The ability to respond to a natural or man-made threat, ensure continuity of business operations, and protect human resources and assets in the event of a disaster or a business disruption is the primary objective of any business continuity management program.
Hello, and welcome to Information Security Governance, Risk, and Compliance. My name is Salvadore, and today we will learn how to audit a business continuity management program in 10 steps. Let's get started.
Point number one: Check and verify that a business continuity management policy is created and reviewed on a regular basis. Ensure the policy defines roles and responsibilities, workforce training, a framework for setting business continuity objectives, and the organizational risk appetite and tolerance used to plan, deliver, and support capabilities in the event of a business disruption.
Point number two: Make sure a business impact analysis is performed. The business impact analysis contains the identification of critical products and services with their inherent risks, the likelihood and impact of each risk, countermeasures to prevent, detect, and react to the identified risks, recovery time objectives, and recovery point objectives.
Point number three: Ensure a business continuity strategy is developed to reduce the impact of a disaster, ensure business continuity, and recover from business disruptions within the enterprise risk appetite. Make sure that the strategy covers the unavailability of all relevant components, and all activities and processes within the scope, whether on-premises or in the cloud.
Point number four: Check and verify that a business continuity plan is created and reviewed on a regular basis. Ensure that the plan consists of the following components: scope of activity, roles and responsibilities, clear lines of communication, recovery procedures, and the basis for BCM invocation. With respect to cyberattacks, ensure there is a skilled incident management technical team to manage the incidents. In the case of a pandemic, such as the one the world is going through now, users need to perform their functions working from home. Ensure endpoint security and network communication are effective so that business operations run smoothly.
Point number five: Check and verify that all the relevant documents, such as backup and restoration guidelines, network and architecture diagrams, alternate workarounds for performing business functions, and incident playbooks, are available instantly to support business continuity and operational resilience. Make sure that all the documents are reviewed for any changes that have occurred since they were last updated.
Point number six: Make sure all business continuity and operational resilience plans are tested at least annually. Check and verify that a tabletop exercise was performed, and that a report was generated to identify any shortcomings during the call. Make sure that a call tree exercise was performed to confirm communications with all users. Ensure users' contacts are stored and acknowledged, and that all calls and messages were recorded and verified. Check and verify the stress test reports to confirm that the tests were conducted as per the resilience plan.
Point number seven: In times of crisis, communication among stakeholders and the relevant entities is key to successfully managing a business disruption. Make sure that communication lines are identified, along with how communications are sent to the relevant parties, whether that be the press, the municipality, or business users. Make sure that a response structure is developed to deliver early warnings and communications to the stakeholders.
Point number eight: Business data is a key component in recovering from a disaster or a crisis situation. Make sure that a secure backup process is followed for storing data in times of crisis. Check sample backup and restoration evidence.
Point number nine: To recover from a natural disaster, like flooding or earthquakes, or a man-made disaster like fire, ensure that systems and network devices are housed in environmentally safe data centers, and that redundancy is always maintained. Ensure alternate sites, such as hot, warm, or cold sites, are designed according to business requirements and tested for effectiveness.
And finally, point number ten: Check and verify that a DR, or disaster recovery, activity is tested. Ensure that network switching to secondary sites happens automatically, and that servers and applications run without any issues.
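The evidence checks from points two, six, eight, and ten (RTO and RPO targets from the BIA, annual testing, backup restoration evidence, and DR failover tests) can be scripted so an auditor applies them consistently across services. This is an added example, not code from the video; the service names, dates, and targets are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass(frozen=True)
class BiaTarget:
    service: str
    rto_hours: float  # recovery time objective from the BIA
    rpo_hours: float  # recovery point objective from the BIA

@dataclass(frozen=True)
class RecoveryTest:
    service: str
    test_date: date
    kind: str  # "restore" (backup restoration) or "dr-failover" (switch to secondary site)
    succeeded: bool
    recovery_hours: Optional[float]   # measured time to recover; None if not measured
    data_loss_hours: Optional[float]  # age of recovered data at the point of disruption

def audit_service(target: BiaTarget, tests: List[RecoveryTest], as_of: date,
                  max_age_days: int = 365) -> List[str]:
    """Return audit findings for one service; an empty list means the evidence is adequate."""
    findings = []
    # Only successful tests within the review window count as evidence.
    recent_ok = [t for t in tests if t.service == target.service and t.succeeded
                 and 0 <= (as_of - t.test_date).days <= max_age_days]
    for kind, label in (("restore", "backup restoration"), ("dr-failover", "DR failover")):
        if not any(t.kind == kind for t in recent_ok):
            findings.append(f"{target.service}: no successful {label} test in the last {max_age_days} days")
    for t in recent_ok:  # a test that passed but missed its targets is still a finding
        if t.recovery_hours is not None and t.recovery_hours > target.rto_hours:
            findings.append(f"{target.service}: {t.kind} on {t.test_date} took {t.recovery_hours}h, "
                            f"exceeding RTO of {target.rto_hours}h")
        if t.data_loss_hours is not None and t.data_loss_hours > target.rpo_hours:
            findings.append(f"{target.service}: {t.kind} on {t.test_date} lost {t.data_loss_hours}h of data, "
                            f"exceeding RPO of {target.rpo_hours}h")
    return findings

# Constructed sample evidence: hypothetical services, targets, and dates.
TARGETS = [BiaTarget("payments", rto_hours=4, rpo_hours=1), BiaTarget("hr-portal", rto_hours=24, rpo_hours=12)]
TESTS = [
    RecoveryTest("payments", date(2021, 3, 10), "restore", True, 2.0, 0.5),
    RecoveryTest("payments", date(2021, 5, 2), "dr-failover", True, 6.0, 0.5),      # slower than RTO
    RecoveryTest("hr-portal", date(2019, 11, 20), "restore", True, 3.0, 1.0),       # older than a year
    RecoveryTest("hr-portal", date(2021, 1, 15), "dr-failover", False, None, None),  # failed test
]

def run_audit(as_of: date = date(2021, 6, 1)) -> List[str]:
    return [f for t in TARGETS for f in audit_service(t, TESTS, as_of)]

if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```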
Thank you for watching the video. Do provide your feedback and subscribe to the channel for upcoming videos. Thank you.