A methodology that aims to ensure a company’s BCM/ISM programme is appropriately maintained. This typically consists of four elements:
Exercising & Testing
Information Security Review
A baseline review of an organisation’s current strengths and weaknesses against a comprehensive set of information security controls (typically BS7799/ISO17799). May include network penetration testing.
Exercising and Testing
The execution of Recovery Plans in a “safe” environment, to assess the plans’ effectiveness, identify weaknesses and improvements, and exercise Recovery Team members. This can take many forms and may be full or partial, pre-arranged or unannounced. Options include structured walkthroughs, callout tests, technical (e.g. IT) recovery and business function recovery exercises, and network penetration tests.
Business Impact Analysis (BIA)
An assessment of a business detailing the impact that would be felt if it were unable to operate normally due to a major incident or security breach. Expressed in both quantitative (financial) and qualitative (reputation) terms, the BIA is used to determine and justify a BCM and/or ISM strategy.
Recovery Strategy Development
An examination of external and internal recovery solutions appropriate to the company’s requirements.
The determination of cost-effective solutions to meet a company’s Recovery Time Objectives (RTOs) and recovery needs. This usually follows and is driven by the Business Impact Analysis.
The process of managing an incident that escalates beyond day-to-day operational failure.
Assistance with the recovery process and management of external and internal teams throughout an incident.
An assessment of the threats to a company, both commercial and environmental.
The categorisation of such threats and means of mitigation.
The formal documentation of procedures to enable a company to execute its BCM or ISM strategy at the time of an incident.
Project management of creating the recovery solution(s) identified at the Recovery Strategy Development stage. This includes the acquisition, delivery and installation of equipment and facilities, and the release and issue of Business Continuity Plans and associated documentation.
Health Check / Capability Review
A review of existing Business Continuity or Disaster Recovery plans and their underlying strategies to determine an organisation’s readiness and recovery capability.