Once upon a time, there was this little thing called COVID. This itty bitty virus brought along with it loads of previously unasked questions; What would happen if the worldwide supply of toilet paper ran out? If someone washed their hands every 4 minutes, would they throw off their body’s water/tissue ratio, and turn into a big puddle on the floor? And perhaps most importantly (for the context of this post, anyway), if all company operations would be forced to shift from in-office to remote – in the blink of an eye – could a business possibly continue to function effectively? What are the essential components of a business continuity plan that are needed to prepare for such an eventuality?
Thankfully, for the most part, the pandemic is behind us (or at least, we pretend it is, so we can move on with life and do fun things, like going to supermarkets where TP is stocked in abundance.) But in any experience, the most important part is the lessons learned – and for many companies, that lesson was the need to create a rock-solid business continuity plan.
The truth is, business continuity planning has always been a critical process, even before the pandemic brought the need roaring to the forefront. Typically part of any risk assessment program, a business continuity plan has stages. It delineates the most critical assets, systems, and processes a business has, and then establishes the policies that guide on how to respond with minimal damage or downtime. Essentially, it serves as the blueprint for how businesses operate during and after any sort of disruption or crisis.
And while human nature is to not think about unpleasantries until it’s just too darn late, thanks to Security Compliance standards, companies MUST establish their own BCP in order to meet requirements. In all frameworks, there is a control regarding business continuity planning that must be met to pass the audit. For example in ISO 27001 Annex A:17, the control states that companies must prepare a business continuity plan in order to avoid uncertainties and potential damage.
Likewise, in SOC 2, Availability TSC A1.3 requires the development and annual testing of a business continuity plan. NIST’s CSF Information Protection Processes and Procedures (PR.IP) requires response plans of all kinds, including business continuity and disaster recovery to be 'in place and managed'. Mature organizations create real, realistic scenarios and test them to the fullest degree, and will even sacrifice valuable work hours of key employees for proper simulations.
In enterprises, business continuity Compliance often falls under the purview of the GRC/Compliance team, but then the individual plans per critical process will be built in conjunction with the process owners who will have the relevant expertise to define what the plan needs to be. But outside the enterprise realm, it may be a bit less clear. Now let’s say for argument's sake that you're the Compliance leader/person/whatever in your growing organization –- you know you need a plan: a) in order to pass your audits, and b) to not fall to pieces the next time the zombie apocalypse occurs.
Where do you start? What is a business continuity plan (BCP)? What are the 5 components of a business continuity plan? How can you design a plan that addresses your unique needs?
We’ll break it down for you into a few tolerable steps.
The 5 essential components of a business continuity plan are:
This initial stage is where you make sure your ducks are all lined up. Do you know which assets, business entities, and processes you need to have in place before you can launch your plan into action? Make sure you understand which individuals and stakeholders can help you ensure their domain is adequately understood in the planning stages and then addressed when things happen. It’s super important to make sure these people are aware of their roles and responsibilities in this context, which may include training others within their teams on how to respond to events.
Next, focus on understanding the impact. This is where performing a thorough Business Impact Analysis (BIA) comes in. According to the US government, “A business impact analysis (BIA) predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies.” For example, If the Accounting system goes down, there will be a negative impact on financial forecasting and on employee check disbursement. How to get started on this analysis? Check out this handy BIA questionnaire, again, compliments of the US government.
Using your BIA, take a look at the most important activities and resources within the organization and try to determine the Recovery Time Objective, i.e., the optimal amount of time in which you’ll aim to be back up and running. You’ll also need to determine the Maximum Tolerable Period of Disruption or the MTPD. This is the maximum period of time your company could do without said asset. A week without anyone noticing? Great, it’s probably not so critical. But if a production system were to fail, and would cause pandemonium, well that's probably a good indicator that the system is pretty darn critical – and is thus why you need to build a business continuity plan for when that particular production system fails.
It's also important to delineate how each process should be restored. So to use a familiar example; if suddenly, you have to vacate premises due to an irksome little virus, are all employees set up with WFH capabilities? Do they have the technical setup + equipment to switch over within the determined RTO? Detailing the recovery steps that will enable each RTO to be achieved will help make it more likely to go off with fewer hitches.
This part probably isn't too surprising – if you want to be sure your plan is airtight, best to not wait ‘til the boat is sinking. Testing and monitoring on a regular basis will help you perfect and tweak where needed. Almost every Compliance standard will require annual tabletop testing, or an annual simulation and training exercise that is a real, hands-on, technological simulation (e.g. restoring the entire production environment into a new region because there is a regional failure). Then you can begin to train your staff on the new plan.
And this is why all components of a business continuity plan are such important elements of Security Compliance standards. Having a plan in place ensures that when the zombie apocalypse comes, or when a new virus rears its ugly little head (Reindeer Pox 2022, anyone?), your organization will be fully prepared with all necessary business continuity plan elements to respond in minimal time and with optimal processes.