Business continuity
Encyclopedia
Business continuity is the activity performed by an organization to ensure that critical business functions will be available to customers, suppliers, regulators, and other entities that must have access to those functions. These activities include many daily chores such as project management, system backups, change control, and help desk. Business continuity is not something implemented at the time of a disaster; Business Continuity refers to those activities performed daily to maintain service, consistency, and recoverability.
The foundation of business continuity are the standards, program development, and supporting policies; guidelines, and procedures needed to ensure a firm to continue without stoppage, irrespective of the adverse circumstances or events. All system design, implementation, support, and maintenance must be based on this foundation in order to have any hope of achieving business continuity, disaster recovery
, or in some cases, system support. Business continuity is sometimes confused with disaster recovery, but they are separate entities. Disaster recovery
is a small subset of business continuity. It is also sometimes confused with Work Area Recovery (due to loss of the physical building which the business is conducted within); which is but a part of business continuity.
The term Business Continuity describes a mentality or methodology of conducting day-to-day business, whereas business continuity planning
is an activity of determining what that methodology should be. The business continuity plan may be thought of as the incarnation of a methodology that is followed by everyone in an organization on a daily basis to ensure normal operations.
ISO - Work is also underway at ISO to publish two ISO Standard - ISO 22301 and ISO 22313. ISO 22301 'Business continuity management systems - Requirements' is expected to be released in early 2012. ISO 22313 'Business continuity management systems - Guidance' is expected to be released in late 2012.
United Kingdom – Produced by the British Standards Institution (BSI), BS 25999 is a business continuity management (BCM) standard in two parts. The first, “BS 25999-1:2006 Business Continuity Management. Code of Practice”, takes the form of general guidance and seeks to establish processes, principles and terminology for business continuity Management. The second, “BS 25999-2:2007 Specification for Business Continuity Management”, specifies requirements for implementing, operating and improving a documented business continuity management system (BCMS), describing only requirements that can be objectively and independently audited.
North America – Published by the National Fire Protection Association NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs.
North America - ASIS/BSI BCM.01:2010 published Dec 2010
Australia – Published by Standards Australia HB 292-2006 : A practitioners guide to business continuity management HB 293-2006 : Executive guide to business continuity management
In 2010, Standards Australia introduced their Standard AS/NZS 5050 that connects far more closely with traditional risk management practices. This interpretation is designed to be used in conjunction with AS/NZS3100 covering risk management.
ANSI/ASIS SPC.1-2009 Organizational Resilience: The ANSI/ASIS SPC.1-2009 Organizational Resilience: Security, Preparedness, and Continuity Management Systems—Requirements with Guidance for Use American National Standard is under consideration for inclusion in the DHS PS-Prep, a voluntary program designed to enhance national resilience in an all hazards environment by improving private sector preparedness.
Set of documents, instructions, and procedures which enable a business to respond to accidents, disasters, emergencies, and/or threats without any stoppage or hindrance in its key operations. Also called business resumption plan, disaster recovery plan, or recovery plan.
The BIA can be used to identify extent and timescale of the impact on different levels of an organization. For instance it can examine the effect of disruption on operational, functional and strategic activities of an organization.
Not only the current activities but the effect of disruption on major business changes, introducing new product or services for example, can be determined by BIA.
Most standards require that a business impact analysis should be reviewed at defined intervals appropriate for each organization and whenever any of the following occur:
Automation if often associated with the idea of centralized management - in area of data storage and data management. Solutions based on storage consolidation can ensure data safety, efficiency, high availability
, reliability and convenience.
(SLA). This provides a written contract stipulating the expectations of management with regard to the availability of a necessary business function, and the deliverables that information technology provides in support of that business function.
planning occurs as a subset of defining the business continuity procedures.
The following is a list of physical and logical entities within an information technology environment which require the application of a business continuity Methodology. Applying the methodology should include the definition of things such as policies, guidelines, standards, procedures, etc., for each item in the list:
The foundation of business continuity are the standards, program development, and supporting policies; guidelines, and procedures needed to ensure a firm to continue without stoppage, irrespective of the adverse circumstances or events. All system design, implementation, support, and maintenance must be based on this foundation in order to have any hope of achieving business continuity, disaster recovery
Disaster recovery
Disaster recovery is the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster. Disaster recovery is a subset of business continuity...
