Business Continuity & Business Compliance Terms (Cont. 1)

August 27, 2009

Compliance
Certification or confirmation that the doer of an action (such as the writer of an audit report), or the manufacturer or supplier of a product, meets the requirements of accepted practices, legislation, prescribed rules and regulations, specified standards, or the terms of a contract.

Compliance audit
Audit undertaken to confirm whether a firm is following the terms of an agreement (such as a bond indenture), or the rules and regulations applicable to an activity or practice prescribed by an external agency or authority.

Compliance test
Audit undertaken to confirm whether a firm is following the rules and regulations (prescribed by its internal authority or control system) applicable to an activity or practice. See also substantive test.

Conformance
Certification or confirmation that a good, service, or conduct meets the requirements of legislation, accepted practices, prescribed rules and regulations, specified standards, or terms of a contract.

Supplier quality assurance
Confidence in a supplier’s ability to deliver a good or service that will satisfy the customer’s needs. Achievable through interactive relationship between the customer and the supplier, it aims at ensuring the product’s ‘fit’ to the customer’s requirements with little or no adjustment or inspection. The US quality guru Joseph Moses Juran (born 1904 in Romania ) divides the supplier quality assurance process into nine steps: (1) definition of the product’s quality requirements, (2) evaluation of alternative suppliers. (3) selection of the most appropriate supplier, (4) conduction of joint quality planning, (5) cooperation during relationship period, (6) validation of conformance to requirements, (7) certification of qualified suppliers, (8) conduction of quality improvement plans, (9) creation and use of supplier ratings.

Conflict resolution
Intervention aimed at alleviating or eliminating discord through conciliation.

Chronological division of work to be performed under a contract or subcontract in the completion of a project. Also called work scope.

Work scope
Alternative term for scope of work.

Information security
Safe-guarding an organization’s data from unauthorized access or modification to ensure its availability, confidentiality, and integrity.

Inherent risk
Probability of loss arising out of circumstances or existing in an environment.

Risk mitigation
Systematic reduction in the extent of exposure to a risk and/or the likelihood of its occurrence. Also called risk reduction.

Business continuity
Ability of the key operations of a firm to continue without stoppage, irrespective of the adverse circumstances or events.

Business continuity planning (BCP)
Task of identifying, developing, acquiring, documenting, and testing procedures and resources that will ensure continuity of a firm’s key operations in the event of an accident, disaster, emergency, and/or threat. It involves (1) risk mitigation planning (reducing possibility of the occurrence of adverse events), and (2) business recovery planning (i.e. ensuring continued operation in the aftermath of a disaster).

Business continuity program
Ongoing management-level process to ensure that necessary steps are regularly taken to identify probable accidents, disasters, emergencies, and/or threats. It also involves (1) assessment of the probable effect of such events, (2) development of recovery strategies and plans, and (3) maintenance of their readiness through personnel training and plan testing. See also business impact analysis.

Business risk
Probability of loss inherent in a firm’s operations and environment (such as competition and adverse economic conditions) that may impair its ability to provide returns on investment. Business risk plus the financial risk arising from use of debt (borrowed capital and/or trade credit) equal total corporate risk.

Disaster recovery
Process of returning an organization, society, or system to a state of normality after the occurrence of a disastrous event.

Operational risk
Probability of loss occurring from the internal inadequacies of a firm or a breakdown in its controls, operations, or procedures.

System testing
The process of performing a variety of tests on a system to explore functionality or to identify problems. System testing is usually required before and after a system is put in place. A series of systematic procedures are referred to while testing is being performed. These procedures tell the tester how the system should perform and where common mistakes may be found. Testers usually try to “break the system” by entering data that may cause the system to malfunction or return incorrect information. For example, a tester may put in a city in a search engine designed to only accept states, to see how the system will respond to the incorrect input.

System analysis
Use of experimental approach (simulation) in understanding the behavior of an economy, market, or other complex phenomenon where mathematical analysis techniques are inadequate or unfeasible. See also system dynamics and systems analysis.

System dependability
Probability that a computer or other system will perform its intended functions in its specified environment without significant degradation.

Quality management system (QMS)
Collective policies, plans, practices, and the supporting infrastructure by which an organization aims to reduce and eventually eliminate non-conformance to specifications, standards, and customer expectations in the most cost effective and efficient manner.

Niche marketing

This is the practice of concentrating all marketing efforts on a small but specific and well defined segment of the population. Niches do not ‘exist’ but are ‘created’ by identifying needs, wants, and requirements that are being addressed poorly or not at all by other firms, and developing and delivering goods or services to satisfy them. As a strategy, niche marketing is aimed at being a big fish in a small pond instead of being a small fish in a big pond.

