{"id":4623,"date":"2013-09-24T00:42:20","date_gmt":"2013-09-24T00:42:20","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/20000academy\/blog\/2013\/09\/24\/service-continuity-management-waiting-big-one\/"},"modified":"2025-05-27T16:35:21","modified_gmt":"2025-05-27T16:35:21","slug":"service-continuity-management-waiting-big-one","status":"publish","type":"post","link":"https:\/\/staging.advisera.com\/20000academy\/blog\/2013\/09\/24\/service-continuity-management-waiting-big-one\/","title":{"rendered":"IT Service Continuity Management \u2013 waiting for the big one"},"content":{"rendered":"<p>Rarely do I find <a href=\"https:\/\/staging.advisera.com\/20000academy\/what-is-itil\/\" target=\"_blank\" rel=\"noopener noreferrer\">ITIL<\/a> to be identified with service continuity. Considering the extent of ITIL \u2013 it&#8217;s understandable. As the name implies, something shouldn\u2019t be stopped or broken in continuity, as most likely it has consequences. What are they, to what extent, and why?<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">It&#8217;s difficult to avoid IT Service Continuity<\/h2>\n<p>Consider processes inside your company&#8230;or services that you use or your company provides. Is it possible that they exist without information technology? Probably not. This means if (supporting) IT services fail, the same will happen with business processes and respective services. Therefore, continuity of business services is highly dependent upon continuity of IT services. There is some logic behind it, isn\u2019t there?<br \/>\nThis points to two things:<\/p>\n<ol>\n<li>Continuity of IT services cannot be neglected \u2013 whenever I talk to admins, they never have any doubts with backup. 
To the contrary, they always have some kind of solution and they don\u2019t see it as an open issue. This means they already took some steps with regards to IT service continuity \u2013 quite important ones, I would say.<\/li>\n<li>IT service continuity is coupled with business continuity \u2013 according to ITIL, the purpose of the IT Service Continuity Management (ITSCM) process is to support overall Business Continuity Management (BCM). In the real world, I have found quite often that ITSCM (fully or to some extent) is already a \u201cteenager,\u201d while BCM is still in the \u201cembryo\u201d phase.<\/li>\n<\/ol>\n<p>ITIL supports the importance of (IT) service continuity and therefore dedicates one of its processes inside\u00a0<a href=\"https:\/\/staging.advisera.com\/20000academy\/blog\/2013\/06\/25\/service-design-itil\/\" target=\"_blank\" rel=\"noopener noreferrer\">Service Design phase<\/a>\u00a0of the service lifecycle \u2013 IT Service Continuity Management.<\/p>\n<p style=\"text-align: center;\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-10570\" src=\"https:\/\/staging.advisera.com\/wp-content\/uploads\/\/sites\/6\/2015\/07\/ITSCM_and_BCM_are_running_together1.png\" alt=\"ITSCM_and_BCM_are_running_together\" width=\"526\" height=\"283\" \/><em>Figure: ITSCM and BCM are running together<\/em><\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">What is ITSCM all about?<\/h2>\n<p>In essence, it\u2019s about risk and recovery. It sounds complicated \u2013 but it\u2019s not.<\/p>\n<p>Risk means that there are certain threats to which IT services are exposed whose impact needs to be reduced to an (agreed) acceptable level (although, what I see is that <a href=\"https:\/\/staging.advisera.com\/20000academy\/iso-20000-documentation-toolkit\/?rel=relationship-and-agreement-processes&#038;doc=service-level-agreement-sla-\" target=\"_blank\" rel=\"noopener\">SLAs<\/a> rarely have IT service continuity parameters inside them). 
A distinction has to be made here between risks that are significant and have a major impact on the business, and risks that are minor technical faults and should be handled by the\u00a0<a href=\"https:\/\/staging.advisera.com\/20000academy\/blog\/2013\/05\/21\/incident-management-itil-solid-foundations-operational-processes\/\" target=\"_blank\" rel=\"noopener noreferrer\">Incident Management<\/a>\u00a0process.<\/p>\n<p>Recovery means that <a href=\"https:\/\/staging.advisera.com\/20000academy\/\" target=\"_blank\" rel=\"noopener noreferrer\">plans<\/a> and preparation for recovery have to be available. A common situation is that a backup of critical data exists and could be restored if needed. In more complex environments, or I would say where business processes are heavily dependent on IT services (e.g. banks), this means that there is a secondary location in place with an alternative data center, and all data are mirrored and available immediately upon IT service continuity plan invocation.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Where does it come from?<\/h2>\n<p>A critical step in ITSCM is defining requirements. This should ensure that business requirements are understood and that the impact of loss of IT services on the business is clear and quantified. 
