HB 292 2006 A Practitioners Guide to Business Continuity Management



Similar documents
BUSINESS CONTINUITY MANAGEMENT

Best Practice Board Reporting

Australian Standard. Guidelines for quality management system documentation AS ISO ISO/TR 10013:2001 AS ISO 10013

Australian/New Zealand Standard

Australian Standard. Standard metamodel for software development methodologies AS AS

Australian/New Zealand Standard

This is a free 9 page sample. Access the full version online. AS/NZS ISO 31000:2009 Risk management Principles and guidelines

Business Continuity - IT Disaster Recovery Discussion Paper - - Commercial in Confidence Version V2.0R Wednesday, 5 September 2012

Chapter I: Fundamentals of Business Continuity Management

ESCB definitions of major business continuity terms in relation to payment and securities settlement systems 1

AS/NZS 4801:2001. Occupational health and safety management systems. Specification with guidance for use. Australian/New Zealand Standard

This is a free 9 page sample. Access the full version online. AS/NZS ISO 31000:2009 Risk management Principles and guidelines

Business continuity management policy

AS AS Australian Standard. Health Care Client Identification. This is a free 8 page sample. Access the full version online.

BUSINESS CONTINUITY: BEST PRACTICE, 2ND EDITION

#316 The Security Elements of Business Continuity & Disaster Recovery Plans

COMCARE BUSINESS CONTINUITY MANAGEMENT

Australian Standard. Quality management systems Guidelines for configuration management AS ISO ISO 10007:2003 AS ISO 10007

Business Continuity Policy

BUSINESS CONTINUITY MANAGEMENT IN THE PUBLIC SECTOR A ROUGH GUIDE

BSO Board Director of Human Resources & Corporate Services Business Continuity Policy. 28 February 2012

Merrycon s Approach to Business Continuity Management

KPMG Information Risk Management Business Continuity Management Peter McNally, KPMG Asia Pacific Leader for Business Continuity

Coping with a major business disruption. Some practical advice

Business Continuity Management Framework

Business Crisis and Continuity Management and Planning

Australian Standard. Bridge design. Part 1: Scope and general principles AS AP-G15.1/04 AS

Business Continuity Management Policy

Business Continuity Planning for Water Utilities: Guidance Document [Project #4319]

Introduction UNDERSTANDING BUSINESS CONTINUITY MANAGEMENT

PBSi Business Continuity Planning

BUSINESS CONTINUITY MANAGEMENT FRAMEWORK

1.0 Policy Statement / Intentions (FOIA - Open)

AS AS Australian Standard. Emergency eyewash and shower equipment. This is a free 6 page sample. Access the full version online.

BUSINESS CONTINUITY POLICY

Australian Standard. Guidance on statistical techniques for ISO 9001:2000 (ISO/TR 10017, Ed. 2.0 (2003) MOD) AS ISO AS ISO

Australian Standard. Emergency control organization and procedures for buildings, structures and workplaces AS

IRM CERTIFICATE AND DIPLOMA OUTLINE SYLLABUS

Desktop Scenario Self Assessment Exercise Page 1

Business Continuity Management

Emergency Response and Business Continuity Management Policy

Business Continuity Management

BUSINESS CONTINUITY MANAGEMENT POLICY

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA

International Diploma in Risk Management Syllabus

OPTIONS FOR EDUCATION AND TRAINING...3 LEARNING RESOURCES...5 TABLE TOP EXERCISE: POWER OUTAGE SCENARIO...7

Sector Development Ageing, Disability and Home Care Department of Family and Community Services (02)

Business Continuity Planning

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Three

Monetary Authority of Singapore BUSINESS CONTINUITY MANAGEMENT GUIDELINES

Finding the areas for improvement in plans, processes and procedures to protect shareholder value Performance driven. Quality assured.

Accreditation Application Forms

Business Continuity Planning (BCP) 101

Business Continuity Management Policy

Intel Business Continuity Practices

The PNC Financial Services Group, Inc. Business Continuity Program

DRAFT BUSINESS CONTINUITY MANAGEMENT POLICY

Evaluating and Improving Your Business Continuity Plan

This presentation will introduce you to the concepts and terminology related to disaster recovery planning for businesses.

Principles for BCM requirements for the Dutch financial sector and its providers.

Australian/New Zealand Standard

Tips and techniques a typical audit programme

Business Continuity and Disaster Recovery Planning

Prudential Practice Guide

Birmingham CrossCity Clinical Commissioning Group. Business Continuity Management Policy

BS BUSINESS CONTINUITY MANAGEMENT

Business Continuity. Is your Business Prepared for the worse? What is Business Continuity? Why use a Business Continuity Plan?

Temple university. Auditing a business continuity management BCM. November, 2015

Fundamentals of Business Continuity Planning Have a Plan!