, or in some cases, system support. Business continuity is sometimes confused with disaster recovery, but they are separate entities. Disaster recovery
Disaster recovery
Disaster recovery is the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster. Disaster recovery is a subset of business continuity...
is a small subset of business continuity. It is also sometimes confused with Work Area Recovery (due to loss of the physical building which the business is conducted within); which is but a part of business continuity.
The term Business Continuity describes a mentality or methodology of conducting day-to-day business, whereas business continuity planning
Business continuity planning
Business continuity planning “identifies [an] organization's exposure to internal and external threats and synthesizes hard and soft assets to provide effective prevention and recovery for the organization, whilst maintaining competitive advantage and value system integrity”. It is also called...
is an activity of determining what that methodology should be. The business continuity plan may be thought of as the incarnation of a methodology that is followed by everyone in an organization on a daily basis to ensure normal operations.
Standards
This section provides references to a number of worldwide BC/BCM standards (content pulled from SDO’s website):ISO - Work is also underway at ISO to publish two ISO Standard - ISO 22301 and ISO 22313. ISO 22301 'Business continuity management systems - Requirements' is expected to be released in early 2012. ISO 22313 'Business continuity management systems - Guidance' is expected to be released in late 2012.
United Kingdom – Produced by the British Standards Institution (BSI), BS 25999 is a business continuity management (BCM) standard in two parts. The first, “BS 25999-1:2006 Business Continuity Management. Code of Practice”, takes the form of general guidance and seeks to establish processes, principles and terminology for business continuity Management. The second, “BS 25999-2:2007 Specification for Business Continuity Management”, specifies requirements for implementing, operating and improving a documented business continuity management system (BCMS), describing only requirements that can be objectively and independently audited.
North America – Published by the National Fire Protection Association NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs.
North America - ASIS/BSI BCM.01:2010 published Dec 2010
Australia – Published by Standards Australia HB 292-2006 : A practitioners guide to business continuity management HB 293-2006 : Executive guide to business continuity management
In 2010, Standards Australia introduced their Standard AS/NZS 5050 that connects far more closely with traditional risk management practices. This interpretation is designed to be used in conjunction with AS/NZS3100 covering risk management.
ANSI/ASIS SPC.1-2009 Organizational Resilience: The ANSI/ASIS SPC.1-2009 Organizational Resilience: Security, Preparedness, and Continuity Management Systems—Requirements with Guidance for Use American National Standard is under consideration for inclusion in the DHS PS-Prep, a voluntary program designed to enhance national resilience in an all hazards environment by improving private sector preparedness.
Program
Ongoing management-level process to ensure that necessary steps are regularly taken to identify probable accidents, disasters, emergencies, and/or threats. It also involves (1) assessment of the probable effect of such events, (2) development of recovery strategies and plans, and (3) maintenance of their readiness through personnel training and plan testing. See also business impact analysisPolicies
Policies are those things mandated by the management of an organization that will always be performed according to a preset design plan, and supporting all business functions within an organization.BC/BCM plan
The components of the business continuity methodology required for manifestation into a documented plan include:Set of documents, instructions, and procedures which enable a business to respond to accidents, disasters, emergencies, and/or threats without any stoppage or hindrance in its key operations. Also called business resumption plan, disaster recovery plan, or recovery plan.
BC/BCM planning
Task of identifying, developing, acquiring, documenting, and testing procedures and resources that will ensure continuity of a firm's key operations in the event of an accident, disaster, emergency, and/or threat. It involves (1) risk mitigation planning (reducing possibility of the occurrence of adverse events), and (2) business recovery planning (ensuring continued operation in the aftermath of a disaster).Guidelines
Guidelines are those things which are recommended to be performed according to a preset design plan. However depending upon the needs and requirements of the target business function, these items may or may not be performed, or may be altered during implementation.Procedures
British Standard 25999-2 and other standards identified above provide a specification for implementing a business continuity management system within an organization.Business impact analysis (BIA)
The entire concept of business continuity is based on the identification of all business functions within an organization, and then assigning a level of importance to each business function. A business impact analysis is the primary tool for gathering this information and assigning criticality, recovery point objectives, and recovery time objectives, and is therefore part of the basic foundation of business continuity.The BIA can be used to identify extent and timescale of the impact on different levels of an organization. For instance it can examine the effect of disruption on operational, functional and strategic activities of an organization.
