Download Free Business Continuity Management Framework Audit Checklist

The Business Continuity Management framework, which should be owned by the information security adviser, should provide for coordination of plans across an organization, setting planning and continuity priorities, and should cover individual domain plans, testing and continuous maintenance. It should also, as ISO 27002 identifies, include:
- An escalation procedure, which identifies how to assess the situation, who is to be involved in the decision that an incident is to be escalated and who is told what, when and the criteria that will trigger escalation.
- An internal mobilization and briefing procedure to ensure that everyone within the organization who has a role to play in dealing with the incident is alerted and appropriately briefed within a specified timescale.
- An external mobilization and briefing procedure, which should include all third-party organizations that may have a role to play in dealing with the disaster, and should include relevant and appropriate press contacts.
- The information security adviser should ensure that all individual continuity plans are presented in the same format. This makes it simpler and easier for people to follow them in an emergency and for people not familiar with specific plans to understand them quickly. This format should show clearly the conditions under which the plan will be activated, how the situation should be assessed, who else might need to be involved and what type of actions might be required.
- There should be a full range of emergency procedures, including how to deal with attacks on systems, fire, flood or other physical impact on the premises of the organization.
- There should be emergency evacuation procedures as well as appropriate accident procedures. These should set out precisely what has to be done by whom and should be clearly linked into the calling trees described above.
- Fall-back procedures should also be planned in advance. For each of the critical systems identified in the business impact analysis, there should be a plan that enables the service to move to and operate from alternative premises within the specified timescale, and that ensures that affected business processes are returned to operation within this timescale.
- Each plan should detail any necessary temporary operational procedures that will apply until resumption is complete. These will range from the handling of incoming telephone calls or customer/staff enquiries through to alternative goods delivery sites.
- Each plan should contain resumption procedures setting out how the service is to be brought back to normal operation. (It might need to include the setting down of details of suppliers of particular equipment, how that equipment is to be configured and what its dependencies and dependants are.) ‘Normal’ needs to be clearly defined (number of transactions, level of configuration, etc), so that it is possible to establish when it has been achieved.
- There should be a process for the testing of plans and for ensuring that lessons learned from tests are built into new versions of the plans. There needs to be a schedule setting out when and how the plans are to be tested. This should range from frequent tests for critical components of the plans that have an everyday importance (eg fire alarms, uninterruptible power supply (UPS) tests, etc) to much less frequent tests for those components of plans that the risk assessment says are much less likely to be required (eg fire sprinkler systems). Common components of a number of plans (eg emergency evacuation procedures) should also be tested regularly.
- Staff and key personnel at contractors should all receive training in the continuity plans that will affect them. In particular, they should receive training in recognizing the circumstances in which the plan may need to be invoked and to be aware of what changes in circumstances might affect the smooth operation of the plan when it is invoked and then ensuring that the plan is revised to take these changed circumstances into account. The process by which this training is to take place should be documented and there might even be an internal website where those who have responsibilities under the continuity plans are able to share experience and learning.
- The responsibilities of all individuals who may have to take specific action as identified in one of the continuity plans need to be specifically documented and added to the person’s job description. Alternatives should be identified to deal with holidays and other absences, including unplanned and involuntary ones.
- The staff exit process should include a step that reviews whether or not there is a continuity plan role and ensures that the plan and any related calling tree are appropriately updated. Similarly, the new starter process should allow for a continuity plan role to be identified at this stage, and for the plan and calling tree documents to be updated.
- The critical assets and their whereabouts (together with any information necessary to access them) need to be documented for each of the components of each plan. Any special operating skill or knowledge that may be required to operate any of these assets also needs to be identified, together with provision for its availability.