Understanding IT business continuity management systems

In this excerpt from "BS25999: A Pocket Guide," learn about business continuity management systems and how to test a BC plan.

While it's essential to have a business continuity plan in the event of a disaster or breach, it doesn't matter how thorough the plan is if it doesn't work.

In this excerpt from "BS25999: A Pocket Guide," learn about business continuity management systems and how to use them to test a business continuity plan.

BS25999: A Pocket Guide
CHAPTER 3: The Business Continuity Management System

Chapter 1 refers to the key deliverable of business continuity planning as a business continuity plan that actually works. Every organisation should satisfy itself that its BCP is fit for purpose, otherwise the investment in developing the plan will have been wasted.

The BCMS is designed to ensure that the plan is, indeed, fit for purpose. It does this by:

  • Understanding and analysing the business recovery requirements, so that the impact resulting from an incident or interruption is properly understood and balanced across the organisation
  • Identifying and planning the resources that would be required in the worst possible situation, and ensuring that they would be available
  • Creating a documented plan that is based upon valid assumptions, delivers the required recovery outcomes and is properly understood, or ‘owned’, by those that are likely to need to use it
  • Testing the plan, resources and people involved so that everything remains up to date, capabilities are tested and the best level of assurance can be given as to the fitness for purpose of the plan.

These four key components will be well understood by anyone involved in running an organisation. However, a potential weakness in such a system has to do with the fact that the business continuity plan may never be needed. BCM is a contingent discipline and not ‘core business’ to any organisation except those involved in providing BCM products and services. It is quite likely, therefore, not to get the attention that it requires if it is to be reliable at the point of need.

A comprehensive BCMS therefore goes further than the functional components listed above. It includes policy, commitment and engagement from senior management, creating the ‘ownership’ throughout the organisation that makes the plans and arrangements operable in practice.

All these aspects were embodied in a code of practice published by BSI in the 1990s called PAS 56. This rather complex document was the forerunner of BS25999 and proposed something called the ‘Business Continuity Management Life Cycle’, which has been carried forward into the new standard.

This ‘life cycle’ is really just a way of saying that BCM is a reiterative process, rather than a one-off project.

The following illustration of the ‘life cycle’ model included in BS25999 is really saying that:

  • BCM is a programme, not a project, so you need programme management.

  • First, understand your organisation; analyse its processes, their criticalities, their resource dependencies and their recovery requirements.

  • Work out a strategy for how you will recover business processes and their supporting resources (for example, having your own dedicated stand-by facilities or entering into a contract with a third-party provider).

  • Draw up documented plans setting out what to do in the event of incidents and interruptions, referencing the strategies established in the previous phase.

  • Finally, test, maintain and review all of this regularly to make sure that it remains fit for purpose.

By ‘embedding’ BCM in your organisation’s culture, you will also ensure that the planning assumptions are validated by the right people, that those involved in managing the response to an incident are familiar with what they should do, and that contributions to these arrangements become part of day-to-day business life.


This extract and the original text it is taken from are both subject to IT Governance Publishing copyright. It may not be reproduced in any form without prior written consent from IT Governance Ltd.
