Business Continuity Plan Checklist | Disaster Recovery Checklist | ISO 27001 Audit Checklist
An organization's resistance to failure is "the ability ... to withstand changes in its operating environment and still function". Often called resilience, this is a capability that enables organizations to either endure environmental changes without having to permanently adapt, or the organization is forced to adopt a new way of working that better suits the new environmental conditions.
Business continuity planning is the process of creating systems of prevention and recovery to deal with potential threats to an organization. In addition to prevention, the goal is to permit ongoing operation, before and during the execution of disaster recovery.
Business continuity is the intended outcome of perfect execution of business continuity planning and disaster recovery. It is the payoff for cost-effective buying of spare machines and servers, performing timely backups and bringing them off-site regularly, assigning responsibilities, performing planned drills, creating awareness, educating employees and being vigilant to incidents.
A significant cost in planning for BCP & DR is the preparation of audit compliance management documents; automation tools are available, but they do little to reduce the time and cost associated with manually producing this information.
Planners of a Business Continuity Plan and Disaster Recovery audit checklist must have information about:
Equipment (devices, servers, computing equipment, etc.)
Supplies and suppliers, vendors, contractors
Records, documents and documentation (documented information), including which have off-site backup copies:
Business documents, proprietary knowledge, contracts, Intellectual property
Processes and Procedure documentation
Analysis and evaluation
The analysis phase mainly consists of
threat analysis and
Quantification of loss ratios should also include "dollars to defend litigation or a lawsuit." It is estimated that one dollar spent in loss prevention can prevent "07 dollars of disaster-related economic loss."
Business impact analysis (BIA) is another element that needs to be considered in the Business Continuity Plan Checklist and Disaster Recovery Checklist.
A business impact analysis (BIA) essentially differentiates critical (urgent) from non-critical (non-urgent) organization functions/activities. A function can be considered critical if required by law.
For each function, two values are assigned, which are to be considered in the Business Continuity Plan Checklist and Disaster Recovery Checklist:
Recovery Point Objective (RPO) is the acceptable latency of data that will not be recovered. For example, is it acceptable for the company to lose 1 day, or 2 days, or 3 days of data? The recovery point objective must ensure that the maximum tolerable data loss for each activity is not exceeded.
Recovery Time Objective (RTO) is the acceptable amount of time to restore the function.
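One way to turn the RPO and RTO values above into an automated audit check, as an added example that is not part of the original checklist. The register fields, function names and sample values are constructed, and it assumes that the time of the newest restorable backup and the restore time measured in the last drill are recorded for each function.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Function:
    name: str
    critical: bool                       # BIA classification: critical vs non-critical
    rpo: timedelta                       # acceptable window of data that is not recovered
    rto: timedelta                       # acceptable time to restore the function
    last_backup: datetime                # newest backup known to be restorable
    drill_restore: Optional[timedelta]   # restore time measured in the last drill

def audit(functions, now):
    """Return (name, finding) pairs, critical functions first."""
    findings = []
    for f in sorted(functions, key=lambda f: not f.critical):
        exposure = now - f.last_backup   # data that would be lost if the site failed now
        if exposure > f.rpo:
            findings.append((f.name, f"RPO exceeded: {exposure} at risk, limit {f.rpo}"))
        if f.drill_restore is None:
            findings.append((f.name, "RTO unverified: no restore drill recorded"))
        elif f.drill_restore > f.rto:
            findings.append((f.name, f"RTO exceeded: drill took {f.drill_restore}, limit {f.rto}"))
    return findings

# Constructed sample BIA register (hypothetical functions and values).
NOW = datetime(2024, 3, 4, 9, 0)
REGISTER = [
    Function("intranet wiki", False, timedelta(days=3), timedelta(days=5),
             NOW - timedelta(days=4), timedelta(days=2)),
    Function("payroll", True, timedelta(days=1), timedelta(hours=8),
             NOW - timedelta(hours=30), timedelta(hours=6)),
    Function("order processing", True, timedelta(hours=4), timedelta(hours=2),
             NOW - timedelta(hours=1), None),
    Function("statutory reporting", True, timedelta(days=1), timedelta(hours=12),
             NOW - timedelta(hours=20), timedelta(hours=16)),
]

if __name__ == "__main__":
    for name, finding in audit(REGISTER, NOW):
        print(f"{name}: {finding}")
```

A function with no recorded restore drill is reported as unverified rather than passed, since an RTO that has never been exercised is only an estimate.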
Maximum time constraints for how long an organization's key products or deliverable services can be unavailable or undeliverable before stakeholders perceive unacceptable consequences have been named as:
Maximum Tolerable Period of Disruption (MTPoD)
Maximum Tolerable Downtime (MTD)
Maximum Tolerable Outage (MTO)
Maximum Allowable Outage (MAO)
After defining recovery requirements, every potential threat can require unique recovery steps. Common threats include:
Sabotage (insider or external threat)
other major storm
Epidemic
Water outage (supply interruption, contamination)
Theft (insider or external threat, vital information or material)
Random failure of mission-critical systems
Single point dependency
While preparing the Business Continuity Plan Checklist and Disaster Recovery Checklist, note that the above areas may cascade: responders may grapple and stumble, and supplies can run out or become depleted. During the SARS outbreak in 2002-2003, some companies compartmentalized and rotated teams to match the incubation period of the pandemic disease. These companies also banned in-person contact during both business and non-business hours. This increased resiliency against the threat.
Tiers of preparedness
SHARE's seven tiers of disaster recovery, released in 1992, were updated in 2012 as an eight-tier model:
Tier 0 - Nothing off-site... "recovery time .. unpredictable ..." - possibly not possible.
Tier 1 - called "PTAM (Pickup Truck Access Method)" - but a hot site (backup hardware).
Tier 2 - Hot site - will need hours or even days to load the most recent backup tapes.
Tier 3 - Transaction data at the off-site is kept relatively current via an ongoing high-speed data link (electronic vaulting) and "an automated tape library at the remote site."
Tier 4 - "Point-in-time copies" so that less reprocessing of transactions will be needed.
Tier 5 - "Transaction integrity" - the hot site is kept as up-to-the-moment as possible.
Tier 6 - "Zero or Near-zero data loss"
Tier 7 - "Highly automated" recovery - few if any manual steps following the main site failure; rollover to running at the hot site is automatic.
Two key requirements emerge from the impact analysis stage:
For IT: the minimum application and data requirements and the time in which they should be available.
Outside IT: preservation of hard copy (for example, contracts). A process plant should consider skilled staff and embedded technology.
This phase overlaps with disaster recovery planning.
The solution phase determines the following:
Crisis management command structure
Telecommunication architecture between primary and secondary work sites
Data replication methodology between primary and secondary work sites
Backup site - applications, data
Data, applications and workspace required at the secondary work site
Specialized technical resources should be maintained. Checks must include:
Virus definition distribution
Application security and service patch distribution
Please note that physical and environmental security (Admin), human resource security and IT security are not part of the BCP and DR audit, since these dedicated departments each have a huge set of controls of their own to address.