The ability to respond to a natural or man-made threat, ensure continuity of business operations, and protect personnel and assets in the event of a disaster or business disruption is the primary objective of any business continuity management (BCM) program. Hello, and welcome to Information Security Governance, Risk, and Compliance. My name is Salvadore, and today we will learn how to audit a business continuity management program in 10 steps. Let's get started.

Point number one: Check and verify that a business continuity management policy has been created and is reviewed on a regular basis. Ensure the policy defines roles and responsibilities, workforce training, a framework for setting business continuity objectives, and the organization's risk appetite and tolerance, so that the organization can plan, deliver, and support its capabilities in the event of a business disruption.

Point number two: Make sure a business impact analysis (BIA) has been performed. The BIA should identify the critical products and services and their inherent risks, the likelihood and impact of each risk, the countermeasures to prevent, detect, and react to the identified risks, and the recovery time objective (RTO) and recovery point objective (RPO) for each critical product or service.

Point number three: Ensure a business continuity strategy has been developed to reduce the impact of a disaster, maintain business continuity, and recover from business disruptions within the enterprise risk appetite. Make sure the strategy covers the unavailability of every relevant component, and all activities and processes within scope, whether they run on-premises or in the cloud.

Point number four: Check and verify that a business continuity plan has been created and is reviewed on a regular basis. Ensure the plan consists of the following components: scope of activity, roles and responsibilities, clear lines of communication, recovery procedures, and the criteria for invoking the BCM plan. With respect to cyberattacks, ensure there is a skilled technical incident management team to handle the incidents.

During a pandemic such as the one the world is going through now, users need to perform their functions while working from home. Ensure that endpoint security and secure network communication are effective so that business operations continue smoothly.

Point number five: Check and verify that all relevant documents, such as backup and restoration guidelines, network and architecture diagrams, alternate workarounds for performing business functions, and incident playbooks, are immediately available to support business continuity and operational resilience. Make sure all of these documents are reviewed and updated to reflect any changes that have occurred since the last review.

Point number six: Make sure all business continuity and operational resilience plans are tested at least annually. Check and verify that a tabletop exercise was performed and that a report was generated identifying any shortcomings observed during the exercise. Make sure a call tree exercise was performed to confirm that all users can be reached. Ensure users' contact details are stored and acknowledged, and that all calls and messages were recorded and verified. Check the test reports to verify that the tests were conducted as specified in the resilience plan.

Point number seven: In times of crisis, communication among stakeholders and the relevant entities is key to successfully managing a business disruption. Make sure communication channels are identified and that it is defined how messages reach each relevant party, whether the press, the municipality, or business users. Make sure a response structure is in place to deliver early warnings and ongoing communications to stakeholders.

Point number eight: Business data is a key component of recovery from a disaster or crisis. Make sure a secure backup process is followed so that data remains available in times of crisis. Check sample backup and restoration evidence, including evidence that restores were actually performed and verified, not only that backup jobs completed.

Point number nine: To recover from natural disasters, like flooding or earthquakes, and man-made disasters, like fire, ensure that systems and network devices are housed in environmentally safe data centers and that redundancy is always maintained. Ensure alternate sites, whether hot, warm, or cold sites, are designed according to business requirements and tested for effectiveness.

And finally, point number ten: Check and verify that disaster recovery (DR) activity is tested. Ensure that network failover to the secondary site happens automatically, and that servers and applications run there without any issues.

Thank you for watching the video. Do provide your feedback and subscribe to the channel for upcoming videos. Thank you.