BS: Business Continuity
Introduction
Business continuity management (BCM) is a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Business Continuity Planning (BCP) is an interdisciplinary peer mentoring methodology used to create and validate a practiced logistical plan for how an organization will recover and restore partially or completely interrupted critical function(s) within a predetermined time after a disaster or extended disruption. The logistical plan is called a Business Continuity Plan.

In December 2006, the British Standards Institute released a new independent standard for BCP: BS 25999. Prior to the introduction of BS 25999, BCP professionals relied on the BSI information security standard BS 7799, which only peripherally addressed BCP to improve an organization's information security compliance. BS 25999 applies to organizations of all types, sizes, and missions, whether governmental or private, profit or non-profit, large or small, and regardless of industry sector.

BS 25999 Part 2 contains requirements that can be audited. Demonstration of successful implementation of the standard can be used to assure other parties that appropriate business continuity arrangements are in place. Organisations implementing BS 25999 must be able to provide evidence of compliance, usually through records or demonstrable activities.

The business continuity management system (BCMS) must, as a minimum, contain the following documents, which may be combined or maintained separately:

  • A business continuity policy
  • The scope of the BCMS
  • Terms of reference
  • Business Impact Analysis
  • Risk Assessment
  • BCM strategies
  • Planning, operation and control procedures for the business continuity process
  • Business continuity and incident management plans
  • Contact and mobilisation details
  • Change control procedures
  • Risk and issues register
  • Test schedule and results/actions register
  • Incident log
  • Training programme
  • Response structure
  • Any other relevant documentation

The development of a BCP manual can have five main phases:

    Analysis
    The analysis phase in the development of a BCP manual consists of an impact analysis, threat analysis, and impact scenarios with the resulting BCP plan requirement documentation.

    An impact analysis results in the differentiation between critical and non-critical organization functions. A function may be considered critical if the implications for stakeholders of the resulting damage to the organization are regarded as unacceptable.

    After defining recovery requirements, documenting potential threats is recommended to detail a specific disaster’s unique recovery steps.

    After defining potential threats, documenting the impact scenarios that form the basis of the business recovery plan is recommended. In general, planning for the most wide-reaching disaster or disturbance is preferable to planning for a smaller scale problem, as almost all smaller scale problems are partial elements of larger disasters. A typical impact scenario like 'Building Loss' will most likely encompass all critical business functions, and the worst potential outcome from any potential threat.

    After the completion of the analysis phase, the business and technical plan requirements are documented in order to commence the implementation phase. A good asset management program can be of great assistance here and allow for quick identification of available and reallocatable resources.

    Solution Design
    The goal of the solution design phase is to identify the most cost-effective disaster recovery solution that meets two main requirements from the impact analysis stage.

    Implementation
    The implementation phase, quite simply, is the execution of the design elements identified in the solution design phase. Work package testing may take place during the implementation of the solution; however, work package testing does not take the place of organizational testing.

    Testing and Organizational Acceptance
    The purpose of testing is to achieve organizational acceptance that the business continuity solution satisfies the organization's recovery requirements. Plans may fail to meet expectations due to insufficient or inaccurate recovery requirements, solution design flaws, or solution implementation errors.

    Maintenance
    Maintenance of a BCP manual is broken down into three periodic activities. The first activity is the confirmation of information in the manual, roll out to all staff for awareness and specific training for individuals whose roles are identified as critical in response and recovery. The second activity is the testing and verification of technical solutions established for recovery operations. The third activity is the testing and verification of documented organization recovery procedures.

    Copyright 2008, trizsigma.com. All rights reserved.