Quantified means that financial loss can be calculated, or some other form of intangible consequence can be defined, like loss of competitive advantage or a damaged image.<\/p>\n<p><a href=\"https:\/\/staging.advisera.com\/20000academy\/iso-20000-documentation-toolkit\/?rel=service-assurance-processes&amp;doc=business-impact-analysis-and-recovery\" target=\"_blank\" rel=\"noopener\">Business Impact Analysis (BIA)<\/a> and <a href=\"https:\/\/staging.advisera.com\/20000academy\/documentation\/risk-assessment-and-treatment\/\" target=\"_blank\" rel=\"noopener noreferrer\">Risk Assessment<\/a> are used to define requirements.<\/p>\n<p><a href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2010\/06\/10\/five-tips-for-successful-business-impact-analysis\/\" target=\"_blank\" rel=\"noopener noreferrer\">BIA<\/a>\u00a0\u2013 BIA quantifies the impact on the business that the loss of IT service would have. It may not be done in an orderly, documented way, but I see that most IT service providers do some kind of BIA. Besides (tangible and intangible) loss, BIA identifies the staff and their <a href=\"https:\/\/staging.advisera.com\/20000academy\/iso-20000-documentation-toolkit\/?rel=sms-related-documents&amp;doc=training-and-awareness-plan\" target=\"_blank\" rel=\"noopener\">skills<\/a> that are needed to enable critical business processes to run at an acceptable (usually degraded) level, the time by which the minimum level of service, as well as all services, should be recovered, and the priority for the recovery of the services. Sometimes it is not possible or necessary to recover the complete service. For example, for a web-trading company it is essential that the web-shop is available and functional as soon as possible, but invoicing can be established at some later moment (of course, not too late, but it is feasible that invoices are sent in the next day or two). 
Therefore, BIA defines services and their recovery options, as well as the full recovery timescale.<\/p>\n<p><a href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/iso-27001-risk-assessment-treatment-6-basic-steps\/\" target=\"_blank\" rel=\"noopener noreferrer\">Risk Assessment<\/a>\u00a0\u2013 assessment of the level of threat and the extent to which an organization is vulnerable to that threat. There are many risk management and assessment techniques. In general, risk assessment results in defined responses to certain risks, and risk reduction measures that should reduce risk to an acceptable level or mitigate the risk. In practice \u2013 you know that a network (as a service, but also as a group of components) is vulnerable to physical threats (e.g. fire, earthquake, flood, power failure), but also to technology failure, denial-of-service attacks, etc. For those threats, risk reduction or mitigation measures should be defined (e.g. power failure can be mitigated by implementing an uninterruptible power system \u2013 UPS).<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">What to do with IT Service Continuity?<\/h2>\n<p>After requirements are defined, an ITSCM plan should be developed and implemented. This is an ongoing process and should be integrated with business continuity plans.<\/p>\n<p>When you have a <a href=\"https:\/\/staging.advisera.com\/20000academy\/iso-20000-documentation-toolkit\/?rel=service-assurance-processes&amp;doc=it-service-continuity-management-plan\" target=\"_blank\" rel=\"noopener\">plan<\/a> and ongoing operational services, it is important that you <a href=\"https:\/\/staging.advisera.com\/20000academy\/documentation\/it-service-continuity-plan-test-and-review-report\/\" target=\"_blank\" rel=\"noopener noreferrer\">test the plan<\/a> and that you know exactly what to do in case the IT service continuity plan is invoked. Once I had a situation where recovery procedures were defined, but never tested. 
When a disastrous situation took place everything was clear \u2013 and unsatisfactory. After recovery was complete, the next project was a redesign of recovery plans and procedures. And \u2013 test, test, test\u2026<\/p>\n<p><em>To implement ISO 20000 easily and efficiently, use our<\/em> <a href=\"https:\/\/staging.advisera.com\/20000academy\/iso-20000-documentation-toolkit\/\" target=\"_blank\" rel=\"noopener\">ISO 20000 Documentation Toolkit<\/a> <em>that provides step-by-step guidance for full ISO 20000 compliance.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Rarely do I find ITIL to be identified with service continuity. Considering the extent of ITIL \u2013 it&#8217;s understandable. As the name implies, something shouldn\u2019t be stopped or broken in continuity, as most likely it has consequences. What are they, to what extent, and why?<\/p>\n","protected":false},"author":32,"featured_media":4624,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[432,344,346],"class_list":["post-4623","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-continuity","tag-itil","tag-service-design"],"acf":[],"_links":{"self":[{"href":"https:\/\/staging.advisera.com\/20000academy\/wp-json\/wp\/v2\/posts\/4623","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.advisera.com\/20000academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.advisera.com\/20000academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/20000academy\/wp-json\/wp\/v2\/users\/32"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/20000academy\/wp-json\/wp\/v2\/comments?post=4623"}],"version-history":[{"count":3,"href":"https:\/\/staging.advisera.com\/20000academy\/wp-json\/wp\/v2\/posts\/4623\/revisions"}],"predecessor-ve
rsion":[{"id":18335,"href":"https:\/\/staging.advisera.com\/20000academy\/wp-json\/wp\/v2\/posts\/4623\/revisions\/18335"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/20000academy\/wp-json\/wp\/v2\/media\/4624"}],"wp:attachment":[{"href":"https:\/\/staging.advisera.com\/20000academy\/wp-json\/wp\/v2\/media?parent=4623"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.advisera.com\/20000academy\/wp-json\/wp\/v2\/categories?post=4623"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging.advisera.com\/20000academy\/wp-json\/wp\/v2\/tags?post=4623"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}