After completing the first step towards ISO 27001 Certification, risk assessment, the second step in the process is the implementation of a Business Continuity Management plan. Business Continuity Management (BCM) is the aggregate management process of identifying potential threats to a business entity, the impact those threats pose to operations, and the steps needed to carry on business operations during a disruption.

The following is a suggested guideline for implementing a BCM plan, aimed at achieving ISO 27001 Certification.

1. Understand the organization

Define the scope of the business continuity management system. Are you planning for the entire company or only for a subsection? Upon determining the scope, you will need to assign the members of your business continuity team. It is also important to understand the nature of the business (organizational objectives), to identify the stakeholders, and to identify the compliance requirements defined by regulatory and statutory bodies.

2. Identify strategic factors and resources

Identify the vital revenue sources of your organization and how your products and services may be affected by a disruption. Examples of areas to consider are: profitability, contractual obligations, compliance issues, business commitments, brand image, and customer service, to name a few. It is important to understand the activities that support the strategic factors, how the organization operates, and how the business processes are applied in production, sales and services. Further, internal and external dependencies need to be identified, such as customers, suppliers, or third parties.

3. Determine and define the level of impact a disruption may cause

It is important to have a grasp on the potential impact of a disruption to your organization. When analyzing that impact, use consistent evaluation criteria to define the level of impact. Decide which processes are the most critical for organizational operations and document them. By doing so, you can understand the impact a disruption would have on the organization.

4. Complete an Impact Analysis

Identify the maximum tolerable period of disruption (MTPoD) for each strategic factor or resource. Then, determine the recovery time objective (which must be less than the MTPoD) and the resource requirements needed to meet that objective, such as equipment, skills, buildings, information and activities. Finally, determine the minimal service level needed to meet customer and stakeholders' expectations.

5. Determine business continuity arrangements with external parties

Determine which business continuity arrangements rely on external dependencies and ensure your organization can rely on those external parties to support critical tasks.

6. Perform and document a risk assessment

As an ongoing measure to mitigate threats, a risk assessment should be completed. This leads to continuous improvement, a key factor in risk management. An important factor here is to consider threats and vulnerabilities to critical activities and supporting resources. Decide the impact to the business if the threats you have identified in the risk assessment occur.

7. Incident Response and Risk Treatment

Develop and implement a plan to address disruptions in business operations to shorten the period of disruption and limit the impact of disruption. This should be conducted by creating business continuity plans, where each step of the plan is identified. When identifying steps it is important to assign the responsibility for conducting each step to the appropriate team. The team has to be made aware of its responsibilities so it can react in a timely manner during a disruption. Further, in the step identification process, an estimation of the time it will take to complete each step should be made. Plan tasks and actions should be prioritized and the intended results summarized. This allows organizations to conclude which steps are most critical to ensure business operations can continue. Next, perform a risk treatment to determine the measures to modify the risk, e.g. avoid risk, reduce risk, transfer risk, or accept risk.

8. Test Business Continuity Management Plans

Periodic tests of your BCM plans should be held and the results should be recorded. To do this, disruption scenarios should be carried out and the plans should be tested against these scenarios. During the test, the timeframes of each step (estimated in step 7) should be reviewed to see if they provide an accurate picture of the time it takes to respond in reality. This is an important step, as continuous improvement is vital, with the purpose of the test being to achieve organizational acceptance that the business continuity plan satisfies your organization's recovery requirements.

Business Continuity Planning is one of three steps required for a full implementation of ISO/IEC 27001. The other two are Risk Assessment and the development of an organizational manual, i.e. the procedures, processes and policies.

RM Studio, Simplifying Risk Management
