Business Continuity Planning


Written By Henry Kibirige

Quite often we see that organisations are good at making plans about where they see themselves in the future; about what the ideal situation should look like and about what can be done to improve and grow. Business Plans, Strategic Objectives, KPI reporting and Mission Statements are usually scrutinized and modified to the nth degree.

However, there should always be someone within that Board meeting who asks the difficult but important questions, such as “what happens if our IT goes down?” or “what happens if we lose a key employee?” or “what happens if there is another pandemic?”.

Providing answers to these questions is critical if a business wishes to have some level of stability during a disruption.

So this is where Business Continuity Plans, Disaster Recovery Plans and Business Impact Assessments come into play. A Business Continuity Plan will outline what the organisation will do to maintain its key activities during a disruption, whilst a Disaster Recovery Plan provides detail on what will be done to recover the business back to normal operation. In addition to these, Business Impact Assessments can be completed to assess in detail the knock-on effect of a disruption and the organisation’s tolerance levels and contingency plans.

If an organisation really wanted to excel, undergoing an ISO 22301 audit would be something to think about. ISO 22301 is an internationally recognized standard that outlines industry best practices, and if certified, an organisation will be able to showcase to the rest of the market that effective business continuity planning measures are in place.

Anyone new to all of this may find the whole thing daunting. I therefore thought it would be useful to outline some key points that should be thought about at all stages.

Risk Assessments

It is important for organisations to consider the likelihood and impact of an event. This will mean that the correct level of resource can be allocated to mitigate a particular risk. It would not be effective to spend the majority of your IT budget on something that will probably never happen, or that will have minimal impact on the business if it materialized.

Risk assessments are a way to perform quantitative and qualitative analysis, and visually outline what should be prioritized. Furthermore, these assessments should be repeated at regular intervals to take into account any internal and external changes that could affect the risk levels.

Business Continuity Team

Someone needs to be in charge of all of this and ideally it wouldn’t be down to one person. Instead, there should be a team of people, commonly known as the Business Continuity Team. The roles and responsibilities for each member should be clear. These include, but are not limited to:

  • Formally invoking and standing down the Business Continuity Plan
  • Internal and external communication
  • IT Operations
  • Producing formal reports

Members of the Business Continuity Team should be outlined within the Business Continuity Plan with up-to-date contact information.

A structured Business Continuity Team will increase the likelihood of an organisation handling a disruption in a controlled manner.

Testing and Verification

Agreeing on what your business continuity measures are is the first step. What should happen afterwards is the regular testing and verification of these processes. As with everything, it is when we try and test things that we learn where the gaps are and what can be done to improve things. If an IT department is relying upon a separate data center, or a particular back-up solution, or another supplier, these measures should be tested where possible to ensure that they are as effective as they should be.

Business Continuity or Disaster Recovery tests should be documented. You’ll need to be able to look back and determine what went wrong and what has since been implemented. This information could then be reported to senior management when required.

If you have found that something needs to change and you have implemented the changes, make sure that your business continuity documentation is updated accordingly.

Contingency Planning

Testing and verification is completed on what the organisation has determined to be its contingency plans or workarounds. If a particular system is down, is there another one that can be used? If one member of staff is not available, can someone else take over? If access to a building is compromised, can people work from home instead?

When determining what the best option is, a risk assessment should be considered as outlined above.


Cyber Security Associates have several experts in the Consultancy team who are here to guide you through the development and implementation of your business continuity processes and related documentation. Furthermore, with our qualified Lead Auditors, we are here to assist you to obtain and maintain certification to the ISO 22301 standard.

For more information about how we can help you, please send an enquiry to [email protected] or call us on 0300 303 4691.