Regulations

A type of “delegated legislation” promulgated by a state, federal or local administrative agency given authority to do so by the appropriate legislature. Regulations generally are very specific in nature; they are also referred to as “rules” or simply “administrative law.”

Source: Georgetown Law School

Best Practices

Methods and techniques that have consistently shown results more superior than those achieved with other means, and which are used as benchmarks to strive for.

Source: Business Dictionary, COM

Standards

Documented agreements containing technical specifications or other precise criteria to be used consistently as rules, guidelines or definitions of characteristics, to ensure that materials, products, processes and services are fit for their purpose.

Source: International Standards Organization – ISO

Spoliation

Spoliation, in a legal context, is any act that renders potential evidence invalid, either intentionally or through negligence. In the case of a document, for example, destroying, altering or hiding it would all be considered spoliation if the document were relevant to current litigation.

Spoliation is illegal in many countries, including the United States, and is punishable by fine and/or incarceration. Furthermore, the legal system has established through case law that when spoliation has occurred it may be inferred that the evidence was unfavorable to the responsible party. As a result, that inference may be factored into the decision of the case.

Spoliation comes from the Latin spoliare, meaning to plunder. The use of the word in its current legal context dates back to a Roman rule of conduct, Omnia praesumuntur contra spoliatorem, which translates, roughly, as “Let everything be presumed against the spoiler of evidence.”

SearchCIO.com Definitions (Powered by WhatIs.com)

Cold site

In business continuity planning, empty building equipped with electric power, air conditioning, telephone connections, water, etc., but without computers, office equipment, and furniture. A cold site provides a less timely response to a disaster because it must be converted into a hot-site for use.

Source: Business Dictionary, COM

Hot site

Fully-equipped alternative computer center, office, work space or industrial facility that can be made immediately available to continue critical business functions affected by a disaster at the primary location. See also cold site and warm site.

Source: Business Dictionary, COM

Internal Audit

An audit conducted by, or on behalf of, the organization itself for management review and other internal purposes, and which might form the basis for an organization’s self-declaration of conformity.

Source: International Standards Organization – ISO

Organization

A group of people and facilities with an arrangement of responsibilities, authorities and relationships. An organization can be public or private.

Source: International Standards Organization – ISO

Process

A set of interrelated or interacting activities which transforms inputs into outputs.

Source: International Standards Organization – ISO

Recovery time objective (RTO)

A target time set for resumption of product, service or activity delivery after an incident.

Source: International Standards Organization – ISO

Resiliency

The ability of an organization to resist being affected by an incident.

Source: International Standards Organization – ISO

System

A set of interrelated or interacting elements.

Source: International Standards Organization – ISO

Incident

A situation that might be, or could lead to, a business disruption, loss, emergency or crisis.

Source: International Standards Organization – ISO

Critical activities

Those activities which have to be performed in order to deliver the key products and services which enable an organization to meet its most important and time-sensitive objectives.

Source: International Standards Organization – ISO

Consequence

The outcome of an incident that will have an impact on an organization’s objectives. There can be a range of consequences from one incident. A consequence can be certain or uncertain and can have positive or negative impact on objectives.

Source: International Standards Organization – ISO

Cost-benefit analysis

A financial technique that measures the cost of implementing a particular solution and compares this with the benefit delivered by that solution. The benefit may be defined in financial, reputational, service delivery, regulatory or other terms appropriate to the organization.

Source: International Standards Organization – ISO

Disruption

An event, whether anticipated or unanticipated, which causes an unplanned, negative deviation from the expected delivery of products or services according to the organization’s objectives.

Source: International Standards Organization – ISO

Exercise

An activity in which the business continuity plan(s) is rehearsed in part or in whole to ensure that the plan(s) contains the appropriate information and produces the desired results when put into effect. An exercise can involve invoking business continuity procedures, but is more likely to involve the simulation of a business continuity incident, announced or unannounced, in which participants role-play in order to assess what issues might arise, prior to a real invocation.

Source: International Standards Organization – ISO

Invocation

An act of declaring that an organization’s business continuity plan needs to be put into effect in order to continue delivery of key products or services.

Source: International Standards Organization – ISO

>Maximum Tolerable Period of Disruption

The duration after which an organization’s viability will be irrevocably threatened if product and service delivery cannot be resumed.

