Review of Business Continuity Management Framework
Recent natural disasters, such as earthquakes and tsunamis, are clear evidence that every business operation needs appropriate business continuity management. Today there are many international standards that can be followed to get the best implementation of business continuity management, from the US standard NIST SP 800-34 to British Standard 25999. Here is a simple comparison between the two standards.
British Standard 25999
released: December 2006
Section 6 - Understanding the organization. In order to apply appropriate business continuity strategies and tactics, the organisation has to be fully understood: its critical activities, resources, duties, obligations, threats, risks and overall risk appetite.
Section 7 - Determining BCM Strategies. Once the organisation is understood, the overall business continuity strategies that are appropriate can be defined.
Section 8 - Developing and implementing a BCM response. The tactical means by which business continuity is delivered. These include incident management structures, incident management and business continuity plans.
Section 9 - Exercising, maintenance, audit and self-assessment of the BCM culture. Without testing the BCM response, an organisation cannot be certain that it will meet its requirements. Exercise, maintenance and review processes will enable the business continuity capability to continue to meet the organisation's goals.
Section 10 - Embedding BCM into the organization's culture. Business continuity should not exist in a vacuum but become part of the way that the organisation is managed.
NIST SP 800-34
released: June 2002
1. Develop the contingency planning policy statement. A formal department or agency policy provides the authority and guidance necessary to develop an effective contingency plan.
2. Conduct the business impact analysis (BIA). The BIA helps to identify and prioritize critical IT systems and components. A template for developing the BIA is also provided to assist the user.
3. Identify preventive controls. Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.
4. Develop recovery strategies. Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption.
5. Develop an IT contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system.
6. Plan testing, training, and exercises. Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness.
7. Plan maintenance. The plan should be a living document that is updated regularly to remain current with system enhancements.