22 years of ITSCM consulting

An established IT Service Continuity Management (ITSCM) with the basic elements of IT emergency preparedness and IT emergency response means you are optimally prepared for critical IT incidents.

IT Service Continuity Management

ITSCM, also known as IT contingency management or IT disaster recovery management, is a fundamental discipline within IT service management. In today's technology-driven world, many business processes depend heavily on functioning IT services. A failure of IT infrastructures, IT systems or applications can interrupt business processes, which can result in considerable financial and reputational damage (e.g. to brand image). Many industries, such as banking, insurance and critical infrastructure companies, are also subject to strict regulatory requirements that dictate a robust business continuity plan.

With an established IT Service Continuity Management (ITSCM) with the basic elements of IT emergency preparedness and IT emergency management, you are optimally prepared for critical IT incidents.

The IT services required for your business operations are not interrupted, or are interrupted only for a short time, during the transition to emergency IT operations, and your company's economic existence remains secure even in the event of a major incident.

Although the implementation of an ITSCM requires initial investment, the long-term savings from avoiding lengthy IT outages can be considerable. Furthermore, by implementing IT service continuity management, you send a clear signal of reliability to customers and contractual partners - even in the event of a critical IT incident. This can represent a significant competitive advantage over other companies.

Our ITSCM consulting services

We work with you to develop customised solutions tailored to your requirements in this complex IT environment. It goes without saying that we also consider the corresponding interfaces to other management disciplines such as Business Continuity Management (BCM), Information Security Management (ISM), Cyber Incident Response Management (CIRM) and Crisis Management (KM). With our many years of experience, we support you in the introduction, further development or evaluation of your existing IT service continuity management system (ITSCMS). Our approach is based on internationally recognised standards (ISO 27031 and BCI Good Practice Guideline), ITIL and best practice models from our many years of project experience.

Our ITSCM coaching

When implementing projects, our IT experts always focus on building up in-house expertise. Our aim is for you to acquire the necessary knowledge about the management process from us during the project and then be able to put what you have learnt directly into practice. New processes are not always met with an undivided positive response. In our many years of experience, the best way to overcome internal scepticism is to raise awareness among employees. As the quote from Antoine de Saint-Exupéry goes: "If you want to build a ship, don't drum up men to procure wood, assign tasks and divide up the work, but teach the men to long for the wide, endless sea." Feel free to contact us if you need support in preparing and implementing awareness measures.

What are the three most important arguments in favour of ITSCM?

ITSCM as a management process creates organisational and personnel structures for the prevention and management of critical IT incidents. With an established ITSCM, you are able to:
  • react to critical IT incidents in a structured manner

  • ensure an IT emergency operation

  • restart your IT infrastructures, IT systems and applications within an acceptable time window

Why is ITSCM so important?

When IT/IT infrastructures fail, the time factor plays a major role. The longer the IT services required for critical business processes are unavailable, the greater the financial and/or reputational damage. For some companies, the time window before their existence is threatened is very small. An established ITSCM reduces the probability of ITSCM damage scenarios occurring, creates structures for dealing with critical IT incidents and gives you the security of being able to restart IT within the specified time window.

What exactly is ITSCM?

ITSCM as a management process proactively plans all aspects required for the continuation, restart or recovery of your IT infrastructures, IT systems and/or applications. In support of and in coordination with the BCM process, risks to IT services are reduced and the restart of IT services is planned, prepared and tested. As a result, ITSCM strengthens the resilience, continuity and stability of your critical IT services. ITSCM is part of Business Continuity Management (BCM) with a focus on IT failure.

What are the goals of ITSCM?

  • Ensuring the availability of the necessary IT infrastructures, IT systems and applications even in the event of a critical IT incident or IT emergency

  • Minimising risks that could lead to critical IT incidents or IT emergencies

  • Strengthening the resilience, continuity and stability of your critical IT services against external influences

  • Creating security for customers and contractual partners

What advantages does a company with an established ITSCM have?

  • Avoiding or minimising downtime of critical IT services that would affect business processes

  • Minimising and shortening restart times

  • Reducing current and future threats and providing effective response processes

  • Strengthening the resilience of IT

  • Meeting legal, regulatory and customer requirements

  • Proven resilience towards customers and suppliers

We already have BCM. Do I still need ITSCM?

The answer to this question is a resounding yes. BCM identifies a company's time-critical business processes and ensures that these can be continued in the event of an incident. ITSCM ensures the availability of the IT services required for time-critical business processes. So while BCM, as a holistic management process, plans "only" manual recovery measures for the failure of IT/IT infrastructures, ITSCM is concerned with maintaining the availability or the fastest possible restart of IT infrastructures, IT systems and applications.