Source: International Standards Organization – ISO

Nonconformity

The non-fulfillment of a requirement. A nonconformity can be any deviation from relevant work standards, practices, procedures, legal requirements, etc.

Source: International Standards Organization – ISO

Emergency planning

The development and maintenance of agreed procedures to prevent, reduce, control, mitigate and take other actions in the event of a civil emergency.

Source: International Standards Organization – ISO

Likelihood

The chance of something happening, whether defined, measured or estimated objectively or subjectively, or in terms of general descriptors (such as rare, unlikely, likely, almost certain), frequencies or mathematical probabilities. Likelihood can be expressed qualitatively or quantitatively. The word “probability” can be used instead of “likelihood” in some non-English languages that have no direct equivalent.

Source: International Standards Organization – ISO

Share and Enjoy:

Posted by Continuity_Compliance | Filed Under Community Projects, Glossary, Tools & Resources | Leave a Comment

Business Continuity & Business Compliance Terms

August 24, 2009

Audit:

au·dit (ôdt)

1. An examination of records or financial accounts to check their accuracy.

2. An adjustment or correction of accounts.

3. An examined and verified account.

v. au·dit·ed, au·dit·ing, au·dits

v.tr.

1. To examine, verify, or correct the financial accounts of: Independent accountants audit the company annually. The IRS audits questionable income tax returns.

2. To attend (a course) without requesting or receiving academic credit.

v.intr.

To examine financial accounts.

[Middle English (influenced by auditor, auditor), from Latin audtus, a hearing, from past participle of audre, to hear; see au- in Indo-European roots.]

au dit·a·ble adj.

Audit Business Continuity

An organization should provide for the independent audit if its Business Continuity Management system’s competence and capability to identify actual and potential shortcomings. It should establish, implement and maintain procedures for dealing with these. Independent audits should be conducted by competent persons, whether internal or external

Source: BS25999-1:2006; 9.5.5

Business Continuity

Business Continuity is the strategic capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable pre-defined level.

Source: BS25999-1:2006; 2.2

Business Continuity Institute

The Business Continuity Institute (BCI) was established in 1994 to enable individual members to obtain guidance and support from fellow business continuity practitioners. The BCI currently has over 4000 members in 85+ countries.

Professional membership of the BCI provides internationally recognized status as this valued certification demonstrates the members’ competence to carry out business continuity management (BCM) to a consistent high standard.

In order to apply for full membership of the Institute it is necessary to first obtain a ‘Pass with Merit’ of the Certificate of the Business Continuity Institute. Following the introduction of the BCI Certificate in 2007, a non-membership credential was launched in April 2008 – CBCI. Holders of the CBCI have achieved success in the BCI Certificate demonstrating a through knowledge and understanding of the BCI’s Good Practice Guidelines. Holders of the CBCI may proceed to professional membership of the BCI if they can also prove practical experience of BCM to supplement their knowledge and understanding.

2007 also saw the launch of the BCI Partnership enabling organizations to work more closely with the Business Continuity Institute to deliver the overall BCI mission of:

Promoting the art and science of business continuity management worldwide

The wider role of the BCI and the BCI Partnership is to promote the highest standards of professional competence and commercial ethics in the provision and maintenance of business continuity planning and services.

The BCI is the world’s most eminent BCM institute and the name is instantly recognized as standing for good practice and professionalism.

From: Wikipedia, the free Encyclopedia

Business Continuity Management

Business Continuity Management (BCM) is a holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Additionally, it involves managing the recovery or continuation of business activities in the event of a business disruption, and management of the overall program through training, exercises and reviews to ensure the business continuity plan(s) stays current and up-to-date.

Source: BS25999-1:2006; 2.3

Business Continuity Manager

The individual in charge of a group of individuals functionally responsible for directing the development and execution of the business continuity plan, as well as responsible for declaring a disaster and providing direction during the recovery process, both pre-disaster and post-disaster.

Disaster Recovery Journal (DRJ)

Business Continuity Methodology

A holistic process that identifies potential impacts that threaten an organization and provides a framework for building resilience with the capability for an effective response that safeguards the interests of that organization’s key stakeholders, reputation, brand and value creating activities.

Business Continuity Plan

A Business Continuity Plan (BCP) is a documented collection of procedures and information that is developed, compiled and maintained in readiness for use in an incident to enable an organization to continue to deliver its critical activities at an acceptable pre-defined level.

