Five golden rules of business continuity management

Neil O’Connor highlights key lessons learned from implementing BS 25999.

Implementing a company-wide business system is never easy and business continuity planning is no exception. Ensuring that all the business’ needs are fully understood, requirements met and assumptions validated is no mean feat. Adopting a definite framework for best practice, as specified within BS 25999-2:2007 Business Continuity Management Planning, may appear to hold all the answers – but is it enough?

In reality, implementing the standard is only part of the process, albeit a vital one if a business continuity management system (BCMS) is to be independently certified. Having worked with a variety of organisations to help them implement a BCMS, I have learnt that there are five fundamental rules that should be followed to ensure its success:

1. Understand the business requirement

It is vital to understand and agree the business requirement for business continuity at an early stage in the process. If this is overlooked or poorly defined, considerable effort can be spent developing BCM strategies that then have to be revised as the business need is re-defined.

2. Commit time and effort from across the business

Implementing an effective BCMS requires time, effort and commitment from all parts of an organisation. It’s not just the function of the IT department, and as such all business decision-makers must understand the business need for continuity and be involved in developing meaningful impact analyses, risk assessments and continuity plans.

3. Internal communication is critical

Two aspects of communication are pivotal to success:
- Communicating the progress of the BCMS project in order to gain and maintain engagement; and
- Taking the time to develop a sound BCM Communications Plan - probably the most important document in any real crisis.

4. The documentation should match the organisation

No two organisations are the same, and appreciating this is particularly important when developing a BCMS, where the structure of the documentation needs to match the organisational structure and the business requirements for BCM. Any standard needs to take into account the individual requirements and peculiarities of the business whilst drawing on best practice and maintaining compliance.

5. Put the plan to the test

Testing or exercising business continuity plans is without doubt the most cost-effective way to ensure that they meet the organisation’s needs. In addition, it ensures full engagement from all parts of the organisation and provides the opportunity to ‘shake out’ mistakes or incorrect assumptions, allowing the plans to be improved to make sure they are genuinely fit for purpose. Time spent testing is not time wasted. It also raises awareness of business continuity throughout the organisation and provides a valuable training opportunity for the key staff involved in crisis management, business continuity and recovery.

So, by adopting a few simple rules, based on real-life experience when implementing BS 25999, businesses can be confident that they have a genuine plan in the event of a potential disaster and not merely a set of manuals collecting dust on an IT manager’s shelves.

Author

Neil O’Connor is principal consultant, Activity.

Neil founded Activity in 2004 in response to the demand for independent security advice. With twenty years’ experience in information security, Neil started out in secure systems development and project management for secure government projects. For fifteen years Neil was an information security consultant advising clients such as the Ministry of Defence, Foreign & Commonwealth Office, NHS and a number of commercial clients. He fast became an expert in the management of information security and the implementation of ISO 27001.

Neil has qualifications including an MA (Oxon) in Physics, and a diploma in management studies. He is a member of the CESG Listed Advisor Scheme (CLAS), and is an ISO 27001 auditor.

• Date: 3rd February 2009 • Region: UK/World • Type: Article • Topic: BC general

Copyright 2010 Portal Publishing Ltd