Business Continuity

Business continuity should make focus on incidents that are not frequent but may cause a big impact on the organization.

A Business Continuity Plan (BPC) is a plan used by an organization to respond to disruption of critical business process.

Steps to create a BCP:

1. Inventory of assets
2. Risk analysis with Business Impact Analysis (BIA) of the assets
3. Recovery Strategy Development
4. Implementation of BCP
5. Recovery Procedures / DRP
6. Periodical Test/Simulations

Create a BCP is an iterative and continuous process, so the previous steps may be repeated in cycles.

Concepts related to Business Continuity

Disaster Recovery Plan (DRP) covers the technological aspects of business continuity and document the detail procedure of the recovery operations.

Maximum Tolerable Period of Disruption (MTPD)

MTBF

MTTR

Recovery Time Objective (RTO)

Recovery Point Objective (RPO)

Critical Success Factor (CSF)

Key Performance Indicator (KPI)

Risk capacity = Risk Tolerance + Risk Appetite

Standards related to Business Continuity

Standards related to business continuity:

• ISO 22301 covers a Business Continuity Management System (BCMS)
• ISO 22317 covers a Business Impact Analysis (BIA)
• ISO 31000 covers overall risk management
• ISO 27005 covers risk management oriented to IT

You might also be interested in…

• What is the difference between Risk Assessment and Business Impact Analysis

External References

• Various authors; “CISA Review Manual 15th Edition“, ISACA, 2016
• Sherifat Akinwonmi, Geary Sikich; “ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Management“, PECB