Source: BS25999-1:2006; 2.6

Business Continuity Planning

Business continuity planning (BCP) is the creation and validation of a practiced logistical plan for how an organization will recover and restore partially or completely interrupted critical (urgent) functions within a predetermined time after a disaster or extended disruption. The logistical plan is called a business continuity plan.

In plain language, BCP is working out how to stay in business in the event of disaster. Incidents include local incidents like building fires, regional incidents like earthquakes, or national incidents like pandemic illnesses.

BCP may be a part of an organizational learning effort that helps reduce operational risk associated with lax information management controls. This process may be integrated with improving information security and corporate reputation risk management practices.

In December 2006, the British Standards Institution (BSI) released a new independent standard for BCP — BS 25999-1. Prior to the introduction of BS 25999, BCP professionals relied on BSI information security standard BS 7799, which only peripherally addressed BCP to improve an organization’s information security compliance. BS 25999’s applicability extends to organizations of all types, sizes, and missions whether governmental or private, profit or non-profit, large or small, or industry sector.

In 2007, the BSI published the second part, BS 25999-2 “Specification for Business Continuity Management”, that specifies requirements for implementing, operating and improving a documented Business Continuity Management System (BCMS).

In 2004, the United Kingdom enacted the Civil Contingencies Act 2004, a statute that instructs all emergency services and local authorities to actively prepare and plan for emergencies. Local authorities also have the legal obligation under this act to actively lead promotion of business continuity practices amongst its geographical area.

From: Wikipedia, the free Encyclopedia

Business Continuity Process

That process that provides guidance on good practices that cover the whole Business Continuity Management (BCM) lifecycle and combines five (5) key elements: (1) Understanding your business, (2) BCM strategies, (3) Developing a BCM response, (4) Establishing a BCM culture, and (5) Exercising, Maintenance and Audit.

Disaster Recovery Journal (DRJ)

Business Continuity Strategy

An approach by an organization that will ensure its recovery and continuity in the face of a disaster or other major outage. Plans and methodologies are determined by the organization’s strategy. There may be more than one solution to fulfill an organization’s strategy. Examples: Internal or external hot-site, or cold site, Alternate Work Area reciprocal agreement, Mobile Recovery, Quick Ship / Drop Ship, Consortium-based solutions, etc.

Disaster Recovery Journal (DRJ)

Business Impact Analysis (BIA)

A process designed to prioritize business functions by assessing the potential quantitative (financial) and qualitative (non-financial) impact that might result if an organization was to experience a business continuity event.

Disaster Recovery Journal (DRJ)

Compliance

-noun

1. the act of conforming, acquiescing, or yielding.

2. a tendency to yield readily to others, esp. in a weak and subservient way

3. conformity; accordance; in compliance with orders.

4. cooperation or obedience: Compliance with the law is expected of all.

5. Physics: (a) the strain of an elastic body expressed as a function of the force producing the strain; and (b) a coefficient expressing the responsiveness of a mechanical system to a periodic force.

Contingency Plan

A plan used by an organization or business unit to respond to a specific systems failure or disruption of operations.

Disaster Recovery Journal (DRJ)

Contingency Planning

A process of developing advanced arrangements and procedures that enable an organization to respond to an undesired event that negatively impacts the organization.

Disaster Recovery Journal (DRJ)

Crisis Management

The overall coordination of an organization’s response to a crisis, in an effective, timely manner, with the goal of avoiding or minimizing damage to the organizations’ profitability, reputation, and ability to operate.

Disaster Recovery Journal (DRJ)

Disaster Recovery

The ability of an organization to respond to a disaster or an interruption in services by implementing a disaster recovery plan to stabilize and restore the organization’s critical functions.

Disaster Recovery Journal (DRJ)

Disaster Recovery Training

Methods, classes and/or coursed that teach you the methods in identifying vulnerabilities and takes appropriate countermeasures to prevent and mitigate failure risks for an organization. It also provides the networking professional with a foundation in disaster recovery principles, including preparation of a disaster recovery plan, assessment of risks in the enterprise, development of policies, and procedures, and understanding of the roles and relationships of various members of an organization, implementation of the plan, and recovering from a disaster.

Information Security

The securing or safeguarding of all sensitive information, electronic or otherwise, which is owned by an organization.

Disaster Recovery Journal (DRJ)

Information Security Policy

A guideline document written by an organization intended to help it’s employees determine what information can be disclosed to non-employees, as well as the relative sensitivity of information that should not be disclosed outside of the organization without proper authorization.