Business Continuity Management Policy

Continuity of Business

THE COMPETENCIES REQUIRED FOR EXECUTIVE LEVEL BUSINESS CRISIS AND CONTINUITY MANAGERS. Gregory L. Shaw

Business Continuity Management Case Study

Business Continuity and Risk Management. Ken Kaberia Principal BCM Officer, Enterprise Risk Safaricom Limited

National Fire Protection Association s Contribution to Business Continuity Strategies

August 2013 Recommendations for Business Continuity Management (BCM)

The PNC Financial Services Group, Inc. Business Continuity Program

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT

Business Continuity Management

Building and Maintaining a Business Continuity Program

Business Continuity Management

NORTH HAMPSHIRE CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY MANAGEMENT POLICY AND PLAN (COR/017/V1.00)

Overview TECHIS Manage information security business resilience activities

Business Continuity Management Planning Methodology

HOW CAN YOU ENSURE BUSINESS CONTINUITY? ISO AUDITS, CERTIFICATION AND TRAINING

Business Continuity Trends, Requirements and Expectations in Brian Zawada (MBCP) Director of Consulting Services Avalution Consulting

A Practical Approach to Business Impact Analysis

Australian Standard. Information technology Service management. Part 2: Guidance on the application of service management systems

Consultative report. Committee on Payment and Settlement Systems. Board of the International Organization of Securities Commissions

Transcription:

HB 292 2006 A Practitioners Guide to Business Continuity Management HB

HB 292 2006 Handbook A practitioners guide to business continuity management First published as HB 292 2006. COPYRIGHT Standards Australia All rights are reserved. No part of this work may be reproduced or copied in any form or by any means, electronic or mechanical, including photocopying, without the written permission of the publisher. Published by Standards Australia, GPO Box 476, Sydney, NSW 2001, Australia ISBN 0 7337 7472 5

HB 292 2006 2 Preface This Guide provides an overview of selected generally accepted practices and emerging new practices used variously within Australasia, USA and UK. Business Continuity Management (BCM) practice is such that approaches that work well in one organisation may be wholly inappropriate for a different organisation. Extreme care therefore needs to be taken in deciding what and how aspects of BCM will be implemented within an organisation. The structure of the Guide is based on Standards Australia/ Standards New Zealand Business Continuity Management Handbook HB 221:2004. Much of the information presented is fully consistent with HB 221. However, the principles of HB 221 have been significantly expanded upon and extensive new explanatory information is provided. This material is broadly consistent with the principles of other generally accepted practices such as NFPA1600 and the BCI Good Practice Guidelines 2005, Spring TR19: 2005; and the work of the DRII and DRJ. Readers need to be aware that the content of this Guide represents in-progress research by the authors and is subject to change without notice. This Guide is not intended to provide authoritative advice and no guarantee or warranty is provided as to the accuracy or applicability of any information provided in this Guide. Dr Carl A. Gibson and Gavin Love January 2006

3 HB 292 2006 Contents Page 1 Business continuity management? 1.1 What comprises business continuity management?... 7 1.2 Defining BCM... 8 1.3 The nature of crises and disasters... 9 1.4 Different approaches to business continuity and common elements... 11 1.5 BCM: Interrelationships with other disciplines and activities... 13 1.6 What are the benefits of implementing BCM?... 14 1.7 The BCM process... 14 1.8 Summary... 16 2 Commencement of Business Continuity Management: establishing a framework and managing the program 2.1 Introduction... 18 2.2 Awareness and understanding... 18 2.3 Gaining management commitment... 20 2.4 The need for communication and engagement... 21 2.5 Preparation of the business case... 22 2.6 Gaining the commitment of others... 23 2.7 Establishing the infrastructure for BCM... 24 2.8 Development of the BCM policy... 25 2.9 Confirmation of processes... 25 2.10 Resource allocation... 26 2.11 BCM program governance... 26 2.12 Summary... 27 2.13 The commencement checklist... 28 2.14 Example templates... 30 3 Assessing risks and developing disruption scenarios 3.1 What is risk?... 31 3.2 Using risk assessment in BCM... 31 3.3 Communicate and consult... 33 3.4 Establishing the context... 33 3.5 Identifying risk... 37

