1051 NW 14th St., Suite 165
(UM mail routing R-26)
Miami, FL 33136
Hours: 8:30am - 5:00pm, M-F
Help Desk: 305-243-5999
General fax: 305-243-6417
Admin. fax: 305-243-2622
Business continuity management
Objective • Organizational policies and procedures should ensure timely resumption from, and if possible prevention of, interruptions to business activities and processes caused by failures of information systems.
Information security in the business continuity management process • A managed process should be developed and maintained for business continuity throughout the organization, that includes information security requirements needed for the organization's business continuity. This could include:
- identification of information assets involved in critical business processes;
- a risk assessment that addresses likely causes and consequences of information system failures;
- identification and consideration of preventive and mitigating controls in light of these risks;
- identification of sufficient financial, technical and human resources to address the preventive/mitigating control requirements;
- development and documentation of business continuity plans and processes, including assignment of responsibilities and incorporation of these into the organization's general processes and structure; and
- regular testing and updating of business continuity plans and processes.
Business continuity and risk assessment • Events that can cause interruptions to business processes should be identified, along with the probability and impact of such interruptions and their consequences for information security. This could include:
- identification of all significant risks and risk categories, including the probability and probable impact on operations in terms of scale, likely damage and recovery period;
- full involvement of owners of significant organizational assets in the assessment process;
- identification of acceptable and unacceptable losses and interruptions; and
- formal documentation of the assessment's results, and a plan for regular updating to ensure completeness and currency.
Developing and implementing continuity plans • Business continuity plans should be developed and implemented to maintain or restore operations, and ensure availability of information at the required level and in the required time, following interruptions to or failures of business processes. This could include:
- identification of and agreement on all responsibilities for development of operational procedures;
- specification of the disaster recovery/business continuity procedures to effect recovery and restoration of business processes;
- a data backup plan to ensure recovery of all data following process restoration, including the ability to replicate exact copies of data in its state prior to disruption of operations;
- specification of alternative operational procedures to follow pending completion of recovery and restoration, including methods for accessing all critical data;
- documentation of the above plan elements;
- appropriate training and awareness efforts for staff on the plan elements; and
- testing and updating of the plan (see Testing, maintaining and re-assessing plans).
Business continuity planning framework • A single framework of business continuity plans should be maintained to ensure that all plans are consistent, consistently assess information security requirements, and to identify priorities for testing and maintenance. This could include:
- specification of conditions and criteria for activating the plans;
- formal assignment of responsibilities for making assessments about plan activation, choices among emergency procedures and processes, resumption procedures, etc.; and
- formal assignment of responsibilities for keeping the plan current (see next).
Testing, maintaining and re-assessing plans • Business continuity plans should be tested and updated regularly to ensure that they are up to date and effective. This could include:
- periodic testing that assures that all persons with significant responsibilities under the plans are aware of and competent to perform them;
- a range and frequency of testing exercises, from table-top to complete rehearsals, performed as necessary to ensure awareness and competence; and
- regular reviews and updating of the plan(s) in light of testing results.
SOURCES: ISO-27001/27002:2005 sects. 14.1.1-5.