SANS Institute

Risk Analysis

The process of identifying the risks to an organization, assessing the critical functions necessary for an organization to continue business operations, defining the controls in place to reduce organization exposure and evaluating the cost for such controls. Risk analysis often involves an evaluation of the probabilities of a particular event.

Disaster Recovery Journal (DRJ)

Risk Assessment

Disaster Recovery Journal (DRJ)

Risk Management

The culture and processes and structures that are put in place to effectively manage potential negative events. As it is not possible or desirable to eliminate all risk, the objective is to reduce risks to an acceptable level.

Disaster Recovery Journal (DRJ)

Security

security. (n.d.). The Free On-line Dictionary of Computing. Retrieved, from Dictionary.com website: http://dictionary.reference.com/browse/security

security. Dictionary.com. The Free On-line Dictionary of Computing. Denis Howe. http://dictionary.reference.com/browse/security .

“security.” The Free On-line Dictionary of Computing. Denis Howe. 13 Aug. 2009. <Dictionary.com http://dictionary.reference.com/browse/security>.

Dictionary.com, “security,” in The Free On-line Dictionary of Computing. Source location: Denis Howe. http://dictionary.reference.com/browse/security. Available: http://dictionary.reference.com.

BibTeX Bibliography Style (BibTeX)

@article {Dictionary.com2009,
title = {The Free On-line Dictionary of Computing},
month = {Aug},
day = {13},
year = {2009},
url = {http://dictionary.reference.com/browse/security},

Share and Enjoy:

Posted by Continuity_Compliance | Filed Under Community Projects, Glossary, Tools & Resources | Leave a Comment

Audit Guide: BS 25999

August 24, 2009

The following audit module is typical of the form used by BS 25999 assessors

This working document is intended as a reference/checklist for the Assessor when conducting BS 25999 Assessments.

There is a section after each element to make notes on areas investigated for conformity, noted areas of conformity or nonconformity, and follow up notations for the next auditor. It may be helpful to note evidence of conformity, such as procedures/work instructions, dates, and specific observations.

Make sure to note specific areas that may need further investigation and/or areas that were checked thoroughly. These notes should be placed in the comment section to assist the next auditor. You can keep track of these in the area provided after each element.

Please take note the checklists must include:

i) No blank boxes/no “N/A.”

ii) As many comments as possible should be written. In no event shall the auditor recommend specific solutions. This applies to all audits conducted on behalf of PJR.

If “NO” is checked, an explanation must follow in the comments section at the end of the element.

If additional questions arise during the audit, indicate them (and the appropriate responses) either in the blank working document pages at the end of this document or in the empty rows included in some of the sections.

