Good day everybody!
Before diving into the subject, I just want to inform everybody that the next video training will be available toward the end of next week. Now, let's get back to business :)
For many years now, a lot of people have been struggling with business continuity. First and foremost, it is often a question of language: business continuity, disaster recovery, resiliency, service availability… People use different terms and do not necessarily agree on the scope and meaning of those words.
With that said, whatever it means to you, from an ISO 27001 or BS 25999 perspective they all fall within one category: Business Continuity Management (BCM).
The reason I think it is important to talk about this today is that the National Fire Protection Association (NFPA) of the United States has just updated the 2007 edition of NFPA 1600, its standard on Disaster/Emergency Management and Business Continuity Programs. The standard can be downloaded for free, right here!
The purpose of this post is not to detail the changes between the two editions but rather to make you aware of the standard and its content, to help you gain a better understanding of Business Continuity Management Systems.
Chapter 3 – Definitions
Provides the reader with 24 definitions of terms commonly used when discussing BCM.
Chapter 4 – Program Management
This section defines the requirements for management commitment, roles and responsibilities, resource allocation and records management. Those of you already versed in ISO 27001 and BS 25999 will recognize many of the "clause 4 to 8" elements in there.
Chapter 5 – Planning
Focuses on establishing the scope, understanding the constraints and requirements, conducting the risk assessment and business impact analysis, and making decisions on preventive measures and possible mitigations.
Chapter 6 – Implementation
Covers the various elements that need to be put in place to make it happen, such as emergency response, incident management, training, crisis communication, emergency operations centers and the various operational procedures.
Chapter 7 – Testing and Exercises
Documents the requirements for testing, exercising and evaluating the plan, to ensure that it actually works.
Chapter 8 – Program Improvement
Again, much like the Plan-Do-Check-Act (PDCA) cycle required by the ISO management system standards, the NFPA clearly states how and why the program should improve, and what needs to be done to keep the program adequate in the face of regulatory changes and the evolution of the organization.
Annex A – Explanatory Material
Provides 15 pages of really useful supplemental information, such as a mapping of the NFPA 1600:2010 standard to the Disaster Recovery Institute Professional Practices, and guidance on many of the topics mentioned above.
Annex B – Program Development Resources
Includes a list of supplemental references and resources on the subject.
Annex C – Conformity Self Assessment
This is really a great section of the document! It provides the reader with a list of self-audit/self-assessment questions to go through to establish whether you are doing your job in terms of business continuity and with regard to the management of the BCM program.
All in all, this is a great and free resource for gaining a better understanding of BCM. Compared to BS 25999, it lacks a bit of structure, components and workflow specifics for management systems and continuous improvement. However, the quality and depth of the information it contains, as well as the practical aspects it covers, make it a unique document that complements BS 25999 and surely fills many of the gaps left by ISO 27001.
As a conclusion, I just want to remind you how great Annex C is: although the standard is free, many people I know would have paid just to get that section!
Have a great evening and thanks for your time and comments !
Martin Dion (CISSP/CISM)
ISO:27001 Lead Auditor & Trainer
CTO @ Above Security