Ensure DRP and BCP Compliance With Industry Standards
Cut through the noise to create an effective and compliant DRP and BCP.
- IT leaders are often responsible for not just the organization’s IT disaster recovery plan (DRP) but also the business continuity plan (BCP) and other elements of overall resilience.
- Adding to the challenge are industry regulations or internal mandates demanding that resilience plans are compliant with specific standards. It’s not enough to just have a plan that you think is good.
- Standards such as NIST, HIPAA, and PCI outline requirements for a range of resilience plans – not just security response (which is covered in our security research) but also DRP, BCP, and crisis management.
Our Advice
Critical Insight
- Start with a goal of developing concise, effective plans that will inherently meet most requirements of common standards.
- If you instead follow the standards verbatim, you will have redundant, voluminous plans that will be difficult to maintain and too large to be effective in a crisis.
- For example, NIST 800-34 specifies eight different plans required to support resilience and continuity. It does not specify what information might be common to all eight documents, which would reduce your effort significantly.
Impact and Result
- Boil down the standards into core requirements.
- Identify opportunities for one document to meet the requirements of multiple plans (e.g. a recovery playbook that can satisfy NIST’s requirement for a DRP and an information systems contingency plan).
- Leverage a concise checklist of tasks to complete to meet requirements and demonstrate compliance.
Ensure DRP and BCP Compliance With Industry Standards Research & Tools
1. Ensure DRP and BCP Compliance With Industry Standards – A step-by-step guide to identify core requirements.
Cut through the noise to identify core requirements, using NIST 800-34, HIPAA, and PCI DSS as examples.
2. BCM Program Compliance Checklists – Prepopulated with checklists to follow to comply with NIST 800-34, HIPAA, and PCI DSS.
Modify the prepopulated checklists to meet your specific requirements. For standards not already covered in this tool, use one of the existing checklists as a starting point, as many requirements are common to multiple standards.
3. Info-Tech Resources Mapping Guides – Compliance requirements mapped to the research, tools, or templates needed to meet the standard.
Use the cross-referencing between compliance standards and Info-Tech research, tools, and templates to demonstrate compliance to auditors.
Ensure DRP and BCP Compliance With Industry Standards
Cut through the noise to create an effective and compliant DRP and BCP as part of your overall business continuity management program.
Analyst Perspective
Treat standards as a checklist, not an instruction manual
Don't let the verbose nature of standards documentation such as NIST, HIPAA, PCI, and others overcomplicate your mandate to ensure your business continuity management (BCM) program, including disaster recovery planning, business continuity planning, and crisis management, is compliant.
Standards documents are intended to be comprehensive, not concise, and that often leads to requirements that seem more daunting. Adding to the potential complexity is the challenge of interpreting the specific language of each standard.
For example, NIST requires that you have a disaster recovery plan for site-wide events and a contingency plan for individual critical system outages, but it does not make it clear that much of the same documentation will meet both requirements.
If you are obligated to comply with multiple standards, understanding your requirements becomes that much more challenging.
This deck and the associated guides cut through the noise to provide a roadmap of the specific tasks you need to complete to create concise, effective, and compliant plans, using the standards NIST, HIPAA, and PCI DSS as examples. This approach can be applied to other international or country-specific standards such as ISO 22301 and PIPEDA (the Canadian equivalent to HIPAA).
Frank Trovato
Research Director, Infrastructure & Operations
Info-Tech Research Group
STOP: This deck is focused on BCM compliance. For guidance on security compliance, see the resources below.
For security compliance assistance, use the blueprint Build a Security Compliance Program; it includes a Security Compliance Management Tool that provides a single framework to align and track multiple compliance obligations.
To reduce the complexity of ensuring disaster recovery plan (DRP) and business continuity plan (BCP) compliance, continue with the guidance and resources referenced in this deck.
[Screenshot: Security Compliance Management Tool]
Executive Summary
Common Obstacles
- Terminology can vary between standards, making it difficult to understand exactly what's required.
- Standards can take a siloed approach, specifying requirements for individual plans but not showing you how to pull it all together.
Info-Tech's Approach
- Summarize the tasks into a concise checklist, supported by mapping documents that will demonstrate how your plans meet the specific requirements of a particular standard.
Info-Tech Insight
Start with a goal of developing concise, effective plans that will inherently meet most requirements of common standards. This deck will help you close any gaps. If you instead follow the standards verbatim, you will have redundant, voluminous plans that will be difficult to maintain and too large to be effective in a crisis.
Additional resources included in this research
- NIST 800-34 ISCP Mapped to Info-Tech Resources: use this guide to support your audit review and as a reference for the BCM Program Compliance Checklists tool.
- HIPAA Requirements for BCM Mapped to Info-Tech Resources: use this guide to support your audit review and as a reference for the BCM Program Compliance Checklists tool.
- PCI DSS Requirements for BCM Mapped to Info-Tech Resources: use this guide to support your audit review and as a reference for the BCM Program Compliance Checklists tool.

About Info-Tech
Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.
We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.
What Is a Blueprint?
A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.
Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.
Need Extra Help?
Speak With An Analyst
Get the help you need in this 1-phase advisory process. You'll receive 3 touchpoints with our researchers, all included in your membership.
- Call 1: Review your compliance requirements.
- Call 2: Modify the prepopulated checklists to suit your requirements.
- Call 3: Initiate appropriate projects (e.g. document your DRP) required to complete your checklist.
Author
Frank Trovato
Search Code: 100558
Last Revised: February 14, 2023