HB 292 2006 4 3.6 Analysing risk... 40 3.7 Evaluating risk... 46 3.8 Treating risk... 47 3.9 Monitor and review... 49 3.10 Developing disruption scenarios and dealing with uncertainty... 50 3.11 Summary... 52 3.12 The risk assessment checklist... 53 3.13 Risk assessment templates... 54 4 Conducting the business impact analysis 4.1 What is the business impact assessment?... 56 4.2 Step 1: Developing Communications for the BIA... 57 4.3 Step 2: Confirming critical business functions... 59 4.4 Step 3: Identify resource requirements... 59 4.5 Step 4: Establish interdependencies... 60 4.6 Step 5: Determine the disruption impacts... 62 4.7 Step 6: Identify the maximum acceptable outage times and recovery objectives... 64 4.8 Step 7: Identify alternate workarounds and processes... 66 4.9 Confirming current preparedness... 67 4.10 Summary... 68 4.11 The BIA checklist... 69 4.12 BIA templates... 71 5 Developing BCM Strategies Reaction to an incident 5.1 The emergency response... 79 5.2 The continuity phase... 80 5.3 Recovery and restoration phase... 81 5.4 Summary... 82 5.5 The strategy development checklist... 83 5.6 Strategy development template... 85 6 Assessing and collating resources requirements Consolidating resource information 6.1 Assessing organisational capabilities... 89 6.2 Summary... 89 6.3 The assessing and collating resources checklist... 90 7 Writing the Plan Guiding principles 7.1 The framework of plans... 92 7.2 Content of plans: generic... 93

5 HB 292 2006 7.3 Contents of plans: Specific... 93 7.4 Summary... 96 7.5 The continuity plan checklist... 96 8 Developing the Communications Strategy 8.1 Introduction... 97 8.2 Communication during and after incident... 97 8.3 Developing the written communications plan... 98 8.4 Identifying stakeholders and their needs... 100 8.5 Using IRACI... 103 8.6 Understanding effective communication... 103 8.7 Summary... 112 8.8 The communications strategy checklist... 113 9 Maintenance of BCM 9.1 Introduction... 114 9.2 Understanding: training and awareness... 115 9.3 Performance... 124 9.4 Assurance... 126 9.5 Summary... 133 9.6 The maintenance checklist... 134 9.7 Exercise template... 135 10 Activation and deployment 10.1 Control and coordination of activated plans... 136 10.2 Coordination and control framework... 137 10.3 Building disaster kits... 139 10.4 Record keeping... 139 10.5 Summary... 139 10.6 Activation and deployment checklist... 140 APPENDICES A Communication channels... 141 B Sources of risk... 144 C Example of a priority triage rating framework... 145 D Example threats and hazards... 146 E Vulnerability assessment Issues for consideration... 148 F Document recovery and restoration triage... 151 G Example of consolidated resource mapping... 152 H Example of content for other plans... 154

HB 292 2006 6 I Glossary of terms... 155 J Bibliography... 162 K Acknowledgements... 164 L A practioner s guide to business continuity management work book... 165

7 HB 292 2006 1 Business continuity management? 1.1 What comprises business continuity management? A wide range of terminology has been used to describe the processes associated with managing disruptions. Some of these terms include: Business continuity planning; Continuity planning; Contingency planning; Crisis management; Disaster recovery planning; Emergency management; Incident management; Disruption management; Business resumption planning; and Business resilience. Originally these terms each had distinct meanings, but with time they have become interchangeable for many organisations and practitioners. This has often caused confusion and at times heated debate amongst practitioners. In recent years the term business continuity management (BCM) has emerged to replace this disparate terminology. Today, under the BCM umbrella, some of the terminology is beginning to return to its original meanings where: Business continuity planning is often used to refer to those BCM activities associated with activities that assist in the continuing availability and capability of property, people and information; and Disaster recovery planning is often used to refer to those BCM activities associated with the continuing availability and restoration of the IT infrastructure (but should not be confused with the wider recovery and restoration activities). www.standards.com.au Standards Australia

HB 292 2006 8 1.2 Defining BCM The Joint Standards Australia/Standards New Zealand handbook for Business Continuity Management (HB 221: 2004) defines business continuity as: Business Continuity Management provides the availability of processes and resources in order to ensure the continued achievement of critical objectives. This is an important definition as it identifies both what a well founded approach to BCM must achieve as well as the means of achieving it: critical objectives what the organisation, project, team, individual must absolutely strive to achieve, i.e. what are the priorities and what are less important. These will ultimately direct our focus for BCM; processes and resources the processes that will allow critical objectives to be achieved, and the resources required to support those processes; availability processes and resources must be capable and accessible; and continued the capability to achieve critical objectives needs to be sustainable in the face of future uncertainty. 1.2.1 The elements of good practice BCM is NOT about having a nice printed document that contains some what ifs and possible responses that can be presented to senior management, the Board or auditors to earn a tick off and then be stored in a drawer. BCM IS about having a robust process that allows individuals to: Better understand uncertainty about the future; Realise the potential for different types of disruption; Better plan for future management of those disruptions, and to put in place business improvement now to reduce the likelihood and/or consequence of significant future disruption. The interrelationship of these elements is summarised in Figure 1. Standards Australia www.standards.com.au

The remainder of this document is available for purchase online at www.saiglobal.com/shop SAI Global also carries a wide range of publications from a wide variety of Standards Publishers: Click on the logos to search the database online.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information