Audit No. _____________________ Date(s): ____________________________

Client/Auditee: _______________________________________________________

Address: ________________________________________________________

Contact/Management Rep.: ___________________________________________________

Lead Auditor: ________________________________________________________

Audit Team: ________________________________________________________

Technical Expert: ________________________________________________________

BS 25999 Req.	Characteristic	Yes	No	Specific comments regarding deficiencies/ effectiveness
4.0	Business Continuity Management
4.1	General Requirements Has the organization developed, implemented, maintained and continually improved its documented BUSINESS CONTINUITY MANAGEMENT in accordance with 4.2 to 4.4?
4.2	Establishing and Managing the BUSINESS CONTINUITY MANAGEMENT SYSTEM
4.2.1	Has the organization established: requirements for business continuity taking into account organization objectives, obligations and legal duties; business continuity objectives and plans; the scope of business continuity in terms of products and services?
4.2.2	Has the organization assured itself that key suppliers and outsource partners have effective BUSINESS CONTINUITY MANAGEMENT arrangements in place?
4.2.3	BUSINESS CONTINUITY MANAGEMENT Policy
4.2.3.1	Has top management established and demonstrated its commitment to a BUSINESS CONTINUITY MANAGEMENT policy?
4.2.3.2	Does the BUSINESS CONTINUITY MANAGEMENT policy include or make reference to: the objectives of business continuity within the organization; the scope of business continuity, including limitations and exclusions
4.2.3.3	Is the policy approved by top management, communicated to all persons working for or on the behalf of the organization, and made available to relevant stakeholders?
4.2.3.4	Is the policy reviewed at planned intervals, and when significant changes occur?
4.2.4	Provision of Resources
4.2.4.1	Has the organization determined and provided resources to establish, implement, operate and maintain the BUSINESS CONTINUITY MANAGEMENT SYSTEM?
4.2.4.2	Have BUSINESS CONTINUITY MANAGEMENT roles, responsibilities, competencies and authorities been clearly defined?
4.2.4.3	Has top management: appointed a person with appropriate seniority and authority to be accountable for BUSINESS CONTINUITY MANAGEMENT policy and implementation; appointed one or more persons be responsible for implementing and maintaining the BUSINESS CONTINUITY MANAGEMENT SYSTEM, irrespective of other duties; determined and documented the acceptable level of risk relative to its BC scope; conducted management reviews of the BUSINESS CONTINUITY MANAGEMENT; communicated the program to stakeholders; communicated to the organization the importance of meeting BUSINESS CONTINUITY MANAGEMENT objectives, conforming to BUSINESS CONTINUITY MANAGEMENT policy, and continual improvement
4.2.5	Training, awareness and competency
4.2.5.1	Has the organization ensured that all personnel with responsibilities defined in the BUSINESS CONTINUITY MANAGEMENT SYSTEM are competent by: determining the necessary competencies for work affecting the BUSINESS CONTINUITY MANAGEMENT SYSTEM; conducting training needs analysis on staff assigned BUSINESS CONTINUITY MANAGEMENT SYSTEM roles; providing training; evaluating training effectiveness, and; maintaining records of education, training, skills, experience and qualifications.
4.3	Embedding BUSINESS CONTINUITY MANAGEMENT in the organization’s culture
4.3.1	Management and Training
4.3.1.1	Has the organization ensured that BUSINESS CONTINUITY MANAGEMENT is part of its core values and effective management?
4.3.1.2	Does the organization : ensured that relevant personnel are aware of the importance of their BUSINESS CONTINUITY MANAGEMENT activities and how they contribute to achievement of BUSINESS CONTINUITY MANAGEMENT SYSTEM objectives; raise, enhance and maintain awareness through an on-going BUSINESS CONTINUITY MANAGEMENT education and information program for all staff, including evaluation of the effectiveness of the BUSINESS CONTINUITY MANAGEMENT awareness delivery methods; have a process for identifying and delivering BUSINESS CONTINUITY MANAGEMENT training requirements of BUSINESS CONTINUITY MANAGEMENT-staff and non-BUSINESS CONTINUITY MANAGEMENT staff who need skills to undertake incident response and business recovery. conduct and evaluate the effectiveness of practical response training with active participatory exercises.
4.4	BUSINESS CONTINUITY MANAGEMENT SYSTEM documentation and records
4.4.1	BUSINESS CONTINUITY MANAGEMENT SYSTEM documentation
4.4.1.1	Is there a documented procedure established to define the management actions needed to ensure the approval, confidentiality, integrity, availability and currency of all documents required by the BUSINESS CONTINUITY MANAGEMENT SYSTEM?
4.4.1.2	The organization shall have as a minimum, the following BUSINESS CONTINUITY MANAGEMENT SYSTEM documentation: BC policy; Scope of the BUSINESS CONTINUITY MANAGEMENT SYSTEM, and procedures and controls in support of the BUSINESS CONTINUITY MANAGEMENT SYSTEM; BUSINESS CONTINUITY MANAGEMENT SYSTEM terms of reference; Business impact analysis report; Risk assessment report; Details of BUSINESS CONTINUITY MANAGEMENT strategies; Procedures for effective planning, operation and control of the BUSINESS CONTINUITY MANAGEMENT processes; Business continuity and incident management plans; Up to date contact information for resources required to support response; Change control procedures; Risk and issues register; Test schedule / test actions register; Incident log; Training program; Response structure; Any other documents required to support implementation of this standard.
4.4.2	BUSINESS CONTINUITY MANAGEMENT SYSTEM records
4.4.2.1	Does the organization identify the controls for identification, storage, protection, retrieval, retention time and disposition of records? A process shall determine the need and extent for records.
