Business continuity is concerned with maintaining critical operations during any interruption in a service.
It should focus on incidents that are infrequent but may have a large impact on the organization, such as a disaster.
Disaster recovery focuses on resumption of operations after an interruption due to disaster.
Continuity management is a term that groups both business continuity and disaster recovery.
A Business Continuity Plan (BCP) is the plan an organization uses to respond to a disruption of its critical business processes.
Main steps within the BCP, according to CISSP:
- Project scope and planning
- Business impact analysis (BIA)
- Continuity Planning
- Approval and implementation
Steps to create a BCP:
- Inventory of assets
- Risk analysis and Business Impact Analysis (BIA) of the assets
- Recovery Strategy Development
- Implementation of BCP
- Recovery Procedures / Disaster Recovery Plan (DRP)
- Periodic tests/simulations
Creating a BCP is an iterative and continuous process, so the previous steps are repeated in cycles.
The recovery steps are not considered within BCP; they are taken in the DRP. BCP is usually managed by the business, and DRP by IT.
Risk analysis provides a broad view of potential risks and threats across the organization, helping prioritize where to focus resources for mitigation.
BIA zooms in on the specific impacts of disruptions to critical business functions, guiding the development of business continuity plans and ensuring resources are allocated effectively to maintain essential operations.
Business Impact Analysis
Identify the processes, then the threats to them and the likelihood that each threat occurs.
Concepts related to Business Continuity
The Disaster Recovery Plan (DRP) covers the technological aspects of business continuity and documents the detailed procedures for the recovery operations, for example:
- restoring from backup tapes
- restarting business operations
- relocation
- Maximum Tolerable Period of Disruption (MTPD)
- Mean Time Between Failures (MTBF)
- Mean Time To Repair (MTTR)
- Recovery Time Objective (RTO)
- Recovery Point Objective (RPO)
- Critical Success Factor (CSF)
- Key Performance Indicator (KPI) and Key Risk Indicator (KRI)
Risk capacity = Risk Tolerance + Risk Appetite
Individuals with specific business continuity roles should receive training at least annually.
Standards related to Business Continuity
Standards related to business continuity:
- ISO 22301 covers a Business Continuity Management System (BCMS)
- ISO 22317 covers a Business Impact Analysis (BIA)
- ISO 31000 covers overall risk management
- ISO 27005 covers risk management oriented to IT