Is the increasing organizational focus on information security having an effect on the traditional demarcation lines between business continuity management (BCM) and information security management (ISM)? Continuity Central recently conducted an online survey to find out. 182 responses to the survey were received, and it seems that convergence between BCM and ISM has happened in some organizations, while the majority believe that ideally ISM should be the responsibility of a team consisting of representatives from different areas of the organization. The results are as follows:
Do you see information security as a business continuity issue?
64.5 percent of respondents believe that information security is definitely a business continuity issue, with a further 32 percent saying that it was partially a business continuity issue. Only 3.5 percent said that information security is not a business continuity issue at all.
Respondents were asked to explain their answer to this question. The verbatim responses can be read here (PDF).
Does the business continuity team in your organization manage information security threats?
Information security threats are managed by the business continuity team in only 14 percent of respondents’ organizations. A further 29 percent of respondents said that the business continuity team was partially responsible for managing information security threats. The remaining respondents said that the business continuity team was not responsible for managing information security threats (55 percent) or did not know (2 percent).
Respondents were asked to briefly describe how their organization structures its information security management. The verbatim responses can be read here (PDF).
Respondents were also asked which department or business unit should lead information security management. The results were as follows:
- Information security management should be led by the IT department / business unit: 20 percent
- Information security management should be led by the business continuity team: 5 percent
- Information security management should be led by the Board: 10.5 percent
- Information security management should be led by the risk management team: 19 percent
- Information security management should be led by a team consisting of representatives from different areas of the organization: 38 percent
- Other responses and don’t knows: 7.5 percent
Respondents were asked to explain their answer to the question. The verbatim responses can be read here (PDF).
Does your organization have a formal incident response plan for information security incidents?
A resounding 82 percent of respondents confirmed that their organization has a formal incident response plan for information security incidents, with only 10.5 percent stating that it doesn’t. A surprising 7.5 percent didn’t know.
Does the business continuity team in your organization respond to information security incidents?
There was a mixed response to this question, with 26.5 percent of respondents stating that the business continuity team does respond to information security incidents and 34 percent saying that it doesn’t. 37 percent said that the business continuity team is partially involved in information security response. 2.5 percent didn’t know.
Respondents were asked who should be responsible for information security incident response. The results were as follows:
- Information security incident response should be led by the IT department / business unit: 19 percent
- Information security incident response should be led by the business continuity team: 8 percent
- Information security incident response should be led by the Board: 4.5 percent
- Information security incident response should be led by the risk management team: 10 percent
- Information security incident response should be led by a team consisting of representatives from different areas of the organization: 49 percent
- Other responses and don’t knows: 9.5 percent
Respondents were asked to explain their answer to the question. The verbatim responses can be read here (PDF).