4.4.2.2	Are records kept for all business interruptions and incidents related to the BUSINESS CONTINUITY MANAGEMENT SYSTEM?
5	Implement and operate the BUSINESS CONTINUITY MANAGEMENT SYSTEM
5.1	Understanding the organization
5.1.1	Business impact analysis
5.1.1.1	Has the organization defined a documented process for determining impacts of disruption for key products and services that is appropriate to the organization? Are findings and conclusions documented?
5.1.1.2	Has the organization: identified activities that support key products and services; identified impacts that relate to these activities; assessed how these activities are impacted over time; established minimum tolerable period of disruption (MTD) for each activity by: identifying the maximum time period after disruption within which each activity needs to be resumed; identifying minimum levels of performance after resumption; identified the time within which normal operational levels need to be resumed; identified all dependencies relevant to each critical activity, including suppliers and outsource partners; identified critical activities and prioritized them for recovery; estimated the resources each critical activity will require for resumption, taking into account the needs of stakeholders; set recovery time objectives for resumption within the maximum tolerable period of disruption; reviewed the adequacy of the business impact analysis at planned intervals, and when significant changes occur to management or its activities.
5.2	Risk assessment
5.2.1	Risk assessment process
5.2.1.1	Is there a defined and documented process for risk assessment that enables the organization to understand threats and vulnerabilities, as well as impacts, of its critical activities and supporting resources?
5.2.1.2	With respect to critical activities and supporting resources, has the organization: identified threats; identified vulnerabilities; documented the impacts associated with the identified threats and vulnerabilities and determined the risks; established and maintain a register of risks; identified and documented loss mitigation and risk treatment measures appropriate to the level of risk acceptance; reviewed the adequacy of the risk assessment at planned intervals, and when significant changes occur to management or its activities.
5.2.2	Determining choices
5.2.2.1	For each critical activity, has the organization determined potential loss mitigation and risk treatment that: reduces the likelihood of disruption; shortens the period of disruption; limits the impact of disruption on key products and services.
5.2.2.2	Has the organization chosen appropriate risk treatments for each critical activity?
5.3	Determining business continuity strategy
5.3.1	Has the organization defined how it will provide for the recovery of its critical activities for which business continuity is the chosen risk treatment and take account of those activities not defined as critical?
5.3.2	Has the organization: defined a fit for purpose, predefined and documented incident response structure that will enable effective response and recovery from disruptions; determined how it will recover each critical activity within its Recovery Time Objective and the resources needed for resumption; determined how it will manage relationships with key stakeholders and external parties involved in the recovery.
5.4	Developing an implementing a BUSINESS CONTINUITY MANAGEMENT response
5.4.1	Incident response structure
5.4.1.1	Has the organization identified incident response personnel who have the necessary seniority, authority and competence to take control of situations and communicate with stakeholders?
5.4.1.2	Are (do) incident response personnel: capable of confirming the nature and extent of the incident, the incident; and managing the incident; responsible for triggering an appropriate business continuity response; have plans, processes and procedures to manage an incident; have plans for the activation, operation, coordination and communication of the incident response; have resources available to support the plans, processes and procedures to manage the incident.
5.4.2	Plans
5.4.2.1	Does the organization have documented plans that detail how it will mange the incident, and how it will recover or maintain its activities to a predetermined level in the vent of a disruption?
5.4.2.1	Are the plans: accessible to those with responsibilities defined within; agreed to by top management and understood by those who will implement the plans; owned by a named person with responsibility for review, update and approval; under version control with formal change notification and distribution records; reviewed at planned intervals, when significant changes occur to the organization or its activities; aligned with other contingency arrangements external to the organization.
5.4.2.2	Do the plans contain: identified lines of communication, roles, responsibilities, key tasks and reference information; defined purpose and scope; defined roles and responsibilities for people and teams having authority during and following an incident; guidelines and criteria regarding which individuals have the authority to invoke each plan and under what circumstances; a method by which each plan is invoked, meeting locations with alternatives, up-to-date mobilization and contact details for relevant agencies, organizations and resources that might be required to support the response; a process for standing down once the incident is over; essential contact details for all stakeholders; details for managing the incident including: immediate consequences of disruption, provisions for managing issues during the incident, processes and procedures to enable continuity and recovery of critical activities; details for managing immediate consequences giving due regard to: the welfare of individuals, strategic and tactical options, and prevention of further loss or unavailability of critical activities; details on communication with staff and relatives, key stakeholders and emergency contacts; details on media response including: incident communication strategy, preferred interface with the media, guidelines for drafting statements for the media, and appropriate spokespeople; methods for recording vital information about the incident, actions taken and decisions made; details of actions and tasks that need to be performed; prioritized objectives of critical activity recovery, timescales for recovery, and recovery levels; nominated persons to manage the business continuity and recovery phases of a disruption.