Not only the current activities but the effect of disruption on major business changes, introducing new product or services for example, can be determined by BIA.
Most standards require that a business impact analysis should be reviewed at defined intervals appropriate for each organization and whenever any of the following occur:
- Significant changes in the internal business process, location or technology
- Significant changes in the external business environment – such as market or regulatory change
Security management
In today's global business environment, security must be the top priority in managing Information Technology. For most organizations, security is mandated by law, and conformance to those mandates is investigated regularly in the form of audits. Failure to pass security audits can have financial and management changing impacts upon an organization.Document management
In large information technology environments, personnel turnover is inevitable and must be planned as part of business continuity. The solution to the problems associated with turnover, is complete and up-to- date documentation. This insures that new personnel will have the information they need to quickly become knowledgeable and productive with respect to the business functions they are tasked to support. This also implies that business function related documentation is largely generated (rather than written) from existing systems and managed in an automated manner.Change management
Regulations require that changes to business functions be documented and tracked for auditing purposes and is designated as "change control". This brings a level of stability to the business functions by requiring the support personnel to document and coordinate proposed changes to the underlying systems. As this process becomes more and more automated, the emphasis will be less upon personnel control, and more upon regulatory compliance.Audit management
One of the most costly and time consuming aspects of Information Technology management is dealing with auditors. One of the goals of business continuity is data center automation, which includes audit management. All modern business functions should be designed with the concept of automatically generating the requisite audit compliance information and documentation as part of conducting day-to-day business. This dramatically reduces the time and cost associated with manually producing this information.Automation if often associated with the idea of centralized management - in area of data storage and data management. Solutions based on storage consolidation can ensure data safety, efficiency, high availability
High availability
High availability is a system design approach and associated service implementation that ensures a prearranged level of operational performance will be met during a contractual measurement period....
, reliability and convenience.
Service level agreements (SLA)
The interface between management and information technology is the Service level agreementService Level Agreement
A service-level agreement is a part of a service contract where the level of service is formally defined. In practice, the term SLA is sometimes used to refer to the contracted delivery time or performance...
(SLA). This provides a written contract stipulating the expectations of management with regard to the availability of a necessary business function, and the deliverables that information technology provides in support of that business function.
Other components
Disaster recoveryDisaster recovery
Disaster recovery is the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster. Disaster recovery is a subset of business continuity...
planning occurs as a subset of defining the business continuity procedures.
The following is a list of physical and logical entities within an information technology environment which require the application of a business continuity Methodology. Applying the methodology should include the definition of things such as policies, guidelines, standards, procedures, etc., for each item in the list:
- Frames and Managed Systems
- Firmware and Microcode
- Internal and external disk storage
- Frame or Managed System Names
- Partition Names
- Node Names
- Host Names
- DNS Aliases
- Hardware Management Consoles and Console Access
- Virtualization
- Networking Design
- VLAN's
- TCP/IP Subnets
- Resource or Service Groups
- Workload Management
- Volume Groups
- Logical Volumes / Disk Partitions
- Journaling Filesystems Log
- Filesystem mount points
- User names and UID numbers
- Group names and GID numbers
- Security
- High AvailabilityHigh availabilityHigh availability is a system design approach and associated service implementation that ensures a prearranged level of operational performance will be met during a contractual measurement period....
- System Installation
- Application Installation
- Database Installation
- System Monitoring
- Application Monitoring
- Database Monitoring
- Patch Management
Planning
Planning, prevention, and preparation are a key part of any business continuity management system and have direct read across from civil contingencies planning. The activity begins with understanding the business to identify potential risks and threats to critical business activities both internally and from the external environment. It is also advisable to examine the resilience of suppliers.External links
- BCI Good Practice Guidelines
- National Institute of Science and Technology (NIST) Special Publication 800-34: Contingency Planning Guide for Information Technology Systems
- NFPA 1600 Standard for Disaster/ Emergency Management and Business Continuity, 2010
- Societal security - Guideline for incident preparedness and operational continuity management