Business Continuity

Business continuity should focus on incidents that are infrequent but can have a large impact on the organization.

A Business Continuity Plan (BCP) is the plan an organization uses to respond to the disruption of critical business processes.

Main steps within the BCP, according to CISSP:

  1. Project scope and planning
  2. Business impact analysis (BIA)
  3. Continuity Planning
  4. Approval and implementation

Steps to create a BCP:

  1. Inventory of assets
  2. Risk analysis with Business Impact Analysis (BIA) of the assets
  3. Recovery Strategy Development
  4. Implementation of BCP
  5. Recovery Procedures / Disaster Recovery Plan (DRP)
  6. Periodical Test/Simulations

Creating a BCP is an iterative and continuous process, so the previous steps are repeated in cycles.

The recovery steps themselves are not part of the BCP; they belong to the DRP. The BCP is usually owned by the business, and the DRP by IT.

Risk analysis provides a broad view of potential risks and threats across the organization, helping prioritize where to focus resources for mitigation.

BIA zooms in on the specific impacts of disruptions to critical business functions, guiding the development of business continuity plans and ensuring resources are allocated effectively to maintain essential operations.

Business Impact Analysis

Identify the critical processes, then the threats to each of them and the likelihood that each threat occurs.

Concepts related to Business Continuity

The Disaster Recovery Plan (DRP) covers the technological aspects of business continuity and documents the detailed procedures of the recovery operations.

Maximum Tolerable Period of Disruption (MTPD)
Recovery Time Objective (RTO)

Recovery Point Objective (RPO)

Critical Success Factor (CSF)

Key Performance Indicator (KPI) and Key Risk Indicators (KRI)

Risk capacity = Risk Tolerance + Risk Appetite

Individuals with specific business continuity roles should receive training on at least an annual basis.

Standards related to Business Continuity

Standards related to business continuity:

  • ISO 22301 covers a Business Continuity Management System (BCMS)
  • ISO 22317 covers a Business Impact Analysis (BIA)
  • ISO 31000 covers overall risk management
  • ISO 27005 covers risk management oriented to IT
