Understanding the Information System Contingency Plan

Author: Larry G. Wlosinski, CISA, CISM, CRISC, CDPSE, CISSP, CCSP, CAP, PMP, CBCP, CIPM, CDP, ITIL v3
Date Published: 4 November 2021

There has been increasing discussion around, and an increasing number of occurrences of, ransomware, a new and very costly cyberthreat (which I discussed in “Ransomware Response, Safeguards and Countermeasures”). It seems that almost every type of organization, including schools, police departments, hospitals, healthcare organizations, local governments and large government agencies, is a target. Often in these ransomware events, the organization’s backups are useless (i.e., they have been encrypted as well), and most organizations are forced to pay the ransom or lose their business or their ability to provide services. However, there are many other types of catastrophic events that can affect businesses and government organizations, and their ability to recover from the loss of their data determines whether the organization keeps operating.

System and data backups are not the only components of concern when preparing for and planning a recovery. An information system contingency plan (ISCP) can be created and used to prepare for a quick recovery from various attack vectors (e.g., ransomware) that could severely impact an organization’s ability to provide services, as well as non-planned events, including natural (e.g., tornado) and environmental (e.g., power, building) crises. An ISCP contains information about the system hardware and software, application and data backups, dependent processes, data interfaces, support staff and vendors, recovery priorities and plan maintenance.

In building an ISCP, it is helpful to understand what can be controlled and where the threat comes from, while also considering areas of risk, planning considerations, prevention guidance, cost and budget concerns, data movement agreements, types of backups, the benefits of a business impact analysis (BIA), the contents of the ISCP, ISCP coordinator responsibilities (for larger organizations), staff training, plan testing and exercises, and ISCP maintenance. The BIA is sometimes overlooked, but it is essential to planning because it identifies and prioritizes what needs to be addressed (i.e., hardware, software, purchases and the response actions to take). BIAs can be written for each system and compiled into one overarching analysis for all the systems of concern.

An ISCP is crucial for organizations to prevent disastrous situations and prepare for a quick recovery and return to normal.

Editor’s note: For further insights on this topic, read Larry G. Wlosinski’s recent Journal article, “Information System Contingency Planning Guidance,” ISACA Journal, volume 3, 2021.
