IT and information security professionals have a new best friend. That indispensable buddy is, believe it or not, a standard: the business continuity management standard BS 25999, to be precise. Let me explain.
BS 25999 was launched in December 2006 (part 1, code of practice) and November 2007 (part 2, specification). It outlines how to implement a business continuity management programme in an organisation and advocates use of a technique called business impact analysis.
Among other things, business impact analysis attempts to
understand an organisation's critical activities and the resources
required, including IT systems and services, to keep those
activities running at an acceptable level should a serious
incident, such as a malicious act causing destructive loss of
premises, occur.
A gap analysis is then conducted to determine any differences between the resources the business needs over time from the point of the incident, and the current recovery capability. In effect, the analysis identifies the recovery time objectives and recovery point objectives. The former describe how soon after an outage each system or service needs to be operational, while the latter identify the pre-incident point in time the data needs to be recovered to.
The recovery time and point objectives define the availability
requirements of the business, which is an essential element of
information security management.
Potential solutions are then explored to fill any gaps
discovered. The gap analysis provides a good appreciation of how IT
systems and services could be adversely affected by an incident and
addresses any misconceptions the business may have regarding the IT
department's ability to recover systems and services.
In my experience as a consultant, such misconceptions are common
yet can have major implications for the organisation's wellbeing.
Should a serious incident occur, and the business be unable to
recover its critical activities quickly enough to keep impacts
within acceptable levels, the consequent loss of credibility,
direct financial loss, breach of contracts, and so on, could
ultimately damage the bottom line.
The business impact analysis helps business managers gain a
better understanding of the extent to which they rely on IT systems
and services. The gap analysis allows the IT department to propose
ways of filling any existing gaps in recovery time objectives or
recovery point objectives through targeted solutions.
Senior management can then either accept the current risk
exposure where gaps exist or else provide the IT department with
the necessary budget to close the gaps. Either way, senior
management will understand the IT recovery capability and how it
relates to business need, eliminating any misconceptions.
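To make the business impact analysis and gap analysis described above concrete, here is an added Python example; it is not from the column, from BS 25999 itself, or from Teed Business Continuity. It compares the recovery time and recovery point objectives a business impact analysis would record against the IT department's current recovery capability and lists the systems senior management needs to decide on. The data model (Requirement, Capability, Gap), the system names and every hour figure are constructed assumptions for illustration only.

```python
"""Worked gap analysis in the BS 25999 sense: business need (RTO/RPO per
system) versus current IT recovery capability. All data is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Requirement:
    """What the business needs, as captured by the business impact analysis."""
    system: str
    rto_hours: float  # recovery time objective: operational this soon after an outage
    rpo_hours: float  # recovery point objective: restored data may be at most this old


@dataclass(frozen=True)
class Capability:
    """What IT can currently deliver (hypothetical measured figures)."""
    system: str
    restore_hours: float          # demonstrated time to bring the system back
    backup_interval_hours: float  # worst-case age of the newest restorable copy


@dataclass(frozen=True)
class Gap:
    system: str
    rto_gap_hours: Optional[float]  # hours by which recovery is too slow (0 = objective met)
    rpo_gap_hours: Optional[float]  # hours of data loss beyond what the business accepts
    capability_known: bool


def gap_analysis(requirements: List[Requirement],
                 capabilities: List[Capability]) -> Dict[str, Gap]:
    """Return one Gap per required system. A system with no recorded
    capability is reported as unknown rather than silently treated as met,
    since an unexamined assumption is exactly the misconception the
    analysis exists to remove."""
    by_system = {c.system: c for c in capabilities}
    result: Dict[str, Gap] = {}
    for req in requirements:
        cap = by_system.get(req.system)
        if cap is None:
            result[req.system] = Gap(req.system, None, None, False)
            continue
        rto_gap = max(0.0, cap.restore_hours - req.rto_hours)
        rpo_gap = max(0.0, cap.backup_interval_hours - req.rpo_hours)
        result[req.system] = Gap(req.system, rto_gap, rpo_gap, True)
    return result


def needs_attention(gaps: Dict[str, Gap]) -> List[str]:
    """Systems to put in front of senior management: an unmet objective,
    or no known capability at all."""
    return sorted(
        name for name, g in gaps.items()
        if not g.capability_known or g.rto_gap_hours > 0 or g.rpo_gap_hours > 0
    )


def required_by(requirements: List[Requirement], hours_since_incident: float) -> List[str]:
    """Systems that must already be operational a given number of hours after
    the incident, i.e. the recovery timeline the business expects."""
    return sorted(r.system for r in requirements if r.rto_hours <= hours_since_incident)


# Constructed sample register for the example.
REQUIREMENTS = [
    Requirement("order-processing", rto_hours=4, rpo_hours=1),
    Requirement("email", rto_hours=24, rpo_hours=24),
    Requirement("payroll", rto_hours=48, rpo_hours=24),
]
CAPABILITIES = [
    Capability("order-processing", restore_hours=12, backup_interval_hours=24),
    Capability("email", restore_hours=8, backup_interval_hours=24),
    # payroll: nobody has measured its recovery, so it is deliberately absent
]

if __name__ == "__main__":
    gaps = gap_analysis(REQUIREMENTS, CAPABILITIES)
    for name in needs_attention(gaps):
        g = gaps[name]
        if not g.capability_known:
            print(f"{name}: recovery capability not recorded")
        else:
            print(f"{name}: RTO short by {g.rto_gap_hours:g}h, RPO short by {g.rpo_gap_hours:g}h")
    print("must be operational within 24h:", required_by(REQUIREMENTS, 24))
```

Run as written, the report flags order-processing (recovery takes 12h against a 4h objective and nightly backups against a 1h objective) and payroll (no capability recorded), while email meets both objectives. Each flagged line is a decision for senior management: accept the exposure or fund the fix.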
BS 25999 is the fastest-selling British standard ever. When part
2 was launched, 100 companies had already pre-registered for an
accreditation audit. If your organisation doesn't yet have a
business continuity management programme in place, then you should
recommend it implements one. The benefits to be gained by the IT
department - indeed, the organisation as a whole - make the
standard a powerful management tool, with the business impact
analysis element helping to improve information security.
Embrace BS 25999. It's your new best friend.
Brian Davey is a senior consultant with Teed Business Continuity