What about ISM? Do I still need ITSCM in addition?

The answer to this question is also clearly yes. Information Security Management (ISM) aims to protect all of a company's information, regardless of its type and origin. ISM proactively plans the prevention of security incidents or breaches of the defined security objectives, such as confidentiality, integrity, continuity and authenticity. These are therefore requirements for normal operation. Separate plans for dealing with security issues are not normally created. This very often creates a dangerous gap. The ITSCM organisational structures and the plans for alerting and managing critical IT incidents can, of course, also be used to manage security incidents.

What does an ITSCM implementation look like?

Our process model for IT service continuity management is based on our many years of project experience and industry best practice models. On the following pages, we describe the individual stages of the model, which aims to establish ITSCM in your company.

The aim of the ITSCM process is to enable an organisation to make failed time-critical IT services available again within a predetermined time window and at an agreed minimum IT service level, in order to support the minimum business requirements.

Since 2011, an international standard for IT contingency planning (ITSCM) has been available in the form of ISO 27031. The very title "Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity" indicates that there must be close cooperation between the BCM and ITSCM disciplines in the company from the outset.

We take this interface issue into account in our ITSCM process model. This aims to establish the ITSCM process in the company in the form of a project. In addition to our practical experience from over 20 years of consulting work, we always incorporate requirements from the process descriptions according to ITIL "ITSCM", from information security (especially according to ISO 27001) and from standards such as the German BSI standard 200-4 "Business Continuity Management" into our concepts.

ITSCM method

  ITSCM Initiation

The initiation is the foundation of a successful IT emergency planning project. Through an ITSCM Policy, management instructs the IT department to establish ITSCM in the company. The necessary process steps are documented in an ITSCM Guideline. Additionally, measures for the maintenance of the ITSCM process, its monitoring and its continuous improvement are documented.

  Analysis and Concept

“Analysis and Concept” deals with establishing the goals and solutions for the recovery plans.

Gap Analysis
During the analysis phase, the target requirements for the availability of IT services (IT applications) should be taken from BCM and compared with the currently implemented capabilities for IT emergency preparation. The main criterion for availability in emergency mode is the recovery time objective (RTO) of an IT service. This can be determined from a Business Impact Analysis or from Service Level Agreements. In some IT areas the documentation required for the analysis will not be available. In these cases we will use proven alternative methods to create this data.

ITSC Solution Concept
The ITSC solution concept describes the selected solution options. These solution options serve as the basis for creating the ITSC plans.

  Implementation

During the Implementation Phase, the agreed measures are put into practice.

IT Preventative Measures
In the context of preventative measures for IT one could, for example, set up additional data backups, create WAN connections, build clustered systems, organise backup work spaces or even rent a new data centre location. During implementation, priority goes to those measures that improve the IT service availability of many different systems, and to measures that mitigate risks with a high damage potential.

Crisis and ITSCM Organisation
For use during an emergency, an independent crisis and ITSCM organisational structure (shadow organisation) must be set up. The aim of this organisational form is to enable precise and quick decisions in critical situations through fewer levels of hierarchy. Additionally, a separate escalation process will be defined for this emergency organisation.

ITSCM Processes and Interfaces
After the conclusion of the project, management processes must be defined in order to integrate the regularly recurring tasks into normal daily operations.

 Planning

Within the Planning phase, the IT Emergency Manual is created. This can consist of various documents, depending on the size and number of data centres. In any case, procedures for IT Crisis Management that apply equally to all scenarios must be described.

For each outage scenario (e.g., Outage DC Room 1, Outage WAN, etc.) a scenario manual should exist. This should contain detailed technical descriptions of the recovery of IT services. These descriptions must be in agreement with the coordination plans for Business Continuity Management and the plans of the IT Service Providers.

 Validation

Regularly executing relevant IT continuity tests is crucial for assessing the effectiveness of the IT emergency plans. In this way, one can judge whether the provided redundant resources and the recovery plans would allow for the management of a real emergency.

A test and exercise strategy specifies the commitments in the ITSCM policy regarding the frequency and scope of IT continuity tests and exercises that are to be performed. To simplify the test plans, test types are defined (e.g. functional test and real test).

How each IT resource is to be tested is specified in the form of test concepts (type of switch-off or switch-over, risks during test execution, etc.).

During the test planning, dates are established for each specific test to be executed within a year, including the initial test, and their test goals are defined.

 Initial Test

Before moving the ITSCM project into operational mode, an Initial Test must be performed. The scope of the test is determined by the previously agreed test planning. It is important for this initial test that all planned activities relating to the test are executed:

  • Determining test aims

  • Planning test preparations

  • Planning test execution

  • Planning the analysis of test results and the wrap-up
