IT and information security professionals have a new best friend. That indispensable buddy is, believe it or not, a standard: the business continuity management standard BS 25999, to be precise.
Let me explain.
BS 25999 was launched in December 2006 (part 1, the code of practice) and November 2007 (part 2, the specification against which an organisation can be audited). It sets out how to implement a business continuity management programme in an organisation and advocates the use of a technique called business impact analysis.
Among other things, business impact analysis identifies an organisation's critical activities and the resources, including IT systems and services, required to keep those activities running at an acceptable level should a serious incident occur, such as a malicious act causing the destructive loss of premises.
A gap analysis is then conducted to compare the resources the business needs over time, measured from the point of the incident, with the current recovery capability. In effect, the analysis establishes the recovery time objective and recovery point objective for each system or service. The recovery time objective states how soon after an outage the system or service must be operational again; the recovery point objective states the point in time before the incident to which its data must be recovered, in other words how much recent data the business can afford to lose.
The recovery time and point objectives define the availability requirements of the business, which is an essential element of information security management.
Potential solutions are then explored to fill any gaps discovered. The gap analysis gives a clear picture of how IT systems and services could be affected by an incident and corrects any misconceptions the business may hold about the IT department's ability to recover them.
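To make the gap analysis concrete, the following worked example is added here; it is not code from the article, from Teed Business Continuity or from BS 25999 itself. It takes a constructed set of critical activities, each with the recovery time and recovery point objectives the business requires, and a constructed set of IT systems with their restore times, backup intervals and dependencies, and reports where current capability falls short. Two simplifying assumptions are built in and labelled in the code: a system can only be restored once the systems it depends on are back (so achievable recovery time accumulates along the longest dependency chain), and the achievable recovery point for data held on a system is its backup interval (worst case, everything since the last backup is lost). All system and activity names are invented.

```python
"""Recovery time / recovery point gap analysis over constructed sample data (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class System:
    name: str
    restore_hours: float            # time to rebuild/restore this system once its dependencies are up
    backup_interval_hours: float    # how often a recoverable copy is taken
    holds_data: bool = False        # True if business data lives here (relevant to recovery point)
    depends_on: List[str] = field(default_factory=list)  # systems that must be restored first


@dataclass
class Activity:
    name: str
    rto_hours: float                # business requirement: must be running again within this time
    rpo_hours: float                # business requirement: maximum tolerable data loss, as time
    systems: List[str]              # systems the activity relies on directly


def achievable_rto(name: str, systems: Dict[str, System], _path=()) -> float:
    """Hours until `name` is usable.

    Assumption (labelled): dependencies are restored first, branches in parallel,
    so the elapsed time is the longest dependency branch plus this system's own restore time.
    A dependency cycle can never be restored, so it is reported as an error.
    """
    if name in _path:
        raise ValueError("dependency cycle: " + " -> ".join(_path + (name,)))
    s = systems[name]
    longest_dep = max(
        (achievable_rto(d, systems, _path + (name,)) for d in s.depends_on), default=0.0
    )
    return longest_dep + s.restore_hours


def closure(name: str, systems: Dict[str, System], seen=None) -> set:
    """Every system that `name` transitively depends on, including itself."""
    seen = set() if seen is None else seen
    if name in seen:
        return seen
    seen.add(name)
    for d in systems[name].depends_on:
        closure(d, systems, seen)
    return seen


def gap_analysis(activities: List[Activity], systems: Dict[str, System]) -> List[dict]:
    """Compare each activity's required RTO/RPO with what the current systems can deliver."""
    rows = []
    for a in activities:
        rto = max(achievable_rto(s, systems) for s in a.systems)
        involved = set().union(*(closure(s, systems) for s in a.systems))
        # Assumption (labelled): achievable recovery point = backup interval of the data-holding systems.
        rpo = max(
            (systems[n].backup_interval_hours for n in involved if systems[n].holds_data),
            default=0.0,
        )
        rows.append({
            "activity": a.name,
            "required_rto_hours": a.rto_hours,
            "achievable_rto_hours": rto,
            "rto_gap_hours": max(0.0, rto - a.rto_hours),
            "required_rpo_hours": a.rpo_hours,
            "achievable_rpo_hours": rpo,
            "rpo_gap_hours": max(0.0, rpo - a.rpo_hours),
        })
    return rows


def sample_data():
    """Constructed sample: names, hours and dependencies are invented for illustration."""
    systems = {
        "directory": System("directory", restore_hours=4, backup_interval_hours=24),
        "database": System("database", restore_hours=6, backup_interval_hours=1,
                           holds_data=True, depends_on=["directory"]),
        "order-web": System("order-web", restore_hours=2, backup_interval_hours=24,
                            depends_on=["database"]),
        "email": System("email", restore_hours=8, backup_interval_hours=24,
                        holds_data=True, depends_on=["directory"]),
    }
    activities = [
        Activity("order processing", rto_hours=8, rpo_hours=1, systems=["order-web"]),
        Activity("customer correspondence", rto_hours=24, rpo_hours=24, systems=["email"]),
    ]
    return activities, systems


if __name__ == "__main__":
    acts, systs = sample_data()
    for row in gap_analysis(acts, systs):
        status = "OK" if row["rto_gap_hours"] == 0 and row["rpo_gap_hours"] == 0 else "GAP"
        print(f"{status:3} {row['activity']:24} "
              f"RTO {row['achievable_rto_hours']:>5.1f}h vs {row['required_rto_hours']:>5.1f}h required, "
              f"RPO {row['achievable_rpo_hours']:>5.1f}h vs {row['required_rpo_hours']:>5.1f}h required")
```

In the sample, order processing looks healthy if you only consider the web front end (two hours to restore), but it cannot run until the database and the directory it depends on are back, so the achievable recovery time is 12 hours against an 8-hour requirement. That four-hour gap is exactly the kind of misconception the gap analysis is meant to surface: the remedy is either a faster recovery for the database chain, or senior management formally accepting the exposure. Customer correspondence meets both objectives and needs no spending.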
In my experience as a consultant, such misconceptions are common yet can have major implications for the organisation's wellbeing. Should a serious incident occur, and the business be unable to recover its critical activities quickly enough to keep impacts within acceptable levels, the consequent loss of credibility, direct financial loss, breach of contracts, and so on, could ultimately damage the bottom line.
The business impact analysis helps business managers gain a better understanding of the extent to which they rely on IT systems and services. The gap analysis allows the IT department to propose ways of filling any existing gaps in recovery time objectives or recovery point objectives through targeted solutions.
Senior management can then either accept the current risk exposure where gaps exist or else provide the IT department with the necessary budget to close the gaps. Either way, senior management will understand the IT recovery capability and how it relates to business need, eliminating any misconceptions.
BS 25999 is the fastest-selling British standard ever. When part 2 was launched, 100 companies had already pre-registered for a certification audit. If your organisation does not yet have a business continuity management programme in place, you should recommend that it implements one. The benefits to the IT department, and indeed to the organisation as a whole, make the standard a powerful management tool, with the business impact analysis element helping to improve information security by putting hard numbers on the availability the business actually needs.
Embrace BS 25999. It's your new best friend.
Brian Davey is a senior consultant with Teed Business Continuity