and others)
• Business impact analysis, risk assessment, recovery strategies development, plan design and documentation, training, testing exercises, or all of these phases
• Single points of failure (a single element, component, system, device, or person that is critical to providing a service – availability is the aspect of continuity planning that is concerned with avoiding single points of failure)
• BCM roles and responsibilities
• BCM software (management, access, security)
• Plan availability and updates
• Plan maintenance and evidence of updates
• Plan testing exercises and evidence of testing
BCM Audit Concerns and Focus
BCM auditors may have several concerns related to the BCM as described below.
• Risk Assessment – The BCM auditor may audit the results of the risk assessment as well as the process that was used during the development of the risk assessment to understand if it was comprehensive. The BCM auditor may inquire about the methodology and approach used for the risk assessment. There may be questions related to: analysis of threats and vulnerabilities, physical and environmental security, backup and off-site storage, and single points of failure. In particular, the BCM auditor will be interested in the mitigation strategies that have been implemented.
• Business Impact Analysis – The BCM auditor may audit the results of the business impact analysis as well as the process that was used during the development of the business impact analysis to understand if it was comprehensive. The BCM auditor may inquire about the methodology and approach used for the business impact analysis. The audit may review: stakeholder input, recovery point objectives (RPOs), recovery time objectives (RTOs), resource prioritization, potential losses, and interdependencies.
• BCM Structure and Documentation – Effective documentation and procedures are extremely important in a business continuity plan. Considerable effort and time are necessary to develop a plan. However, many plans are difficult to use and become outdated quickly. Poorly written procedures can be extremely frustrating. Well-written plans reduce the time required to read and understand the procedures, and therefore result in a better chance of success if the plan has to be used. Well-written plans are also brief, to the point, and meet all project/organizational objectives.
A well-organized business continuity plan will directly affect the recovery capabilities of the organization. The contents of the plan should follow a logical sequence and be written in a standard and understandable format. A glossary of technical terms and acronyms can be beneficial in understanding the BCM procedures and documentation. Procedures should be clearly written.
The BCM auditor may audit the BCM structure and documentation. The audit may review activation procedures, communications plan, recovery teams, scenarios, command and control center, alternate facilities, detailed recovery procedures, and other considerations.
The BCM auditor may also ask:
• Where is the electronic copy of the BCM stored?
• Is the electronic copy of the BCM secure?
• Who has access to the BCM and what type of access (read/write/delete)?
• Is there a backup of the BCM and is it stored offsite?
• Are there hard copies of the BCM and are they secure?
• BCM Training – Training is an important aspect in completing the business continuity plan. All employees must know their specific roles in the business continuity plan (BCM) and how to fulfill their responsibilities. Specific training is necessary to maintain, implement, and test the BCM. Training recovery personnel and providing them with multiple skills can weigh significantly on the success of the plan and the time required to execute it. An awareness program should be used to initiate staff training efforts related to business continuity planning and included in employee orientation training and related materials.
Successful execution of the BCM will