The reasons for implementing a Business Continuity Management System (BCMS), or selected elements of one, vary. They may result, among others, from:
- willingness to implement and certify the Business Continuity Management System according to international standards, such as ISO 22301,
- the need to adapt to the conditions imposed by the customer as part of supply chain management,
- the obligation to meet legal requirements, such as the Polish Act on the National Cybersecurity System (discussed in a separate article),
- the terms of the insurance policy purchased by the company,
- or simply a genuine need to protect the business.
Regardless of the reason for the decision to implement a BCMS or selected elements of it, effective business continuity management always rests on two pillars: prevention and an appropriate response. The first covers the analysis of the client's activities as part of the Business Impact Analysis (BIA), identification of the resources on which critical processes depend, identification of threats that could make those resources unavailable, and appropriate treatment of the risks identified. The second is preparation for the likely incident scenarios identified during the risk assessment or drawn from past experience. How is this done? By creating suitable business continuity plans, crisis communication rules, and emergency and recovery procedures. That is not all, however: the plans and procedures must be tested properly, so that there is evidence the adopted solutions will hold up when a real disruption occurs.
None of these elements can be omitted or oversimplified. Doing so leads to an incorrect definition of business continuity needs, omission of important resources, neglected risks, significant gaps in emergency and recovery procedures, or business continuity plans whose usefulness is doubtful because their effectiveness has never been tested.
We recommend that every BCMS implementation project, or project covering selected elements of business continuity management, begin with a pre-audit. Its main objective is to verify the degree to which the Customer already complies with the requirements of the reference standards and good practices in business continuity management, and to become familiar with the Organization, its adopted process model, the business continuity mechanisms already in place, and the technology used.
As part of the pre-audit, Blue Energy Experts carry out a documentation review and an on-site BCMS audit at the client's premises. The product of this stage is a report presenting the strengths and weaknesses of business continuity management, together with recommendations in the form of a roadmap describing the tasks that need to be implemented to raise the level of security of the business.
Business Impact Analysis (BIA) answers the question of which of the processes carried out in the Organization are particularly important. To make the process owners' assessment as objective as possible, Blue Energy Experts and the Project Team develop a detailed BIA methodology. The methodology defines criteria for scoring the financial, reputational, and regulatory and legal impact of an interruption of each process measured at fixed points in time (from several hours to several days).
In addition, as part of the BIA, business continuity parameters are determined for each process, including at least:
- RTO – Recovery Time Objective – the target time within which the process must be restored (at least to the MBCO level) after a disruption; it must be shorter than the MTPD,
- MBCO – Minimum Business Continuity Objective – the minimum level of process output that still allows business continuity to be maintained during a disruption,
- MTPD – Maximum Tolerable Period of Disruption – the time after which the adverse impacts of the process not being performed become unacceptable to the Organization; a process whose RTO does not fit within its MTPD has no workable recovery target.
The results of the analysis are compiled into a BIA report containing a detailed assessment of the individual processes. The document also lists the critical processes on which further design work is focused. Thanks to this approach, non-critical processes are kept out of the BCMS design, which results in significant savings for the client.
In IT projects, the BIA is performed in relation to specific systems rather than business processes.
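The BIA parameters above are easy to get wrong in a spreadsheet, in particular an RTO that is longer than the MTPD it is supposed to fit within. The following is an added illustration, not Blue Energy's methodology or any tool from the original page: a small Python model in which each process is scored 1 to 5 for financial, reputational and regulatory impact at fixed disruption horizons, the MTPD is derived as the first horizon at which any impact category reaches the "unacceptable" level, and each record is checked for RTO < MTPD. The horizons, the 1 to 5 scale, the threshold of 4, and the three sample processes are all assumed and constructed for the example.

```python
"""Toy BIA scoring helper (added example; horizons, scale, threshold and sample
data are assumptions, not the methodology described on the page)."""
from dataclasses import dataclass
from typing import Optional

HORIZONS_H = (4, 8, 24, 72, 168)       # assumed assessment horizons, in hours
CATEGORIES = ("financial", "reputational", "regulatory")
UNACCEPTABLE = 4                       # assumed: score >= 4 on a 1..5 scale


@dataclass
class Process:
    name: str
    rto_h: int        # Recovery Time Objective, hours
    mbco_pct: int     # Minimum Business Continuity Objective, % of normal output
    impacts: dict     # {horizon_hours: {category: score 1..5}}


def mtpd_hours(p: Process) -> Optional[int]:
    """First horizon at which any impact category becomes unacceptable.
    None means the process tolerates disruption for the whole assessed period,
    i.e. it is not critical under this model."""
    for h in HORIZONS_H:
        scores = p.impacts.get(h, {})
        if any(scores.get(c, 1) >= UNACCEPTABLE for c in CATEGORIES):
            return h
    return None


def findings(p: Process) -> list:
    """Consistency checks a reviewer applies to each BIA record."""
    out = []
    m = mtpd_hours(p)
    if m is not None and p.rto_h >= m:
        out.append(f"{p.name}: RTO {p.rto_h}h is not below MTPD {m}h; "
                   "either the recovery target is unachievable or the MTPD is wrong")
    if not 0 < p.mbco_pct <= 100:
        out.append(f"{p.name}: MBCO {p.mbco_pct}% is outside (0, 100]")
    missing = [h for h in HORIZONS_H if h not in p.impacts]
    if missing:
        out.append(f"{p.name}: no impact scores for horizons {missing}")
    return out


def critical_processes(processes) -> list:
    """Names of critical processes, most time-sensitive (shortest MTPD) first."""
    crit = [(mtpd_hours(p), p.name) for p in processes if mtpd_hours(p) is not None]
    return [name for _, name in sorted(crit)]


def score(f, r, g):
    return {"financial": f, "reputational": r, "regulatory": g}


# Constructed sample data for three hypothetical processes.
SAMPLE_PROCESSES = [
    Process("Order fulfilment", rto_h=8, mbco_pct=50, impacts={
        4: score(2, 1, 1), 8: score(3, 2, 1), 24: score(4, 3, 2),
        72: score(5, 5, 3), 168: score(5, 5, 5)}),
    Process("Payroll", rto_h=96, mbco_pct=100, impacts={      # RTO deliberately too long
        4: score(1, 1, 1), 8: score(1, 1, 1), 24: score(2, 1, 2),
        72: score(3, 3, 4), 168: score(5, 4, 5)}),
    Process("Internal newsletter", rto_h=168, mbco_pct=100, impacts={
        4: score(1, 1, 1), 8: score(1, 1, 1), 24: score(1, 1, 1),
        72: score(2, 1, 1), 168: score(2, 2, 1)}),
]

if __name__ == "__main__":
    for p in SAMPLE_PROCESSES:
        print(f"{p.name}: MTPD={mtpd_hours(p)}h RTO={p.rto_h}h MBCO={p.mbco_pct}%")
        for f in findings(p):
            print("  FINDING:", f)
    print("Critical processes:", critical_processes(SAMPLE_PROCESSES))
```

In this model "Payroll" is flagged because its RTO of 96 hours exceeds the 72-hour MTPD derived from its regulatory impact score, and "Internal newsletter" never reaches the unacceptable level and is therefore excluded from further BCMS design work, which is exactly the filtering the BIA report is meant to deliver.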
The business continuity risk assessment focuses on the processes that the BIA identified as critical activities. Both the Business Impact Analysis and the Risk Assessment are carried out in accordance with the methodology developed by the Project Team. The purpose of the risk assessment is to obtain a full picture of the threats and vulnerabilities that may significantly affect the continuity of the processes carried out in the Organization. A correctly performed risk assessment is therefore a valuable source of knowledge for the people managing the organization.
We recommend that the risk assessment be performed against the resources required to run the critical processes. Resource categories vary by business: they may be people and their specific competences, IT systems, industrial automation systems, machinery and infrastructure, means of communication, internal procedures, and many more.
As part of the risk assessment, Blue Energy's experts and the Client's representatives identify threats and vulnerabilities and estimate the likelihood and impact of each risk. The resulting actions are recorded in the Risk Treatment Plan and cover both planned preventive measures and the event scenarios that should be addressed by dedicated business continuity procedures.
The product of this stage is a report containing the detailed results of the risk assessment together with the Risk Treatment Plan.
At this stage, Blue Energy Experts prepare the BCMS documentation. The scope, structure and content of the documents are agreed by the Project Team to meet the client's requirements. The documentation model for a company implementing the full set of ISO 22301 requirements differs from that for an organization that only needs a Business Continuity Plan to satisfy its insurer. In each case, a list of the documents to be developed is drawn up.
The proposed scope of documentation for the implementation of the Business Continuity Management System based on ISO 22301 includes, among others:
- Business Continuity Management Policy & Strategy,
- BIA analysis methodology,
- Risk Management methodology,
- Business Continuity Plan Template,
- Model of an emergency / recovery procedure,
- Procedure for developing and testing business continuity plans,
- Security requirements for external suppliers.
Each document is drafted by Blue Energy Experts; the final versions are produced with the active participation of the client.
We recommend that business continuity incident response documentation be split into two levels: a higher level, covered by the Business Continuity Plan, and a lower, operational level, covered by the emergency and recovery procedures.
As part of the project, Blue Energy Experts develop a Business Continuity Plan including:
- a list of critical processes along with the resources necessary for their implementation,
- the structure of crisis management in the Organization,
- rules of notification as well as internal and external communication,
- rules for declaring and standing down crisis mode,
- business continuity strategy,
- way of monitoring and reporting work in crisis mode.
The target shape of the Business Continuity Plan is developed together with the Project Team.
At the operational level, the Business Continuity Plan is supplemented with specific procedures and instructions. Blue Energy experts support the client in preparing emergency procedures for business, production and technological processes as well as for IT and industrial automation. The Blue Energy team includes security architects, system administrators and pentesters, whose knowledge adds value when these procedures are written.
This model ensures an effective response to events both at the level of crisis management by Top Management (the Business Continuity Plan) and at the level of recovering processes and resources operationally (the emergency and recovery procedures).
Testing the effectiveness of the business continuity incident response procedures is the best way to check the organization before a real disruption occurs. That is why Blue Energy Experts place great emphasis on organizing practical BCMS tests. As part of the preparation for business continuity testing, we develop internal rules for planning tests, organizing them, and selecting effective test methods. They cover tests in the form of walkthroughs, tabletop exercises, and the most advanced form, operational tests.
As part of this stage, Blue Energy Experts:
- develop an annual schedule of business continuity tests with the Project Team,
- select test methods appropriate for the tested scenarios,
- develop test assumptions containing scenarios of emergency situations that are the subject of tests,
- take an active part in the tests by moderating tabletop exercises and operational tests,
- prepare business continuity test reports containing recommendations for continuous improvement.
Thanks to their experience and technical knowledge, Blue Energy Experts plan and moderate tests of organizational and business processes as well as more complex tests in the area of IT / OT infrastructure maintenance.
Related blog articles
The National Cybersecurity System (Krajowy System Cyberbezpieczeństwa) sets requirements for operators of essential services and digital service providers. What are these requirements, described rather sparingly in the Act? What does the Act itself say about how to ensure the security and continuity of essential services?
A common problem for organizations is providing an effective internal communication channel with proper accountability, for example for handling data subject rights requests or for reporting and handling personal data breaches.
How long does identifying and fulfilling a data subject's rights actually take? Does our record of processing activities support the exercise of those rights? Are we able to automate the processes for fulfilling data subject rights?