An Introduction To
Information, Network and Internet Security


Things to watch

Keeping in business is usually a critical requirement for most businesses. It is always surprising how many organisations do not have appropriate, maintained and tested business continuity plans in place in case a disaster happens. One of the first things that the Auditor will check is that there is actually a plan (or series of plans) for continuing the business in the case of an emergency. This process needs high-level business input and management. The Auditor will check to see who has had what input to the plan(s) and the seniority of the person charged with custody of the organisation's viability in case of disaster. Often the person found to be in charge is too junior in the organisation to have the power to ensure buy-in throughout the organisation.

There is a tendency to identify the wrong processes and applications as important when doing a business impact analysis, or to do the analysis only once and never update it. The Auditor will check that the business impact analysis (BIA) reports are appropriate and up to date.

Leading on from an up-to-date BIA, the plans should be updated to take into account changes in the risks and impacts. The Auditor will check with document control to ensure that the current plans actually do reflect the current risks and impacts from the output of the BIA process. All too often the Auditor finds that there is little correlation between the plan, the BIA and what the business actually needs.

In large organisations it is quite common to see different parts of the business approach business continuity in different ways. In such organisations the Auditor will check that there is consistency in the plans across the organisation and that the plans fit into a top-level framework.

One of the greatest mistakes in business continuity planning is to write a plan and neither involve the business nor test that it works as needed. This gives the illusion of having an appropriate plan in place, but in fact it is worse than having no plan, because it is relied upon and then found to be wanting. The Auditor will check to see that the plan or plans have been appropriately tested in the past year, that there is evidence of these tests, and that the feedback from them has been used to modify the existing plan or plans where required.

Typical evidence required will be the logs of the last test and evidence of the review meeting afterwards, such as minutes and action points; the Auditor will then check that these have been incorporated into the plan. Volatile information such as staff lists and contacts will be checked to confirm that the people on whom the whole plan relies are actually still within the organisation and that their contact numbers are still correct. After all, there is little point in trying to phone the critical staff to enact the plan only to find that many of them are no longer with the organisation.
