Chapter Summary

This chapter discusses the process of business continuity planning—preparing for the worst possible events that could happen to an organization. Many organizations give BCP a low priority for a host of reasons, including cost, inability to quantify some potential threats, and the belief that the organization can somehow escape these events.

The first step, initiation, requires that senior management establish business continuity as a priority. Developing and carrying out a successful business continuity plan takes much work and effort and should be done in a modular format. The business impact analysis is the next step. Although auditors are unlikely to be directly involved in this process, they can be of help here in providing data on the impact to the business if specific systems are unavailable. The goal of business impact analysis is to determine which processes need to happen first, second, third, and so on. Each step of the business continuity process builds on the last; the BCP team members must know the business and need to work with other departments and management to determine critical processes.

Recovery strategies must also be determined. For example, in case of loss of power, will a generator be used, or might the process continue at another location that has power? With these decisions made, a written plan must be developed that locks into policy whatever choices have been made. When the plan is implemented, the process is still not complete; the team must test the plan. During the test, an IS auditor should be present to observe the results. No demonstrated recovery exists until the plan has been tested. Common test methods include paper tests, preparedness tests, and full operation tests. To make sure these plans and procedures do not grow old or become obsolete, disaster recovery should become part of the decision-making process so that when changes are made, any policies they affect can be updated. Business continuity and disaster recovery plans can also be added to job responsibilities and to yearly performance reviews.