compliant DRP and BCP.
- IT leaders are often responsible for not just the organization’s IT disaster recovery plan (DRP) but also the business continuity plan (BCP) and other elements of overall resilience.
- Adding to the challenge are industry regulations or internal mandates demanding that resilience plans are compliant with specific standards. It’s not enough to just have a plan that you think is good.
- Standards such as NIST, HIPAA, and PCI outline requirements for a range of resilience plans – not just security response (which is covered in our security research) but also DRP, BCP, and crisis management.
Our Advice
Critical Insight
- Start with a goal of developing concise, effective plans that will inherently meet most requirements of common standards.
- If you instead follow the standards verbatim, you will have redundant, voluminous plans that will be difficult to maintain and too large to be effective in a crisis.
- For example, NIST 800-34 specifies eight different plans required to support resilience and continuity. It does not specify what information might be common to all eight documents, which would reduce your effort significantly.
Impact and Result
- Boil down the standards into core requirements.
- Identify opportunities for one document to meet the requirements of multiple plans (e.g. a recovery playbook that can satisfy NIST’s requirement for a DRP and an information systems contingency plan).
- Leverage a concise checklist of tasks to complete to meet requirements and demonstrate compliance.
Ensure DRP and BCP Compliance With Industry Standards
Cut through the noise to create an effective and compliant DRP and BCP as part of your overall business continuity management program.
Analyst Perspective
Treat standards as a checklist, not an instruction manual
Don't let the verbose nature of standards documentation such as NIST, HIPAA, PCI, and others overcomplicate your mandate to ensure your business continuity management (BCM) program, including disaster recovery planning, business continuity planning, and crisis management, is compliant.
Standards documents are intended to be comprehensive, not concise, and that often leads to requirements that seem more daunting. Adding to the potential complexity is the challenge of interpreting the specific language of each standard.
For example, NIST requires that you have a disaster recovery plan for site-wide events and a contingency plan for individual critical system outages, but it does not make it clear that much of the same documentation will meet both requirements.
If you are obligated to comply with multiple standards, understanding your requirements becomes that much more challenging.
This deck and the associated guides cut through the noise to provide a roadmap of the specific tasks you need to complete to create concise, effective, and compliant plans, using the standards NIST, HIPAA, and PCI DSS as examples. This approach can be applied to other international or country-specific standards such as ISO 22301 and PIPEDA (the Canadian equivalent to HIPAA).
Frank Trovato
Research Director, Infrastructure & Operations
Info-Tech Research Group
STOP: This deck is focused on BCM compliance. For guidance on security compliance, see the resources below.
For security compliance assistance, use the blueprint Build a Security Compliance Program; it includes a Security Compliance Management Tool (screenshots to the right) that provides a single framework to align and track multiple compliance obligations.
To reduce the complexity of ensuring disaster recovery plan (DRP) and business continuity plan (BCP) compliance, continue with the guidance and resources referenced in this deck.
Security Compliance Management Tool
Executive Summary
Your Challenge
- IT leaders are often responsible for not just the organization's IT DRP but also the BCP and other elements of overall resilience.
- Adding to the challenge are industry regulations or internal mandates demanding that resilience plans are compliant with specific standards. It's not enough to just have a plan that you think is good.
- Standards such as NIST, HIPAA, and PCI outline requirements for a range of resilience plans – not just security response (which is covered in our security research) but also DRP, BCP, and crisis management.
Common Obstacles
- Terminology can vary between standards, making it difficult to understand exactly what's required.
- Standards can take a siloed approach, specifying requirements for individual plans but not showing you how to pull it all together.
- For example, NIST 800-34 specifies eight different plans required to support resilience and continuity. It does not specify what information might be common to all eight documents, which would reduce your effort significantly.
Info-Tech's Approach
- Boil down the standards into core requirements.
- Identify opportunities for one document to meet the requirements of multiple plans (e.g. a recovery playbook that can satisfy NIST's requirement for a DRP and an information systems contingency plan).
- Summarize the tasks into a concise checklist, supported by mapping documents that will demonstrate how your plans meet the specific requirements of a particular standard.
Info-Tech Insight
Start with a goal of developing concise, effective plans that will inherently meet most requirements of common standards. This deck will help you close any gaps. If you instead follow the standards verbatim, you will have redundant, voluminous plans that will be difficult to maintain and too large to be effective in a crisis.
Additional resources included in this research
NIST 800-34 ISCP Mapped to Info-Tech Resources
Use this guide to support your audit review and as a reference for the BCM Program Compliance Checklists tool
HIPAA Requirements for BCM Mapped to Info-Tech Resources
Use this guide to support your audit review and as a reference for the BCM Program Compliance Checklists tool
PCI DSS Requirements for BCM Mapped to Info-Tech Resources
Use this guide to support your audit review and as a reference for the BCM Program Compliance Checklists tool
About Info-Tech
Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.
We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.
What Is a Blueprint?
A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.
Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.
Need Extra Help?
Speak With An Analyst
Get the help you need in this 1-phase advisory process. You'll receive 3 touchpoints with our researchers, all included in your membership.
- Call 1: Review your compliance requirements.
- Call 2: Modify the prepopulated checklists to suit your requirements.
- Call 3: Initiate appropriate projects (e.g. document your DRP) required to complete your checklist.
Create a Right-Sized Disaster Recovery Plan
Develop a Business Continuity Plan
Mitigate the Risk of Cloud Downtime and Data Loss
Ensure DRP and BCP Compliance With Industry Standards
Select the Optimal Disaster Recovery Deployment Model
Take a Realistic Approach to Disaster Recovery Testing
Implement Crisis Management Best Practices
Create Visual SOP Documents that Drive Process Optimization, Not Just Peace of Mind
Document and Maintain Your Disaster Recovery Plan
First 30 Days Pandemic Response Plan
10 Secrets for Successful Disaster Recovery in the Cloud
Develop a COVID-19 Pandemic Response Plan
Reinforce End-User Security Awareness During Your COVID-19 Response
Execute an Emergency Remote Work Plan
Prepare Your Organization to Successfully Embrace the “New Normal”
Responsibly Resume IT Operations in the Office
Tech Trend Update: If Contact Tracing Then Distributed Trust
Microsoft Teams Cookbook
Business Continuity Management Software Selection Guide
Maintain Continuity in a Power Outage