If you are looking to set up a business continuity system, there are four simple questions you should answer; doing so will shape your planning. If you are considering certification to ISO 22301, the information you gather will also serve as evidence of good planning, so it is an investment worth making.
Some organisations are simple: they work on a single site with a limited number of people. Others are more complex, with multiple sites, multiple shifts, and possibly workers on site who are employed by more than one organisation. In the context of information security, define which systems you operate, where their data is held, and who depends on them. Refining the scope of the system you want to develop is important, because you will need to prepare and manage a recovery plan for each of these different situations.
This might sound like a stupid question, but many organisations confuse business continuity plans with the incident management plans that are enacted after a simple accident or IT failure, e.g. the email system stops working for an hour, or someone injures themselves. These are not business continuity events.
Business continuity events are major incidents that could threaten the existence of the organisation, and plans need to be in place that, once the incident is over, recover the organisation to the point it was at before the incident occurred. For example, if a major fire partially destroyed the building or left it unusable, how would your organisation start to serve its clients again, house its personnel and reinstate its infrastructure? If your servers or networks are taken over by ransomware or corrupted in some way, what is the next step, and can you trust backups that were reachable from the same compromised network?
Deciding on the start point for your business continuity system, the threshold at which it is invoked, brings clarity to the system and helps focus the minds of the personnel working on it on achieving its aim.
Following a disruption or major incident, the business continuity plan will need to be invoked. There are many options to choose from, and organisations can be as flexible or imaginative as they need to be. Examples might include:
Many organisations use cloud data services where failover is provided as part of the service; check what the provider actually commits to in its service agreement and test a restore rather than assuming one will work. Where failover is not provided, organisations should have provision in place to buy new equipment, restore data from backup and begin connecting the new computers to a network.
Some organisations may even hold resources away from their main operating areas to be drawn on in an emergency. For example, a power station may maintain a fleet of rugged vehicles that can reach the main site and support the emergency services.
Most organisations do not work in isolation, so partnerships and collaborative working will support any business continuity plan. If your organisation provides public services, coordination with local councils, emergency services or civil defence authorities will be appropriate, whereas private companies may make agreements with other organisations; transport companies that arrange to share yards or warehousing are one example. Where the organisation operates from multiple sites, this form of redundancy can be achieved by moving operations from one site to another, provided the receiving site has the capacity, and access to the same systems and data, to take on the work.
In addition, you should consider which of your suppliers can provide critical products and services, e.g. computers, phones or server equipment. Where significant purchases may be required, it may be appropriate to buy and hold a minimum stock ready for use. One factor that should be considered in all planning is the involvement of the local community, which will always be more likely to support an organisation of which it has a positive opinion.
Pulling all this information together will start to inform how you lay out and plan your business continuity system, particularly if you are considering certification to ISO 22301. Thorough planning will save time and money and result in a better system.