5.5	Exercising and maintaining BUSINESS CONTINUITY MANAGEMENT arrangements
5.5.1	General
5.5.1.1	Has the organization ensured that its BUSINESS CONTINUITY MANAGEMENT arrangements are validated by exercise and kept up-to-date?
5.5.2	BUSINESS CONTINUITY MANAGEMENT Exercising
5.5.2.1	Has the organization evaluated the competence and capability of its BUSINESS CONTINUITY MANAGEMENT with a view to continual improvement?
5.5.2.2	Does the organization: develop exercises consistent with the scope of its business continuity plan(s); ensure that exercises are carried out at periods determined by top management and when significant changes occur to the organization; carry out a range of different exercises to validate its business continuity arrangements; plan exercises so that: there is minimum risk of disruption, and the risk of an incident occurring as a direct result of the exercise is minimized; define the aims and objectives of every exercise; \produce a written report of the exercise, outcomes and feedback, including recommendations and a timetable for their implementation; and, carry out a post-exercise review of each exercise that will assess the achievement of aims and objectives of the exercise.
5.5.3	Maintaining BUSINESS CONTINUITY MANAGEMENT arrangements
5.5.3.1	Does the organization ensure that its BUSINESS CONTINUITY MANAGEMENT competence and capability remains effective, fit-for-purpose and up-to-date to meet its requirements?
6	Monitor and review the BUSINESS CONTINUITY MANAGEMENT SYSTEM
6.1	BUSINESS CONTINUITY MANAGEMENT SYSTEM review
6.1.1	Does the organization ensure its business continuity capability and appropriateness by review at planned intervals and when significant changes occur to ensure continuing suitability, adequacy and effectiveness?
6.1.2	Does the organization regularly review its BUSINESS CONTINUITY MANAGEMENT SYSTEM through self-assessment or audit?
6.2	Management review of the BUSINESS CONTINUITY MANAGEMENT SYSTEM
6.2.1	General
6.2.1.1	Does the organization review the BUSINESS CONTINUITY MANAGEMENT SYSTEM at planned intervals to ensure continuing suitability, adequacy and effectiveness? Does the review include assessing opportunities for improvement and the need for changes to the BUSINESS CONTINUITY MANAGEMENT SYSTEM, including BUSINESS CONTINUITY MANAGEMENT policy and objectives. Are results of review documented and records maintained?
6.2.2	Review input
6.2.2.1	Does input to management review include: results of BUSINESS CONTINUITY MANAGEMENT SYSTEM audits and reviews, including key suppliers and outsource partners; feedback from interested parties; techniques, products or procedures that could improve the performance or effectiveness of the BUSINESS CONTINUITY MANAGEMENT SYSTEM; status of corrective and preventive actions; level of residual and acceptable risk; vulnerabilities not adequately addressed in the previous risk assessment; follow-up actions from previous management reviews; changes that could affect the BUSINESS CONTINUITY MANAGEMENT SYSTEM; recommendations for improvement and exercise results; emerging guidance and good practices; observations / recommendations following incidents; lessons from incident response, near misses, and exercises; results of the education and awareness training programs.
6.2.3	Review output
6.2.3.1	Does management review output include any decisions and actions related to: improving effectiveness of the BUSINESS CONTINUITY MANAGEMENT SYSTEM modification of procedures that affect business continuity, response to internal or external events impacting the BUSINESS CONTINUITY MANAGEMENT SYSTEM, including any changes to: business requirements, resilience requirements, business processes, regulatory or legal environment, and levels of risk or risk acceptance; resource needs; funding and budget requirements.
7	Maintain and improve the BUSINESS CONTINUITY MANAGEMENT SYSTEM
7.1	Continual improvement
7.1.1.1	Does the organization continually improve the effectiveness of the BUSINESS CONTINUITY MANAGEMENT SYSTEM through use of the BUSINESS CONTINUITY MANAGEMENT policy and objectives, audit results, analysis of monitored events, corrective and preventive actions and their timescales, and management review?
7.1.2	Corrective action
7.1.2.1	Do the organizations documented procedures for corrective action include elimination of the cause of nonconformities associated with implementation and operation of the BUSINESS CONTINUITY MANAGEMENT SYSTEM to prevent recurrence and do they define requirements for : identifying nonconformities; determining cause of nonconformities; evaluating the need for action to ensure nonconformities do not recur; determining and implementing needed corrective action; recording results of actions taken; reviewing the corrective action taken.
7.1.3	Preventive action
7.1.3.1	Does the organizations documented procedure for preventive action guard against future nonconformities in order to prevent occurrence, are they appropriate to the impact of potential problems, and do they define requirements for: identifying potential nonconformities and their cause; determining and implementing needed preventive action; recording results of actions taken; reviewing preventive actions taken; identifying changed risks and ensuring attention is focused on significantly changed risks; ensuring that those who need to know are informed of the preventive action put in place; prioritization of preventive actions based on the results of the risk assessment and the business impact analysis (BIA).