Once upon a time, there was this little thing called COVID. This itty bitty virus brought along with it loads of previously unasked questions; What would happen if the worldwide supply of toilet paper ran out? If someone washed their hands every 4 minutes, would they throw off their body’s water/tissue ratio, and turn into a big puddle on the floor? And perhaps most importantly (for the context of this post, anyway), if all company operations would be forced to shift from in-office to remote – in the blink of an eye – could a business possibly continue to function effectively?
Thankfully, for the most part the pandemic is behind us (or at least, we pretend it is, so we can move on with life and do fun things, like going to supermarkets where TP is stocked in abundance.) But in any experience, the most important part is the lessons learned – and for many companies, that lesson was the need to create a rock solid business continuity plan.
The Need for Business Continuity
The truth is, business continuity planning has always been a critical process, even before the pandemic brought the need roaring to the forefront. Typically part of any risk assessment program, a business continuity plan delineates the most critical assets, systems, and processes a business has, and then establishes the policies that guide on how to respond with minimal damage or downtime. Essentially, it serves as the blueprint for how businesses operate during and after any sort of disruption or crisis.
And while human nature is to not think about unpleasantries until it’s just too darn late, thanks to Security Compliance standards, companies MUST establish their own BCP in order to meet requirements. In all frameworks, there is a control regarding business continuity planning that must be met to pass the audit. For example in ISO 27001 Annex A:17, the control states that companies must prepare a business continuity plan in order to avoid uncertainties and potential damage.
Likewise, in SOC 2, Availability TSC A1.3 requires the development and annual testing of a business continuity plan. NIST’s CSF Information Protection Processes and Procedures (PR.IP) requires response plans of all kinds, including business continuity and disaster recovery to be ‘in place and managed’. Mature organizations create real, realistic scenarios and test them to the fullest degree, and will even sacrifice valuable work hours of valuable employees for proper simulations.
In enterprises, business continuity planning often falls under the purview of the GRC/Compliance team, but then the individual plans per critical process will be built in conjunction with the process owners who will have the relevant expertise to define what the plan needs to be. But outside the enterprise realm, it may be a bit less clear. Now let’s say for argument’s sake that you’re the Compliance leader/person/whatever in your growing organization –- you know you need a plan: a) in order to pass your audits, and b) to not fall to pieces the next time the zombie apocalypse occurs. Where do you start? How can you design a plan that addresses your unique needs?
We’ll break it down for you into a few tolerable steps.
How to Build a Business Continuity Plan (or, How to Expect the Unexpected)
Step one – Set the stage
“Avengers, assemble”. Or something like that. This initial stage is where you find your heroes, the people who will help you launch your plan into action the moment it’s needed. These are stakeholders with various areas of operational expertise who can help you ensure their domain is adequately understood in the planning stages, and then addressed when things happen. It’s super important to make sure these people are aware of their roles and responsibilities in this context, which may include training others within their teams on how to respond to events.
Step two – Perform your Business Impact Analysis
Next, focus on understanding the impact. This is where performing a thorough Business Impact Analysis (BIA) comes in. According to the US government, “A business impact analysis (BIA) predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies.” How to get started on that, though? Check out this handy BIA questionnaire, again, complements of the US government.
Step three – Determine RTO (recovery time objective) for processes
Using your BIA, take a look at the most important activities and resources within the organization and try to determine the Recovery Time Objective, i.e., your optimal amount of time in which you’ll aim to be back up and running. You’ll also need to determine the Maximum Tolerable Period of Disruption, or the MTPD. This is the maximum period of time your company could do without said asset. A week without anyone noticing? Great, it’s probably not so critical. But if a production system were to fail, and would cause pandemonium, well that’s probably a good indicator that the system is pretty darn critical – and is thus why you need to build a business continuity plan for when that particular production system fails.
Step four – Explain how to achieve RTO
It’s also important to delineate how each process should be restored here. So to use a familiar example; if suddenly, you have to vacate premises due to an irksome little virus, are all employees set up with the WFH capabilities? Do they have the technical set up + equipment to switch over within the determined RTO? Detailing how each RTO can be achieved will help make it more likely to go off with fewer hitches.
Step five – Test and monitor
This part probably isn’t too surprising – if you want to be sure your plan is airtight, best to not wait ‘til the boat is sinking. Testing and monitoring on a regular basis will help you perfect and tweak where needed. Almost every Compliance standard will require an annual simulation and annual training should be a real, hands-on, technological simulation (e.g. restoring the entire production environment into a new region because there is a regional failure). Then you can begin to train your staff on the new plan.
Plan Now – Because Zombies Don’t Knock
And this is why having a business continuity plan is such an important element of Security Compliance standards. Having one in place ensures that when the zombie apocalypse comes, or when a new virus rears its ugly little head (Reindeer Pox 2022, anyone?), your organization will be fully prepared to respond in minimal time and with optimal processes.