Establish and maintain a plan to enable the business and IT to respond to incidents and disruptions in order to continue operation of critical business processes and required IT services and maintain availability of information at a level acceptable to the enterprise.
Continue critical business operations and maintain availability of information at a level acceptable to the enterprise in the event of a significant disruption.
- Risk-related root causes
- Risk impact communications
- Policy and objectives for business continuity
- Disruptive incident scenarios
- Assessments of current continuity capabilities and gaps
- Business impact analyses
- Continuity requirements
- Approved strategic options
- Incident response actions and communications
- Test objectives
- Test exercises
- Test results and recommendations
- Results of reviews of plans
- Recommended changes to plans
- Training requirements
- Monitoring results of skills and competencies
- Test results of backup data
- Post-resumption review report
- Approved changes to the plans
- List of personnel requiring training
Define the Business Continuity Policy, Objectives and Scope.
- Identify internal and outsourced business processes and service activities that are critical to the enterprise operations or necessary to meet legal and contractual obligations.
- Identify key stakeholders and roles and responsibilities for defining and agreeing on continuity policy and scope.
- Define and document the agreed-on minimum policy objectives and scope for business continuity and embed the need for continuity planning in the enterprise culture.
- Identify essential supporting business processes and related IT services.
Maintain a Continuity Strategy
- Identify potential scenarios likely to give rise to events that could cause significant disruptive incidents.
- Conduct a business impact analysis to evaluate the impact over time of disruption to critical business functions and the effect that disruption would have on them.
- Establish the minimum time required to recover a business process and supporting IT-based on an acceptable length of business interruption and maximum tolerable outage.
- Assess the likelihood of threats that could cause loss of business continuity and identify measures that will reduce the likelihood and impact through improved prevention and increased resilience.
- Analyze continuity requirements to identify the possible strategic business and technical options.
- Determine the conditions and owners of key decisions that will cause the continuity plans to be invoked.
- Identify resource requirements and costs for each strategic technical option and make strategic recommendations.
- Obtain executive business approval for selected strategic options.
Develop and Implement a Business Continuity Response
- Define the incident response actions and communications to be taken in the event of a disruption. Define related roles and responsibilities, including accountability for policy and implementation.
- Develop and maintain operational BCPs containing the procedures to be followed to enable continued operation of critical business processes and temporary processing arrangements, including links to plans of outsourced service providers.
- Ensure that key supplier and outsource partners have effective continuity plans in place. Obtain audited evidence as required.
- Define the conditions and recovery procedures that would enable resumption of business processing, including updating and reconciliation of information databases to preserve information integrity.
- Define and document the resources required to support the continuity and recovery procedures, considering people, facilities, and IT infrastructure.
- Define and document the information backup requirements required to support the plans, including plans and paper documents as well as data files, and consider the need for security and off-site storage.
- Determine the required skills for individuals involved in executing the plan and procedures.
- Distribute the plans and supporting documentation securely to appropriately authorized interested parties and make sure they are accessible under all disaster scenarios.
Exercise, Test and Review the BCP
- Define objectives for exercising and testing the business, technical, logistical, administrative, procedural, and operational systems of the plan to verify completeness of the BCP in meeting business risk.
- Define and agree on with stakeholders exercises that are realistic, validate continuity procedures, and include roles and responsibilities and data retention arrangements that cause minimum disruption to business processes.
- Assign roles and responsibilities for performing continuity plan exercises and tests.
- Schedule exercises and test activities as defined in the continuity plan.
- Conduct a post-exercise debriefing and analysis to consider the achievement.
- Develop recommendations for improving the current continuity plan based on the results of the review.
Review, Maintain and Improve the Continuity Plan
- Review the continuity plan and capability on a regular basis against any assumptions made and current business operational and strategic objectives.
- Consider whether a revised business impact assessment may be required, depending on the nature of the change.
- Recommend and communicate changes in policy, plans, procedures, infrastructure, and roles and responsibilities for management approval and processing via the change management process.
- Review the continuity plan on a regular basis to consider the impact of new or major changes to enterprise organization, business processes, outsourcing arrangements, technologies, infrastructure, operating systems, and application systems.
Conduct Continuity Plan Training
- Define and maintain training requirements and plans for those performing continuity planning, impact assessments, risk assessments, media communication, and incident response. Ensure that the training plans consider the frequency of training and training delivery mechanisms.
- Develop competencies based on practical training, including participation in exercises and tests.
- Monitor skills and competencies based on the exercise and test results.
Manage Backup Arrangements
- Back up systems, applications, data, and documentation according to a defined schedule, considering:
- Frequency (monthly, weekly, daily, etc.)
- Mode of backup (e.g., disk mirroring for real-time backups vs. DVD-ROM for long-term retention)
- Type of backup (e.g., full vs. incremental)
- Type of media
- Automated online backups
- Data types (e.g., voice, optical)
- Creation of logs
- Critical end-user computing data (e.g., spreadsheets)
- Physical and logical location of data sources
- Security and access rights
- Ensure that systems, applications, data, and documentation maintained or processed by third parties are adequately backed up or otherwise secured. Consider requiring the return of backups from third parties. Consider escrow or deposit arrangements.
- Define requirements for on-site and off-site storage of backup data that meet the business requirements. Consider the accessibility required to back up data.
- Roll out BCP awareness and training.
- Periodically test and refresh archived and backup data.
Conduct Post-Resumption Review
- Assess adherence to the documented BCP.
- Determine the effectiveness of the plan, continuity capabilities, roles and responsibilities, skills and competencies, resilience to the incident, technical infrastructure, and organizational structures and relationships.
- Identify weaknesses or omissions in the plan and capabilities and make recommendations for improvement.
- Obtain management approval for any changes to the plan and apply it via the enterprise change control process.