
IT Service Continuity Plan – Why do you need it?

Most of the mid-size and large companies I work with have financial planning. That includes their monetary expenditures in the planning period (usually for the next 1-3 years), human resources, assets, projects, income … But, I rarely found that those same organizations planned the continuity of their IT services. Even worse, when I asked about it, I heard: “What? What do you mean, planning IT service continuity?” The exceptions were organizations who already had ISO 27001 / ISO 22301 / ISO 20000 in place.

The IT Service Continuity Plan is an important foundation for continuity activities. Let’s see the ITIL (i.e. ISO 20000) approach to this plan.

What is it, and where does it come from?

The IT Service Continuity Plan is a company’s formal plan for how to restore one or more IT services. By having such a plan, an ITSM organization prevents an ad-hoc approach or individual appraisal in case an emergency situation takes place and continuity of IT services needs to be ensured.

Both ITIL and ISO 20000 require companies to consider their business operations while establishing an IT Service Continuity Plan. That’s good, and pretty important. By integrating the IT Service Continuity Plan with business operations, you ensure that the plan exists because the business needs it. Otherwise, it would be a plan with a questionable purpose.



ITIL emphasizes the relationship between IT Service Continuity Management (which is, by the way, responsible for creating and maintaining the IT Service Continuity Plan) and Business Continuity Management. Theoretically, that’s excellent, but it looks a bit different in real life. Actually, most companies rarely document business continuity (except, of course, the ones that have ISO 22301 in place). That doesn’t mean that it doesn’t exist; rather, it’s in management’s head (they know what is important for the continuity of the company’s business operations). So, while setting up the IT Service Continuity Plan, IT Service Management (ITSM) will have to talk to the business side to get inputs.

ISO 20000 has quite a similar approach. It requires talking to the customers and interested parties, identifying and agreeing on service continuity requirements, and taking into consideration business plans.

Based on inputs from the business, IT Service Continuity Management will create the plan. In the scope of the activities that precede the creation of the plan, the following will be done:

  • Business Impact Analysis (BIA) – this is a set of activities that will help ITSM to understand the business services, their importance, and their dependencies. Read the article Business Impact Analysis in ITIL – Know what’s important to learn more about BIA.
  • Definition of minimum agreed service level – this is one of the most important activities of IT Service Continuity Management in order to create an efficient IT Service Continuity Plan. For example, ITSM will get input from the business that it is acceptable for the company that (in case of emergency) in the first 24 hours only 20% of employees have email service, in the next 24 hours another 20%, etc. The IT Service Continuity Plan will then define how to fulfill this requirement.

Figure: IT Service Continuity and Business Continuity are strongly related

The content

If you are implementing ISO 20000, it’s much easier to define the content of the IT Service Continuity Plan. Namely, ISO 20000-1 (set of requirements) defines (quite clearly) what the content of the plan should be:

  1. defined procedure(s) that will be implemented in case of the plan’s activation
  2. defined targets (related to the availability of the services) that need to be achieved
  3. definition of the recovery requirements
  4. definition of how to return to normal working conditions

ITIL is not that explicit in listing requirements, but it provides more details in order to develop and establish the IT Service Continuity Plan, as well as activities of the IT Service Continuity Management process. So, the following items are important to ensure the continuity of IT services, and therefore should be defined in the plan:

  • Organization – This defines the members of the IT Service Continuity Management Team and their responsibilities.
  • IT Service Continuity requirements – These are the results of the BIA, risk assessment, or inputs from the SLA and how to approach them; i.e., defined targets (e.g., minimum agreed service level, time within which agreed service level must be established, etc.) and how to achieve them.
  • Definition of how to activate/deactivate plan – This includes related roles and their responsibilities.
  • Recovery options – They will be different for each organization and include, e.g., alternative site or hot standby with two mirrored data centers. Read the article ITIL risk response measures and recovery options from catastrophic events to learn more.
  • Test – The plan needs to be tested for the ITSM organization to be confident that it works. Define timing, scope, responsibilities, etc.
  • Communication – Who communicates, what, when, to whom, etc.

And, one more thing – involve your suppliers: either include them in your plan or relate their plan to your own. If you use them for service delivery, you’ll need them in case of the plan’s activation.

Use of the plan

Once a disruptive event takes place (and the IT Service Continuity Plan gets activated) – that’s the moment of truth, i.e., an appraisal of the quality of work invested in the plan’s creation. Invocation of the plan needs to ensure that agreed service levels are achieved and that the (ITSM) organization can continue its activities.

When establishing a plan and performing (regular) tests of the plan, you will get inputs and ideas for what could be done better (on existing services) and initiate improvement initiatives. Additionally, while informing and educating members of the IT Service Continuity Management Team, they will get an understanding of how IT services and business operations are related (which is important for decisions on IT budgets, resources, investment in technology or people, etc.).

The approach towards, and content of, the plan vary from organization to organization. There are a lot of parameters that influence its content. It is important that the company doesn’t get surprised (i.e., that the plan exists) and that everyone involved knows what to do. And, don’t forget – practice makes perfect. The same is valid for your IT Service Continuity Plan.

Use this free IT Service Continuity Plan template to see what this plan looks like.

Author
Branimir Valentic
Branimir is an expert in IT service management (consultancy, training and tools), IT governance (training and consulting), project management and consultancy in IT and telecommunication. He holds the following certificates: ITIL Expert, ISO 20000, ISMS Lead Auditor and PRINCE2.