After completing the previous phases towards ISO 27001 certification, the final step in the process is the implementation of a Business Continuity Management plan. Business Continuity Management (BCM) is a holistic management process that identifies potential threats to a business entity (based on the Risk Assessment), the impact those threats would have on operations, and the steps needed to recover business operations after a disruption. BCM provides a framework for building organizational resilience against disruptions to operations caused by events such as fire, natural hazards, equipment failure, cyber-attacks and other malicious acts. In short, it provides for an effective response that safeguards the interests of key stakeholders, reputation, brand and value-creating activities. Note that ISO/IEC 27001 itself (Annex A.17 in the 2013 edition) requires information security continuity, that is, maintaining information security during a disruption and verifying the continuity controls; a full business continuity management system is the subject of ISO 22301, so the two are complementary rather than interchangeable.
The Business Continuity Plan (BCP) documents the procedures and instructions an organization must follow in the event of a disruption or disaster; the BCP covers business processes, assets, human resources, business partners and more.
Below are our best practices for implementing a BCM plan designed to meet the requirements of ISO 27001 certification.
1. Understand the organization
Define the scope of the business continuity management system. Are you planning for the entire company or only for a sub-section? Once the scope is determined, assign the members of your business continuity team. It is also important to understand the nature of the business (organizational objectives), to identify the stakeholders, and to identify the compliance requirements that apply, whether imposed by regulatory and statutory bodies or by standards the organization has committed to, such as ISO 27001.
2. Identify strategic factors and resources
Identify the vital revenue sources of your organization and how your products and services would be affected by a disruption. Examples of areas to consider are: profitability, contractual obligations, compliance issues, business commitments, brand image, and customer service, to name a few. It is important to understand the activities that support these strategic factors, how the organization operates, and how the business processes are applied in production, sales and services. Further, internal and external dependencies need to be identified, such as customers, suppliers, or third parties.
3. Determine and define the level of impact a disruption may cause
It is important to have a clear grasp of the potential impact of a disruption on your organization. When analyzing that impact, use consistent evaluation criteria (for example, the same financial, operational, legal and reputational scales for every process) so that impact levels are comparable across the organization. Decide which processes are the most critical for organizational operations and document them. Doing so lets you see how a disruption to any one of them would change the organization's ability to operate.
4. Complete an Impact Analysis
Identify the maximum tolerable period of disruption (MTPoD) for each strategic factor or resource, that is, the point after which the impact of the disruption becomes unacceptable. Then determine the recovery time objective (RTO), which must be shorter than the MTPoD so that recovery completes before the damage becomes unacceptable, and the resource requirements needed to meet that objective, such as equipment, skills, buildings, information and activities. Finally, determine the minimum service level needed to meet customer and stakeholder expectations while full recovery is under way.
5. Determine business continuity arrangements with external parties
Determine which aspects of your BCP rely on external dependencies to support critical tasks and ensure your organization has the arrangements and contracts in place, including any continuity and recovery commitments the provider must meet. The use of external parties should keep operations running as seamlessly as possible, so that the disruption is as close to business as usual as the organization can achieve.
6. Perform and document a risk assessment
As an ongoing measure to identify and mitigate threats, a risk assessment should be completed; if you have followed our best practices to this point, you already have a complete risk assessment. An important factor here is to consider the threats and vulnerabilities affecting critical activities and their supporting resources, and to determine the impact on business operations if a risk event occurs.
7. Incident Response and Risk Treatment
Develop and implement a plan to address disruptions in business operations, with the aim of shortening the period of disruption and limiting its impact. Write the BCPs as step-by-step procedures. When identifying steps, assign responsibility for conducting each step to the appropriate team, and make the team aware of its responsibilities so it can react in a timely manner during a disruption. Also estimate the time it will take to complete each step; these estimates are what you will later compare against actual timings when the plan is tested. Prioritize the BCP procedures and summarize their intended results, which allows your organization to conclude which steps are most critical to keeping business operations running. Use your risk treatment together with the BCP to decide how each risk should be modified, whether by reducing it, transferring it, avoiding it or accepting it.
8. Test Business Continuity Management Plans
Periodically test your BCM plans and record the results. To do this, execute mock disruption scenarios and apply the plans against them. During the test, review the timeframe of each step (estimated in step 7) to see whether it gives an accurate picture of the time a response takes in reality, and record any gaps as improvement actions. The importance of this step cannot be overstated: continuous improvement is vital, and the purpose of the test is to achieve organizational acceptance that the business continuity plan satisfies your organization's recovery requirements.
This concludes our guide towards ISO 27001 certification. It should be noted that these articles are only meant as guidelines and are in no way comprehensive; many other factors must be addressed in order to qualify for ISO 27001 certification. Our goal is for these articles to serve as an architectural framework your organization can build upon towards its goal of ISO 27001 certification.