This document is written with the assumption that the organization follows ISO and has implemented many of the controls (including Disaster Recovery), but may be lacking in the area of business continuity management. This document aims to consolidate and leverage the work already done for other ISO controls to jumpstart the BCP compliance efforts.
The first step in compliance is to develop and implement a BCP management process. The process needs to identify the critical business processes within the organization and incorporate management requirements.
- Identify critical business processes and associated assets. Create a template or leverage the disaster recovery (DR) documentation (Note: The DR information may not be complete enough as it usually only includes recovery of technology functions and may exclude important business functions or process that do not rely on technology.) and send to managers requiring them to document their critical business processes by location.
- Identify the consequences in the event of a disaster. Again most of this should be in a DR plan.
- Identify controls to reduce risk.
- Ensure information for business operations is available.
- Ensure BCP is integrated within business processes and includes security.
- Ensure that plans are updated and tested on a regular basis.
Below is a sample that can be used and quickly put together to help meet some of this compliance. Use Excel and list the critical business processes in a matrix associated with each geographic location as shown below.
The next step is to identity the results of different events by doing a business impact analysis. Continuity plans have to be developed to for quick restoration of operations and should be integrated with information security and other key management processes. Controls that can be put in place to reduce risk should be identified.
The Threat should define “Who”
The Event should define “What, Where, and When”
The table below is an expansion of the above. (Threats are repeated for consistency)
After the assessment the following must be done:
- Continuity plan(s) must be created.
- Roles and responsibilities must be documented. Most should have already been done for other ISO controls, but there may need to be a few short statements added to reflect business continuity compliance.
- Procedures and processes must be documented. Many of these should have already been documented as a part of incident response, disaster recovery, change control, and other standard operations. A few additional procedures may need to be created like the process of documenting and updating plans.
Plans must have the same framework. This means all departmental plans must be a on a standard template. A centralized escalation and evacuation plan should be developed. Evacuation plans can simply state follow building evacuation procedures. Escalation plans in most cases can follow standard disaster, emergency services, or incident response plans.
Plans need to address:
- Roles and responsibilities of key staff (i.e. BCP coordinator, executive management, and users)
- Summary pointing to the documents that have recovery procedures for operations. In many cases these procedures are in the disaster recovery area or part of the standard operating function.
- Testing of plans. This needs to track and schedule each element and when its tested.
- Storage of plans at alternate locations
- Ownership of plans
- Fallback procedures
- Resumption procedures
- Awareness and Training
- Review of plan(s)
Putting everything important together is the key to the business continuity plan. Many of the items above exist within many organizations but they have not been organized or consolidated in one area. A document detailing each of these items and consolidating them all in one location is the key to passing the assessment. If you are already working towards ISO compliance then Business Continuity Management is just one more minor component that can be accomplished quickly by consolidating a large amount of information in one place and creating a document (plan) that organizes and explains everything that needs to be done with these documents if there disruption to business operations. In some cases there may need to be department level plans that are a close mirror to the main plan but focus more on departmental operations. Some assessments will look for both centralized and departmental plans.
For more information you can also review that actual ISO/IEC 17799/27001 documentation and the BS 25999-2 Specification.