Business Continuity Management

This is my point of view on what I understand by continuity

Introduction

On the morning of September 11, 2001, four commercial airliners traveling from the northeastern United States to California were hijacked by members of the terrorist group Al Qaeda, who crashed the planes in different parts of the United States. This time we will focus on the planes that crashed into the World Trade Center, better known as the Twin Towers, because at that time these towers were partly residential and partly business. Based on that, the question would be: what happened to those businesses after the crash? The answer is simple: they disappeared, for the simple reason that they had neither continuity management nor a business continuity plan. Now, what is business continuity? The answer to this question and to others can be found in the development section.

Development

Background of Continuity Management.

During the 1980s and 1990s there was a growing awareness of technology disaster recovery, basically because companies woke up to the fact that an outage of their IT systems could cause significant damage.

NFPA 1600 is the oldest standard; it was launched in 1995 and establishes guidelines for disaster management, emergency management and business continuity programs. Later on, the BS 25999-1 standard was launched; this document establishes the business continuity life cycle.

9/11.

As I mentioned in the introduction, after the events of September 11, 2001, continuity plans became an essential part of the business idea as such, covering both companies in the financial sector and their associates. One thing to note is that, no matter whether a company is large or small, the continuity plan should apply to both. The terrorist attacks of 9/11 caused a rise in computer sales and increased the awareness of organizations about the importance of safeguarding and backing up their information, as it was mentioned that the companies located there were ruined or disappeared because, having lost all their data, they could not sustain the business.

We can also mention the benefits that this kind of plan brought to some companies, as in the case of the prestigious Lehman Brothers, which despite losing everything as a result of the attack continued to operate. This was thanks to one of its employees, or rather its director of information technology at the time, Bob Schwartz, who while leaving the building activated the recovery and business continuity plan; the next day the company had 400 employees ready to return to their usual work. The company lost a great deal of computer equipment that amounted to large sums of money, but I quote their CTO: *“It’s really hard to have a disaster occur that will test everything that was planned. But we have always been cautiously optimistic of our ability to restore all key applications in stages in an acceptable time.”*

This shows how effective a business continuity and recovery plan can be.

Having said all this, we can say in summary that business continuity is the process that allows the business to continue despite any incident, and in the same way allows its services to return to the state they were in before the incident. It should be noted that, as mentioned above, this management covers the entire company.

Business Continuity Management Frameworks.

At this point we are going to go deeper into what business continuity management is. When we talk about business continuity management we find that there are reference frameworks, so the question is: what is a reference framework? Basically, it is what identifies and sets out the background, theories and regulations that concern an action program or a process. That said, in continuity management we can cite some reference frameworks such as ISO/DIS 22301:2019 and ISO/IEC 27001:2013. Another question we ask ourselves is: what is ISO? It is the International Organization for Standardization, the body that normally creates these reference frameworks.

ISO/DIS 22301:2019

This document explains in detail the structure and requirements to be considered when implementing and maintaining a business continuity management system (BCMS). We can say that a BCMS highlights the importance of understanding the needs of the organization, of setting business continuity policies, and of monitoring the performance of the BCMS in order to know its effectiveness and improve it continuously. It should be noted that this document can be applied to any type of organization.

The benefit of these implementations is to ensure that the business continues to operate despite the occurrence of a disaster and that it improves continuously; we can also cite some specific benefits:

  • From the business perspective: they allow companies to create an advantage in the market and to systematically build credibility among users.

  • From a financial perspective: the most logical benefit would be to make partners feel comfortable.

  • From the stakeholder perspective: the most notable benefits are the protection of property, the environment and human resources.

ISO/IEC 27001:2013

This document takes a process-based approach to implementing and maintaining an organization's ISMS. What is an ISMS? It is the information security management system, which consists of a set of information management policies. This document is related to the previous one: the former seeks to counteract interruptions in business activities, while this one seeks to protect the organization's critical processes against the effects of failures in information systems.

This standard contains controls aimed at business continuity:

A.14.1.1 This control establishes that information security must not be forgotten in the continuity management process.

A.14.1.2 This control states that, before implementing a business continuity plan, the relevant risk assessments must be carried out.

A.14.1.3 This control is important because it states that business continuity must be centralized.

A.14.1.5 This control specifies that business continuity plans must be tested constantly so that they improve and, when an incident occurs, can be put into effect without complications.

Business Continuity Management Process.

