Data Centres get CPNI Guidance to boost resilience and security

Business Continuity Forum

It is rare these days to find any organisation which does not rely in some way on computer data. From the very largest corporate through to the very smallest business, the need to maintain access to information is absolutely vital. This seems pretty straightforward, almost simplistic, obvious even. Maybe so, but what about the data that has been removed from your direct control and exists on the huge banks of servers and hard disks located across commercial data centres both in the UK and internationally?


A dependency on information requires that those responsible for storing it take the necessary steps to avoid disruption to their services, threats to its security and, for many the nightmare scenario, losing it completely. This prompts the question, though: what steps are data centres taking to preserve client data?


For many years Data Centres have seen incredible growth as more and more of us use converged services, advanced networking, mobile computing and, of course, offsite storage and high availability systems. There is doubtless a considerable competitive advantage to Data Centres that offer performance, security and high availability, but the bar is being raised, as the Centre for the Protection of National Infrastructure has recently issued new guidance on the issues faced. This is partly in response to our economy's growing dependency on data, but also possibly a reaction to the inconsistencies seen across the sector.


The CPNI's view is that Data Centres are increasingly part of our national infrastructure and that more thought needs to go into their design and the measures and processes used to ensure their security and resilience. Consequently, they have issued new advice and recommendations relating to the protection measures and both the business continuity and risk dimensions that need to be addressed.


The guide treats the protection of data centres holistically, covering the protection principles from the initial site selection through to design, build and operation. It covers all the elements required without prescription, as individual requirements will vary. It details the general approach that should be taken towards Data Centre protection, which includes a formal risk and threat assessment that combines threats, hazards, vulnerability and weaknesses and sets controls proportionate to identified risks. This consolidated approach develops operational requirements that can be agreed by the business and demonstrated to stakeholders both internally and externally. Using this model, the measures can be both effective and fully cost justified.


The Data Centre guide treats people, processes and technology as factors that can combine to deliver an enhanced level of protection and resilience that secures the service delivered by the Data Centre and protects the owner's investment.


In addition, Data Centres that are able to demonstrate high levels of resilience and business continuity capability should benefit commercially as they will be very well-placed to differentiate themselves in markets where both risk management and business continuity are increasingly significant in the decision-making process.


To download the Centre for the Protection of National Infrastructure guide please click here.


Continuity Forum Comment


It is good to see official guidance coming from the CPNI. When one company has a problem that impacts on the availability or integrity of its data, it's bad enough, but Data Centres have the capability to disrupt hundreds or even thousands of organisations should they encounter a problem. Many of those within the sector will already have extensive experience from an IT perspective, but not more broadly. This means that there is a disconnect in their risk management and business continuity measures. Over the course of the past year, we have seen a number of Data Centres affected by an assortment of events that have caused disruption to many of their clients.


By raising the profile of these issues, we hope that all organisations will place a far greater weight on the continuity and resilience measures the Data Centre should be investing in when they are considering contracts. All too often contracts are decided on capacity and bandwidth, with only the simplest assessment undertaken on matters such as site vulnerability and the continuity planning the company has in place. Undervaluing the value of their investment in resilience and business continuity may well turn out to cost you far, far more should your data be impacted by their failure.


If you would like to comment on this article or have any observations on the Centre for the Protection of National Infrastructure's guidance, please e-mail us at