CARM Compliance Essentials in IT Service Continuity Management

In this article we will look at how to achieve and maintain Control Assurance and Risk Management (CARM) compliance in the IT Service Continuity Management (ITSCM) area of an organization. We will cover the controls, their criticality levels and the supportive artifacts that must be in place to meet all CARM compliance requirements.

Set the expectation and define ownership

It is always important to understand the customer's expectations, especially for customers in the retail sector, and to make the customer understand that if they are heading towards CARM compliance, the program to be followed will be under the customer's official ownership. You, or any vendor in the IT Service Continuity Management team, are merely a facilitator, implementer or advisor. This expectation needs to be documented well. You need to assure the customer that, although the IT Service Continuity team will always stand by, it is the customer who will ultimately face the auditor. All circulars, advisories and authorizations issued under the security program go out from the customer's office. Be aware, though, that ownership is entirely yours if the scope of the compliance requirement is defined as work carried out by you as the vendor; such requirements are, however, scarce.

That said, customer ownership never means that, as a service provider facilitating CARM (Control Assurance and Risk Management) certification, we are relieved of our responsibilities. When we come to the selection of CARM controls, we will see how the ownership of implementing and maintaining IT Service Continuity controls remains with the applicable stakeholders, all of whom report to the owner to ensure the customer's assurance with respect to the IT Service Continuity Management program.

Understanding CARM (Controls Assurance and Risk Management) compliance and the mandatory controls in IT Service Continuity Management

Let us understand a little more about CARM (Control Assurance and Risk Management) compliance and the standard before we go into the working steps.

If one is undergoing CARM (Control Assurance and Risk Management) compliance certification, then each and every statement written under this section must be complied with and is auditable during the certification audit. Why? Because these sections build the base of an organization's IT Service Continuity Management program; in other words, compliance with these sections assures an auditor that you have a reliable security framework in place to sustain your certification, once attained.

CARM Risk Details (High Criticality):

The design and development of the IT Service Continuity process and controls is reviewed and approved by authorized approvers in Diageo on a periodic basis. Roles and responsibilities of individuals are clearly defined in the ITSCM process document (C0483).

Supportive Evidence required- Ensure the ITSCM process documentation, including role definitions and responsibilities, is reviewed on a periodic basis (annually) and that approval is secured.

CARM Risk Details (Medium Criticality):

Lack of communication on the roles and responsibilities of ITSCM staff may lead to a lack of preparedness and an inability to recover critical business systems and data in a timely manner. IT Service Continuity process and control documentation is communicated to all relevant stakeholders and is readily available (ISCM.C02).

Supportive Evidence required- Ensure there is an audit trail of the ITSCM documentation being communicated to stakeholders (PRB - Process Review Board, BRMs and third parties) on a periodic basis.

CARM Risk Details (High Criticality):

Failure to design appropriate, business-aligned continuity mechanisms and procedures to meet the agreed business continuity targets can lead to regulatory non-compliance and business disruption. An ITSCM plan (disaster recovery criteria, procedures, test strategy, communication and awareness plan) exists and is in place across all locations (C0472).

Supportive Evidence required- Ensure the DR plans are aligned with the markets' BCP and that business approval is secured from the local and global markets. Ensure a tracker is maintained for all Critical/Global/Regional DR plans.

CARM Risk Details (High Criticality):

Disaster recovery plans that are not tested periodically to ensure viability may result in the inability to recover critical business systems and data. A disaster recovery plan (DRP) exists and has been approved by management to provide timely restoration of Diageo critical systems. The DRP is tested annually and updated with lessons learned. Where new risks are identified, appropriate changes are made to the disaster recovery plans (C0471).

Supportive Evidence required- Ensure the annual DR test plan and report have been reviewed and approved by management, and ensure that all outstanding actions and risks are addressed and that there is an audit trail to support this.

CARM Risk Details (Medium Criticality):

Disaster recovery plans that are not tested periodically to ensure viability may result in the inability to recover critical business systems and data. Periodic training on ITSCM is provided to all relevant employees and stakeholders. Training records are archived and trainees are evaluated (ISCM.C03).

Supportive Evidence required- Ensure there is evidence/an audit trail to support that appropriate ITSCM training was provided to all stakeholders.

CARM Risk Details (Low Criticality):

Failure to review and assess the adequacy and effectiveness of the disaster recovery plan (DRP) against business risks on a periodic basis may result in the inability to recover systems, processes and data in the event of a disaster. ITSCM processes are reviewed and audited on a periodic basis. Audit results are reviewed with stakeholders and published to senior management and to the stakeholders responsible for implementing and managing ITSCM (ISCM.C04).

Supportive Evidence required- Ensure there is a documented copy of the DRP and the test report, and that all outstanding items are actioned and signed off by senior management.

Some organizations will say: "Although I am implementing CARM (Control Assurance and Risk Management) for IT Service Continuity Management systems and ISO 22301 for business continuity management systems, I have no requirement to undergo certification now, or perhaps have a deferred plan, so do I still need to comply with these controls?" The answer is that if you are destined to go for certification sooner or later, the earlier you start complying with these mandatory controls, the easier you will find the way ahead. Even if you are not going for certification, I would still suggest adopting them, to the extent possible or perhaps in a somewhat diluted form, because, as I said, what this article describes is the base of your entire IT Service Continuity Management and business continuity/DR management program, and who in this world does not want a strong foundation? There is still a difference between controls implementation under ISO 22301 Business Continuity Management and under CARM (Control Assurance and Risk Management) in an IT Service Continuity program.

CARM compliance is equally important for other ITIL-based process domains, each with its own set of goals and expectations, for example Access Management, Capacity Management, Availability Management and Change Management.

There are some web-based automated tools that can support the implementation of CARM (Control Assurance and Risk Management) controls. If you use this new generation of IT Service Continuity Management software, it will be easier for you to achieve and maintain CARM compliance.

Authored by Rajib Das