We will now talk about an interesting part, which is the business continuity management process. Before we talk about it, I would like to answer a question: what is a process? It is a set of activities linked together to achieve a certain goal. Knowing this, we can say that the objective of the business continuity management process is that everything agreed on the continuity of business services is carried out as specified, taking into account all the needs raised. It should be noted that the business continuity management process consists of 4 main activities:

  1. Plan: this activity identifies and gathers all the continuity requirements for IT services, so that the agreed objectives can be met.
  2. Test: this is where the business continuity plan for IT services is coordinated and tested, with the purpose of improving the plan.
  3. Control: the business continuity plan for IT services must be maintained by performing controls and follow-ups of the commitments made, to ensure that it remains functional and does not become obsolete.
  4. Execute: this part is basically based on the fact that if serious failures that could stop services are detected, the continuity plan is activated.

The continuity management process is accompanied by roles and responsibilities, which are:

  • Process owner: in charge of designing the processes, taking into account the applicable standards and previous guidelines; must ensure that the previously defined objectives are met, and is responsible for communicating the results of the IT continuity plan to the Continuity Committee.

  • Continuity Manager: must support and be present when the processes for the continuity management of IT services are defined; has the responsibility to identify possible options for implementing the continuity of IT services, and must likewise coordinate the test execution of the IT continuity plan. Last but not least, he/she must communicate the results of IT continuity management.

  • Key Stakeholders: basically, they provide relevant information oriented to the continuity of services, and likewise participate in activities such as training, tests, reviews and execution of the continuity plan.

  • Team of IT specialists: in charge of carrying out all the tests and executions of the continuity plan; they recommend alternative actions at the time the continuity plan is executed.

  • Business continuity committee: has the major responsibility; it reviews everything and, based on this, approves the strategies and plans oriented to the continuity of IT services. Its other activities are to provide executive support and to communicate situations to key stakeholders.

Business Continuity Management Policy.

Having said all that has to do with processes, it is important to highlight the policies on business continuity management. The objective of these policies is to establish the guidelines for the management of the business continuity process. These guidelines are:

  • A Business Continuity Plan should be prepared according to the format seen above.
  • The business continuity plan must be approved by the business continuity committee.
  • The business continuity manager must provide the test plan to be carried out on the business continuity plan.
  • The process owner is responsible both for invoking the business continuity plan and for declaring the return to normal activities after it has been activated.
  • Process performance should be evaluated by the Process Owner.

Conclusion

Now that we have seen all the above, we can see that the fate of those businesses on September 11, 2001 could have been avoided if a continuity management plan had been put in place; as we have seen, the continuity plan, or continuity management, is our insurance against disasters that can stop the business.

In order to implement and maintain continuity management, we have the ISO/DIS 22301 frame of reference, which in summary describes how to implement and maintain a business continuity management system (BCMS); we also have the ISO/IEC 27001 standard, which is based on implementing and maintaining an information security management system (ISMS), which we can briefly describe as a set of policies oriented to information management.

In the same way, we saw that the business continuity management process has a fundamental role, since it defines the activities to be carried out; there are 4 main activities, which are plan, test, control and execute, and these are accompanied by roles and responsibilities: Process Owner, Continuity Manager, Key Stakeholders, Team of IT specialists and Business Continuity Committee.

Last but not least, we find the continuity management policies, since this part defines the guidelines for the management of the business continuity process. Among these guidelines we can highlight that the process owner has an important role, since he must decide when to activate and deactivate the business continuity plan.

Review

From my point of view, the most significant antecedent of business continuity would be 9/11, since it marked a before and after in continuity management; it made companies open their eyes as to what it means to back up their information and to have a continuity plan. In the reference frameworks we find two documents that for me are essential for continuity: ISO/DIS 22301, which talks about how to implement and maintain the business continuity management system; we also have ISO/IEC 27001, which talks about how to maintain and implement an information security management system (ISMS); both documents are linked, since one complements the other.

In the part about processes we can highlight that there are more than four activities depending on the type of business, but the four that were discussed are the basis and the ones that play an important role when designing, maintaining and implementing a business continuity plan; these activities are: plan, test, control and execute. In the same way we find the roles and responsibilities; in this part, what caught my attention was the role of the process owner, who apart from designing the processes must guarantee that all the premises set out are fulfilled. As for the other roles, I can say that apart from the process owner, the business continuity committee members have a great responsibility, and the same goes for the continuity manager, who must be in charge of the tests that are carried out on the continuity plan.

It is worth highlighting the importance of the business continuity policies, since without them there would not be a good business continuity management process, as the policies define the guidelines and directives for good business continuity management.

Finally, the main objective of this essay was achieved, which is to understand in depth what business continuity is, the parts that form it, its importance and other aspects; in the same way, it will now be possible to appreciate differently what happened on 9/11.

© 2021 - 2024 B3nj1. All rights reserved