BUSINESS CONTINUITY MANAGEMENT THROUGH STANDARDS AND BEST PRACTICES Jasmina Trajkovski, CISA, CISM

Posted on 15-Dec-2015

Page 1: BUSINESS CONTINUITY MANAGEMENT THROUGH STANDARDS AND BEST PRACTICES Jasmina Trajkovski, CISA, CISM


Page 2:

What is BCM?

• A holistic management process
• Identifies potential impacts
• Provides a framework for resilience and response capability
• Safeguards the interests of key stakeholders

or more simply…

Page 3:

Not just a paper plan, it also requires organisation, planning, assessment, training, rehearsal and more.

A process that establishes a secure and resilient business environment capable of mounting an immediate and effective response to a major incident.

Page 4:

Objective of business continuity management

[Chart: level of business (vertical axis) plotted against time (horizontal axis) after an incident, with a "Critical recovery point" threshold and three curves: "Fully tested effective BCM", "No BCM – 'lucky' escape" and "No BCM – likely outcome".]

Page 5:

Impact of Downtime

Know the downtime costs (per hour, per day, per two days...)

Lost Revenue
• Direct loss
• Compensatory payments
• Lost future revenue
• Billing losses
• Investment losses

Lost Productivity
• Number of employees impacted x hours out x hourly rate

Damaged Reputation
• Customers
• Suppliers
• Financial markets
• Banks
• Business partners

Financial Performance
• Revenue recognition
• Cash flow
• Lost discounts (A/P)
• Payment guarantees
• Credit rating
• Stock price

Other Expenses
• Temporary employees, equipment rental, overtime costs, extra shipping costs, travel expenses...

Page 6:

Availability Measurement – Levels of ‘9s’ Availability

% Uptime    % Downtime   Downtime per Year   Downtime per Week
98%         2%           7.3 days            3 hrs 22 min
99%         1%           3.65 days           1 hr 41 min
99.8%       0.2%         17 hrs 31 min       20 min 10 sec
99.9%       0.1%         8 hrs 45 min        10 min 5 sec
99.99%      0.01%        52.5 min            1 min
99.999%     0.001%       5.25 min            6 sec
99.9999%    0.0001%      31.5 sec            0.6 sec

(Figures assume a 365-day year of 8,760 hours and a 168-hour week.)
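The two slides above (the per-hour downtime cost drivers and the levels-of-9s table) are one calculation once written down. The following is an added example, not code from the presentation: it reproduces the table from the availability percentage, joins it to a per-hour cost figure built from the "Impact of Downtime" drivers, and adds two checks the table does not show but a practitioner wants: the end-to-end availability of a dependency chain is the product of its parts, and a yearly downtime budget does not bound the length of any single outage, which is what an RTO is about. The cost inputs (employee count, rates, revenue) are constructed placeholders.

```python
"""Availability target -> downtime budget -> downtime cost.

Added example, not from the presentation. The cost inputs used below are
constructed placeholders; substitute the figures from your own BIA.
"""
from dataclasses import dataclass
from typing import Iterable

SECONDS_PER_YEAR = 365 * 24 * 3600   # 8,760 h, as the '9s' table assumes
SECONDS_PER_WEEK = 7 * 24 * 3600     # 168 h


def downtime_seconds(availability_pct: float, period_seconds: int = SECONDS_PER_YEAR) -> float:
    """Seconds of downtime allowed in `period_seconds` at `availability_pct` uptime."""
    if not 0.0 <= availability_pct <= 100.0:
        raise ValueError("availability must be a percentage in [0, 100]")
    return (100.0 - availability_pct) / 100.0 * period_seconds


def fmt_duration(seconds: float) -> str:
    """Render a duration as e.g. '8h 45m 36s' (leading zero units dropped)."""
    total = int(round(seconds))
    days, rem = divmod(total, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    parts = [(days, "d"), (hours, "h"), (minutes, "m"), (secs, "s")]
    while len(parts) > 1 and parts[0][0] == 0:
        parts.pop(0)
    return " ".join(f"{n}{unit}" for n, unit in parts)


def serial_availability(component_pcts: Iterable[float]) -> float:
    """End-to-end availability when every component must be up (a dependency chain).

    It is the product of the individual availabilities, so three '99.9%'
    layers (network, datacenter, application) deliver less than three nines."""
    total = 1.0
    for pct in component_pcts:
        total *= pct / 100.0
    return total * 100.0


def single_outage_availability(outage_seconds: float, period_seconds: int = SECONDS_PER_YEAR) -> float:
    """Availability over `period_seconds` if the only outage lasts `outage_seconds`.

    A yearly budget says nothing about how long any one outage may last:
    99.9% permits a single 8h 45m outage, which already breaks a 4-hour RTO."""
    return (1.0 - outage_seconds / period_seconds) * 100.0


@dataclass
class DowntimeCost:
    """Per-hour cost drivers from the 'Impact of Downtime' slide (constructed values)."""
    employees_impacted: int
    hourly_rate: float       # loaded cost per employee-hour (lost productivity)
    revenue_per_hour: float  # lost revenue
    other_per_hour: float    # overtime, rentals, expedited shipping, travel ...

    def per_hour(self) -> float:
        return self.employees_impacted * self.hourly_rate + self.revenue_per_hour + self.other_per_hour


def annual_downtime_cost(availability_pct: float, cost: DowntimeCost) -> float:
    """Expected yearly downtime cost if the availability target is exactly met."""
    hours = downtime_seconds(availability_pct) / 3600.0
    return hours * cost.per_hour()


if __name__ == "__main__":
    for pct in (98, 99, 99.8, 99.9, 99.99, 99.999, 99.9999):
        print(f"{pct:>8}%  year: {fmt_duration(downtime_seconds(pct)):>14}"
              f"  week: {fmt_duration(downtime_seconds(pct, SECONDS_PER_WEEK)):>10}")
    example = DowntimeCost(employees_impacted=200, hourly_rate=50.0,
                           revenue_per_hour=10_000.0, other_per_hour=1_000.0)
    print("99.9% target, yearly cost:", annual_downtime_cost(99.9, example))
    print("three 99.9% layers end to end:", round(serial_availability([99.9] * 3), 4), "%")
    print("one 4h outage per year:", round(single_outage_availability(4 * 3600), 4), "%")
```

Run it and the printed table matches the slide; the two extra lines are the ones to take to a BIA workshop: a target for the application alone is meaningless without the availability of everything it depends on, and the recovery time objective has to be agreed separately from the availability percentage.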

Page 7:

Impact Scenarios

• Loss or denial of physical space: your work area has been destroyed and/or become inaccessible
• Access to space, but loss of technology: your area is intact, but without data/power/water/etc.
• Both

Page 8:

Impact Categories

Financial: the cost to recover all functions plus the loss of revenue. Example: the BP oil spill cost billions to clean up, plus billions in lost product.

Operational: the ability to physically execute a critical business function.

Page 9:

Impact Categories (continued)

Legal/Regulatory: the exposure to being fined, sued, or shut down.

Customer: the ability to retain the customer base when operating in Emergency Mode.

Reputation: the ability to retain the customer base when the story gets out.

Page 10:

The business continuity plan

[Chart: activity (vertical axis) plotted against time objective (horizontal axis), showing the plan's components in sequence: emergency response plan, crisis management/communication plan, business recovery plan, leading to "A successful outcome".]

Page 11:

What is wrong with current plans

• Outdated or gathering dust on the shelves
• Reads like a policy rather than a process to restore
• Recovery team is not aware of plan contents or has not been trained
• Only addresses restoring IT systems
• Lacks an effective plan to restore connectivity between locations and to manage communications to customers, local media and employees
• Never been tested
• A large single document
• Saved only on the network (so it is unreachable in exactly the incident that takes the network down)
• Does not address security incidents
• Too much focus on catastrophic disasters or natural disasters
• Does not address availability of critical vendors
• One plan fits all disruptions

Page 12:

Some survey results 2014

One-third of respondents who experienced outages reported that critical applications were lost for hours and sometimes multiple days.

Even more alarming, one in four respondents said they had lost most, if not all, of their datacenter for hours and in some cases days.

Nearly one in four respondents never tested their DR plans, and one-third of those surveyed test their plans only once or twice a year. When companies do test, more than 65% do not pass their own DR tests.

Source: http://drbenchmark.org/

Page 13:

Page 14:

BUT….. WHERE DO THE STANDARDS COME IN THE PICTURE?

Page 15:

Page 16:

Difference in objective / purpose

Standards
• What has to be done
• Agreed / accepted by a representative number of countries
• Applicable to all types of organizations

Best practices
• What works well
• How an activity can be done
• A compilation of practices from various types of organizations

Page 17:

Standards….

• ISO 22301:2012, "Societal security -- Business continuity management systems -- Requirements"
• BS 25999-2:2007, "Specification for Business Continuity Management" - replaced by ISO 22301:2012
• NFPA 1600, Standard on Disaster/Emergency Management and Business Continuity Programs
• ASIS/BSI BCM.01:2010, published Dec 2010
• ANSI/ASIS SPC.1-2009, Organizational Resilience

(Since this presentation was given, ISO 22301:2012 has itself been replaced by ISO 22301:2019.)

Page 18:

Best practices….

• Business Continuity Institute – Good Practice Guidelines
• Disaster Recovery Institute – reference materials
• BS 25777, "Information and communications technology continuity management. Code of practice" – replaced by ISO/IEC 27031:2011, "Guidelines for information and communication technology readiness for business continuity"
• ISO/IEC 27002:2013, "Code of practice for information security controls"
• ISO 22313:2012, "Societal security -- Business continuity management systems -- Guidance"
• ISO/IEC 27031:2011, "Information security - Security techniques — Guidelines for information and communication technology [ICT] readiness for business continuity"
• BS 25999-1:2006, "Business Continuity Management. Code of Practice" – replaced by ISO 22313:2012
• HB 292-2006: A practitioner's guide to business continuity management
• HB 293-2006: Executive guide to business continuity management
• And many more….

Page 19:

ISO22301 Elements

Page 20:

ISO22301 clauses

Page 21:

Standards provide requirements for

• Determining the context of the organization
• A list of legal, regulatory and other requirements
• The scope of the BCMS (Business Continuity Management System) and an explanation of exclusions
• Business continuity policy and business continuity objectives
• Competences of personnel
• Communication with interested parties
• A process for business impact analysis and risk assessment
• Business continuity procedures
• Incident response procedures
• Procedures for restoring and returning business from temporary measures
• The PDCA (Plan-Do-Check-Act) cycle

Page 22:

BCI Good Practice Guidelines

Management practices
• Policy and program management
• Embedding business continuity

Technical practices
• Analysis
• Design
• Implementation
• Validation

Page 23:

Best practices

Page 24:

Final words

Do not just make the plan….

….. Test to see if it works

…. If it provides the required continuity

…. And if the right people know how to use it.

Page 25:

JASMINA TRAJKOVSKI, CISA, [email protected]