The BCP - Business Continuity Plan


Business Continuity Plan

According to the SysAdmin, Audit, Network, Security (SANS) Institute, the business continuity plan should incorporate activities and processes for the recovery of all business services from interruptions or unexpected events. This plan must be formally documented and continuously updated according to the requirements of the organization.

The BCP Audit

The BCP audit evaluates how well the organization's continuity procedures work. It observes and defines the risks, dangers and threats to the proper management of a successful plan. The controls implemented are also evaluated to determine whether certain risks or threats are acceptable and aligned with the objectives of the organization. The audit lists the weaknesses of the plan and offers recommendations for improving it.

The Goal

The BCP describes the processes, steps, and procedures that must be executed in a time of emergency caused by a natural disaster or unexpected outage. The purpose is to achieve a recovery of all business processes. The BCP typically addresses:

  • Key computer processing locations
  • Application systems and user requirements for key business processes
  • End-user activities for key business processes
  • Telecommunications and networks
  • Key databases, information warehouses, etc.
  • Human resources
  • Personal safety of employees and others

This helps the organization respond effectively and operate business processes while working on the emergency.

BCP not available

If no BCP is available when an emergency occurs, the restoration of business processes and information systems can be delayed. The result would be:

  • inability to continue operations
  • loss of income
  • unnecessary expenses
  • loss of competitive advantage
  • loss of customer trust
  • loss of market share
  • sanctions

These problems may be tolerable for some period of time, but operations must be restored to optimal levels as soon as possible.

Approval

This plan is developed by IT auditors but must be approved by management.

Policy: Business continuity plan

The BCP establishes the emergency processes required by the policy directive, which informs users that:

  • Management approves development of the BCP, and oversees its implementation.
  • The BCP has been prepared following results from risk, impact, and cost analyses and assessments related to losses of information and IS services.
  • Business priorities and critical needs have also been considered and incorporated into the BCP.
  • Personnel responsibilities have been assigned, as appropriate. Strategies and procedures for recovery have been documented.
  • The BCP is updated and tested on a regular basis by IS operations personnel.
  • Test criteria, conditions, and frequency have been established and added to the BCP.
  • Test results are evaluated and gaps, weaknesses, or deficiencies identified are addressed.
  • Tests and test results are shared with management for review and approval.

Conclusion

Business Continuity: A business continuity plan (BCP) is a formal document that outlines the organization's strategy, process, and procedures that must be implemented in the event of a disaster. The BCP must recognize the threats and risks facing the organization, and must document specific procedures to prevent and recover from those threats and risks in order to protect the organization's assets and maintain functional operations.
