Courtesy: ISO 22301:2012 Societal security business continuity management system
Business continuity planning uses plans and procedures to ensure that the critical operations needed to keep an organization running continue during events in which key dependencies of those operations are disrupted. Continuity does not need to apply to every activity the organization undertakes. For example, under ISO 22301:2019, organizations are required to define their business continuity objectives, the minimum levels of product and service delivery that will be considered acceptable, and the maximum tolerable period of disruption (MTPD) that can be allowed.
A major cost in planning for this is the preparation of audit compliance management documents; automation tools are available to reduce the time and cost associated with manually producing this information.
Inventory
Planners must have information about:
- Equipment
- Supplies and suppliers
- Locations, including other offices and backup/work area recovery (WAR) sites
- Documents and documentation, including which have off-site backup copies:
- Business documents
- Procedure documentation
Analysis
The analysis phase consists of
- impact analysis
- threat and risks analysis and
- impact scenarios.
Quantifying loss ratios must also include “dollars to defend a lawsuit.” It has been estimated that a dollar spent in loss prevention can prevent “seven dollars of disaster-related economic loss.”
Business impact analysis (BIA)
A business impact analysis (BIA) differentiates critical (urgent) from non-critical (non-urgent) organizational functions/activities. A function may be considered critical if dictated by law.
Each function/activity typically relies on a combination of constituent components in order to operate:
- Human resources (full-time staff, part-time staff, or contractors)
- IT systems
- Physical assets (mobile phones, laptops/workstations etc.)
- Documents (electronic or physical)
For each function, two values are assigned:
- Recovery Point Objective (RPO) – the maximum acceptable amount of data loss, expressed as the age of the most recent copy that must be recoverable. For example, is it acceptable for the company to lose two days of data? The recovery point objective must ensure that the maximum tolerable data loss for each activity is not exceeded.
- Recovery Time Objective (RTO) – the acceptable amount of time to restore the function. The RTO for an activity must not exceed its MTPD.
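RPO and RTO are only useful if they are compared with what the backup and restore arrangements can actually deliver. The following is an added example, not code from the page or from ISO 22301, that checks a constructed BIA inventory against a constructed recovery capability: the worst-case data loss of a scheduled backup is the backup interval plus the delay before the copy is safely off-site, the restore time is whatever the last recovery exercise measured, and each RTO is also checked against its MTPD. All function names, targets and schedules are assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class BusinessFunction:
    """One function/activity from the BIA together with its recovery targets."""
    name: str
    critical: bool          # urgent vs non-urgent, as classified by the BIA
    rpo: timedelta          # maximum tolerable data loss
    rto: timedelta          # target time to restore the function
    mtpd: timedelta         # maximum tolerable period of disruption


@dataclass(frozen=True)
class RecoveryCapability:
    """What the current backup/restore arrangement can actually deliver."""
    backup_interval: timedelta   # time between successful backups
    offsite_lag: timedelta       # delay until a backup copy is safely off-site
    restore_time: timedelta      # restore duration measured in the last exercise


def worst_case_data_loss(cap: RecoveryCapability) -> timedelta:
    """Data written after the last backup that reached the off-site copy is lost.

    Worst case: the site is lost just before the next backup completes, and the
    most recent backup has not yet finished copying off-site either.
    """
    return cap.backup_interval + cap.offsite_lag


def check_function(fn: BusinessFunction, cap: RecoveryCapability) -> list[str]:
    """Return the gaps between the function's targets and the capability."""
    issues = []
    if fn.rto > fn.mtpd:
        issues.append(f"RTO {fn.rto} exceeds MTPD {fn.mtpd}: target is internally inconsistent")
    loss = worst_case_data_loss(cap)
    if loss > fn.rpo:
        issues.append(f"backup schedule allows {loss} of data loss, RPO is {fn.rpo}")
    if cap.restore_time > fn.rto:
        issues.append(f"measured restore time {cap.restore_time} exceeds RTO {fn.rto}")
    return issues


def bia_report(functions, capabilities) -> dict[str, list[str]]:
    """Evaluate every function, critical ones first and shortest RTO first."""
    ordered = sorted(functions, key=lambda f: (not f.critical, f.rto))
    return {f.name: check_function(f, capabilities[f.name]) for f in ordered}


# Constructed sample inventory; these names and numbers are assumptions, not
# taken from any real organization or from the standard.
FUNCTIONS = [
    BusinessFunction("payroll", critical=False, rpo=timedelta(hours=24),
                     rto=timedelta(hours=48), mtpd=timedelta(hours=72)),
    BusinessFunction("order-processing", critical=True, rpo=timedelta(hours=1),
                     rto=timedelta(hours=4), mtpd=timedelta(hours=8)),
    BusinessFunction("customer-portal", critical=True, rpo=timedelta(minutes=15),
                     rto=timedelta(hours=2), mtpd=timedelta(hours=1)),
]

CAPABILITIES = {
    # nightly backup copied off-site two hours later; restore rehearsed at 3 h
    "order-processing": RecoveryCapability(timedelta(hours=24), timedelta(hours=2),
                                           timedelta(hours=3)),
    # 5-minute snapshots replicated within a minute; restore rehearsed at 90 min
    "customer-portal": RecoveryCapability(timedelta(minutes=5), timedelta(minutes=1),
                                          timedelta(minutes=90)),
    # twice-daily backup copied off-site within two hours; restore rehearsed at 36 h
    "payroll": RecoveryCapability(timedelta(hours=12), timedelta(hours=2),
                                  timedelta(hours=36)),
}

if __name__ == "__main__":
    for name, issues in bia_report(FUNCTIONS, CAPABILITIES).items():
        print(f"{'OK ' if not issues else 'GAP'} {name}")
        for issue in issues:
            print(f"      - {issue}")
```

With the constructed data, the nightly backup of order-processing allows 26 hours of data loss against a one-hour RPO, and the customer portal's two-hour RTO is longer than its one-hour MTPD, so the target itself has to be revisited before any backup change can satisfy it; payroll passes on every count.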