Certified System Availability and Effectiveness of Disaster Prevention and Mitigation Processes

Germany’s ccTLD Registry Operator, DENIC (.de), has taken another logical step towards sustainable societal security and reliability: On 28 November 2016, the German certification body TÜV Nord confirmed DENIC's successful Business Continuity Management (BCM) certification in accordance with ISO 22301.

Published in 2012, the international ISO 22301 standard specifies the requirements for planning, establishing and implementing such measures in the framework of corporate planning that are to ensure continued operation of a business in case of disruptive incidents when they arise. This approach shall reduce the downtimes resulting from major disturbances of information systems or disasters to a minimum or even prevent or entirely exclude such incidents, in line with the requirements imposed by risk management and information security.

Already in 2014, DENIC had had its Information Security Management System (ISMS) certified according to ISO/IEC 27001. Combined with the first-time certification of its Business Continuity Management, DENIC now passed the annual ISMS surveillance audit successfully for a second time.

In their final report, the TÜV Nord auditors particularly emphasised DENIC's systematic and well integrated operation of both management systems, i.  e. Information Security and Business Continuity, together with the embedded risk management approach. Also, the operationalisation and related practical implementation of the normative requirements were found to meet high standards.

"The BCM certificate proves the high availability of our systems, the effectiveness of our disaster recovery processes and DENIC's compliance with laws, regulations and requirements. This, together with the ISMS organised along these lines, will further strengthen interested parties' trust in our company, be it DENIC’s member companies, regulatory bodies or eventually the entire German Internet Community," says Boban Kršić, DENIC's Chief Information Security Officer, who, together with his team, has played a leading role in the preparation and execution of the certification audit.

A holistic, structured BCM approach forms the framework for developing all the processes, procedures and requirements that are necessary to react appropriately to the failure of individual, critical business processes and their supporting applications, systems or infrastructure components that may occur in the event of major disruptions. Appropriate disaster recovery plans and scenarios, in conjunction with regular audits and testing, help to minimise the impact of disruptive incidents or total breakdown. Thus, the continued availability of critical business activities is ensured and business operation is restored to normal as fast as possible.