Introduction
As incidents such as malicious activism, terrorist attacks and environmental disasters, among others, garner
increased attention, so does the need for appropriate business continuity planning within organisations. Aside from
the risk of outright business closure, further motivation comes from considering the consequences of business
continuity disasters: decreased employee productivity, data loss, reduced revenues and profits, and
damage to corporate reputation and customer relationships.
This paper provides an introduction to the Business Continuity Management (BCM) discipline and the critical
process steps involved in developing a continuity initiative throughout your organisation. This includes defining
what BCM is, discussing historical and emerging standards (particularly key changes in the new ISO 22301
standard versus predecessors) and the steps in planning and executing BCM initiatives. The impacts of emerging
technologies on business continuity planning are also highlighted.
The key guardians of BCM initiatives are also identified in this paper giving a high-level overview of typical
requirements for CEOs and other board-level executives, IT and Risk professionals, as well as project managers,
consultants, or other line managers potentially involved in endorsing and driving BCM initiatives.
Why BCM?
1) Proactively improves an organisation's resilience against disruption of its ability to achieve its key objectives.
Implementing an organisational BCM strategy has many advantages, supporting improvements such as:
A predictable and effective response to future crises
Protection of individuals
Maintenance of vital activities of the organisation
A better overall understanding of the organisation
Cost reduction
Respect of the interested parties
Protection of the company's reputation and brand
Ensuring client confidence in the organisation
Increased competitive advantage
Better support for legal and regulatory compliance
Better assurance that various contractual obligations are met
There are a number of key differences between the present ISO 22301 and its predecessors. ISO 22301 places
greater emphasis on setting objectives, developing metrics and measuring performance, thereby placing further
emphasis on making top management accountable for Business Continuity processes. It also places
emphasis on defining the resources necessary for ensuring business continuity, and because it is an international standard,
certification bodies are more likely to buy in and promote it, which should lead to greater adoption and
certification among implementers. Other overlapping standards in the BCM arena include ISO 22399, ISO 24762
(ICT disaster recovery focus), ISO 27031, NIST 800-34 and NFPA 1600.
Implementing BCM
The first stage towards implementing Business Continuity processes in an organisation is to set up an appropriate
management system. Like other management systems, a Business Continuity policy needs to be defined alongside
identification of key people and their relevant responsibilities, and definition of appropriate management processes
for planning, implementing, assessing, reviewing and improving Business Continuity efforts. Provision for relevant
documentation to support auditing is also necessary, as well as identification of the business continuity
management processes that are relevant to the organisation.
As with other ISO management system standards, ISO 22301 adopts the Plan-Do-Check-Act (PDCA) approach, which is
applied to the structure of all processes in a management system. Stakeholder requirements and expectations are
fed into the cycle as input, leading to the necessary BCM actions and processes as output. Key elements of the
PDCA cycle in relation to BCM include:
Plan: Establish and agree the scope, identify within scope the information assets, roles and
responsibilities of staff members and conduct a Business Impact Analysis for the agreed scope.
Do: Implement and operate the policy, controls, processes and procedures of the management system.
Check: Assess and measure (where applicable) the process performances and report findings to
management for review.
Act: Undertake corrective and preventive actions on the basis of the overall process review, driving
continual improvement of the Business Continuity System.
The PDCA cycle applied to a Business Continuity Management System (reconstructed from the diagram):
Plan:
  Set up the BCMS and agree/update the scope
  Identify key roles and responsibilities
  Identify all information assets in scope
  Conduct a business impact analysis / risk assessment exercise for the agreed scope
  Analyse and evaluate the risks to determine unacceptable risks
  Identify appropriate controls to mitigate these risks and obtain management approval
  Define the BCP framework, objectives and methodology
  Ensure the BCP is signed off by senior management/board before proceeding
Do:
  Develop the BC and DR strategy, policies, procedures and plan, and other administrative controls
  Implement physical controls*
  Implement technical controls*
  Implement BCP training and awareness for the ISMS
  Implement BCP testing
Check:
  Review and monitor the BCP: conduct internal audits, management reviews, measurements and metrics
Act:
  Feed improvements and changes back into the BCP
  External certification audit (Stage 1 and Stage 2) is required for ISO 22301 certification
* Completed in parallel
PDCA diagram: Author Karn G. Bulsuk
Cost-benefit analysis is a crucial component of developing this strategy, in particular weighing the cost of being
without a given service at various points in time versus the cost of the continuity solution. Various ways of
introducing backup redundancy support for business critical operations should be considered, and appropriate
approaches identified. This can include having dedicated backup sites that become active when primary sites are
compromised, or having two active sites that can failover onto each other if needed. Several hybrid variants of
these two options are also possible depending on scenario and business needs.
Developing a continuity strategy around the organisation's business-critical technology elements is a crucial part of
any plan, and for most organisations there will be both internal and external technology-based assets and services
that need consideration. Strategies for handling continuity might involve spreading technology geographically so
that a disaster event is less likely to affect the entire infrastructure, holding older equipment as emergency
replacements or spares, or adding particular risk mitigation for sensitive, unique or long-lead-time equipment. By
extension, the chosen technology continuity strategies need to consider elements such as:
The required recovery time for key systems and applications
Location and distance between technology sites
Remote access requirements and required telecoms connectivity
Failover requirements - are system downtime and manual intervention required? Does the continuity
switchover need to be instantaneous?
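A worked cost-benefit comparison of the recovery options discussed above, added here as an illustration and not part of the original paper; the tiered downtime costs, recovery times and solution costs are constructed figures, not Espion's data:

```python
from dataclasses import dataclass

# Constructed downtime-cost profile for one business-critical service.
# Each tier is (end_hour, cost_per_hour): losses escalate the longer the
# service is unavailable, e.g. once SLAs are breached and orders are lost.
DOWNTIME_TIERS = [(4.0, 1_000.0), (24.0, 5_000.0), (float("inf"), 20_000.0)]


def downtime_cost(hours: float, tiers=DOWNTIME_TIERS) -> float:
    """Cumulative cost of being without the service for `hours` (tiered rate)."""
    total, start = 0.0, 0.0
    for end, rate in tiers:
        if hours <= start:
            break
        total += (min(hours, end) - start) * rate
        start = end
    return total


@dataclass(frozen=True)
class Option:
    name: str
    rto_hours: float    # recovery time this option delivers (hypothetical)
    annual_cost: float  # yearly running cost of the continuity solution


# Constructed candidate strategies, mirroring the options named in the text.
OPTIONS = [
    Option("No continuity provision", rto_hours=72.0, annual_cost=0.0),
    Option("Dedicated backup site", rto_hours=8.0, annual_cost=60_000.0),
    Option("Active-active sites", rto_hours=0.25, annual_cost=200_000.0),
]


def expected_annual_total(opt: Option, outages_per_year: float) -> float:
    """Solution cost plus expected outage loss at the option's recovery time."""
    return opt.annual_cost + outages_per_year * downtime_cost(opt.rto_hours)


def cheapest(options, outages_per_year: float) -> Option:
    """Option with the lowest expected annual total for the given outage rate."""
    return min(options, key=lambda o: expected_annual_total(o, outages_per_year))


if __name__ == "__main__":
    # The preferred option flips from a backup site to active-active sites
    # as the expected outage frequency (or the cost of each hour lost) rises.
    for rate in (0.5, 10.0):
        best = cheapest(OPTIONS, rate)
        print(f"{rate} outages/year -> {best.name}: "
              f"{expected_annual_total(best, rate):,.0f}")
```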
Virtualisation
A key benefit that virtualisation brings to BCM is that it can greatly reduce the number of
physical servers and other hardware that an organisation needs to manage and worry about. Virtual
machines and applications can be replicated more easily, and switched more easily between physical
resource pools such as processors, memory and storage. In addition, desktop virtualisation technologies
such as Citrix and VDI, combined with secure tunnelling, can enable employees to work remotely away
from core premises in the event of a disaster.
Cloud Computing
Developments in cloud computing can bring significant benefits to continuity planning. For
example, organisations are now able to combine external SaaS options with private cloud infrastructures,
switching seamlessly between different internal and external cloud scenarios as needed for continuity.
Baseline operations might run on a private cloud infrastructure, while a downtime
event or a need to scale up may automatically transition the infrastructure to an external
cloud provided by service providers. While this creates new possibilities, it also creates new IT
management challenges, and appropriate SLAs with external service providers should be arranged. It is
important to note that gaining insight into the site recovery capabilities of external providers may be a
challenge.
Mobile Computing
Business Continuity thought leaders increasingly see mobile devices as a key medium for supporting
workforce recovery during a business recovery event. Mobile devices can alert employees to information
such as the current status of recovery, where employees should go in response to the event, and the
applications and services they can access. Mobile sales personnel can also be supported in
continuing remote work with minimal disruption. Aside from these communication aspects, mobile devices
are increasingly subsuming much of the functionality traditionally associated with PCs, allowing them to
support actual work tasks when PC-based sites are unavailable.
Social Networks
The role that social networking platforms such as Twitter, Facebook, LinkedIn, Skype and others can play
in BCM is still emerging. Their potential as a mass communications channel for supporting incident
management and disaster recovery is self-evident, particularly in relation to mobilising employees and other
key stakeholders. However, they can also be harmful from a PR perspective if misleading, inappropriate or
untimely information about a disaster event is made available to the public.
About Espion
Espion are Corporate Information specialists. We work with organisations across all industries and business functions to provide advice and assistance relating to the holistic compliance, protection and management requirements of their most valuable asset: information. This allows our clients to focus on their core business and ultimately achieve greater success.
Espion Headquarters
Corrig Court, Corrig Road, Sandyford Industrial Estate, Dublin 18, Ireland
+353 (01) 2101711
www.espiongroup.com