Contingency

Comparison between ISACA and DRII Business Continuity Plan

DRII vs ISACA Business Continuity Plan Comparison

ISACA (Information Systems Audit and Control Association) and DRII (Disaster Recovery Institute International) are the two organizations that have the competency to publish step-by-step procedures for Business Continuity Management. However, if you compare the steps from ISACA and DRII, you will find some small differences in approach. Here are some examples:

ISACA Business Continuity
1. Project management and initiation
2. Business impact analysis
3. Recovery strategy
4. Plan design and development
5. Training and awareness
6. Implementation and testing
7. Monitoring and maintenance

How many plans should I prepare? BCP, DRP or COOP

I hate the (incompetent) IS auditor; here is the story. One day, an external auditor from a Big 4 audit firm comes to check your IT system. This guy discusses some issues with the executive level of your company. This textbook auditor then asks you to prepare a document or plan in case of disaster or incident. You, in charge of the IT department, then ask the auditor a question:
“Can you explain in more detail what type of document? I’m a little bit confused by your jargon of BCP, DRP, COOP; what is the difference?”

And here is the explanation: theoretically, according to the NIST SP 800-34 standard, you must prepare:

1. Business Continuity Plan (BCP)

Purpose: Provide procedures for sustaining essential business operations while recovering from a significant disruption
Scope: Addresses business processes; IT addressed based only on its support for business process

2. Business Recovery (or Resumption) Plan (BRP)

Purpose: Provide procedures for recovering business operations immediately following a disaster
Scope: Addresses business processes; not IT-focused; IT addressed based only on its support for business process

Review of Business Continuity Management Framework

Recent natural disasters, such as earthquakes or tsunamis, are true evidence that all business operations need appropriate business continuity management. Today, there are many world standards that can be followed to get the best implementation of business continuity management, from the US standard NIST SP 800-34 to British Standard 25999. Here is a simple comparison between the two standards.

 
