Business Continuity Management
Details on the Topic
In response to the growing importance of Business Continuity Management (BCM), a number of best-practice guidelines have been developed to provide a standardized approach for the development of a BCM strategy.
An important reference in this context is the British Standard BS 25999. It is an internationally accepted standard based on the idea of a “Business Continuity Management System” (BCMS): unlike a business continuity plan, which focuses merely on recovery from an interruption, a BCMS also comprises the development and implementation of policies and procedures to protect all assets of an organization. It provides controls to reduce the risk of an interruption occurring and recommends appropriate responses to an interruption. However, BS 25999 does not provide specific controls to implement.
On the basis of BS 25999, the German Federal Office for Information Security (BSI) developed its “BSI-Standard 100-4”. In contrast to BS 25999, BSI-Standard 100-4 not only defines an abstract approach but also provides detailed implementation procedures.
Implementing the Standards
Across these standards, a set of best-practice implementation steps can be identified.
- Define your requirements, e.g. your strategic objectives, critical products or services, risk tolerance and obligations.
- Create a policy that documents your requirements as well as management commitment. Schedule regular reviews, and communicate the policy to the entire staff.
- Prepare resources by drafting your BCM organization and roles and providing training to your BCM team.
- Involve all employees by providing them with a minimum level of BCM information and training.
- Document your strategy and implement backup and revision controls.
Implementing & Operating
- Conduct a Business Impact Analysis to define all critical processes, interdependencies between processes and resources, as well as the minimum resources required. It serves to identify the maximum tolerable disruption for each process and to derive recovery objectives.
- Perform a Risk Assessment to evaluate the likelihood of threats resulting in an interruption of business processes and to determine the severity of each threat’s potential impact.
- Create a Risk Treatment Plan to define how each risk is to be handled. The options are to:
  - Knowingly accept the risk.
  - Implement a suitable control.
  - Avoid the risk, i.e., do not undertake the associated business activity.
  - Transfer the risk to another organization (e.g. through insurance or by contractual arrangements with a business partner).
- Define your Incident Response by determining resources and plans to trigger suitable business continuity actions and inform stakeholders.
- Develop a Business Continuity Plan to document how incidents will be managed, and how activities will be recovered or kept at a given level.
- Exercise your plans to verify their effectiveness and to provide training to your personnel.
Monitoring & Reviewing
- Conduct internal audits to verify your strategy is in line with your objectives and is implemented and maintained correctly.
- Hold regular management reviews to ensure the continuing adequacy and effectiveness of the BCMS.
Maintaining & Improving
- Implement corrective and preventive actions in response to any weaknesses identified in the course of monitoring and reviewing procedures.
- Commit to continual improvement through the ongoing review of your policy and objectives, audit results, monitored events, and implemented controls.