
How to Audit Business Continuity Management. Audit BCM in 10 steps

  • 0:01 - 0:03
    The ability to respond to a natural or
  • 0:03 - 0:06
    man-made threat, ensure continuity of
  • 0:06 - 0:07
    business operations, and
  • 0:07 - 0:10
    protect human resource and assets
  • 0:10 - 0:12
    in the event of a disaster or a business
  • 0:12 - 0:14
    disruption is the primary objective of
  • 0:14 - 0:16
    any business continuity management
  • 0:16 - 0:17
    program.
  • 0:17 - 0:19
    Hello, and welcome to Information
  • 0:19 - 0:22
    Security Governance, Risk, and Compliance.
  • 0:22 - 0:24
    My name is Salvadore, and today we will
  • 0:24 - 0:26
    learn how to audit a business continuity
  • 0:26 - 0:28
    management program
  • 0:28 - 0:29
    in 10 steps.
  • 0:29 - 0:31
    Let's get started.
  • 0:33 - 0:35
    Point number one: Check and verify that a business
  • 0:35 - 0:38
    continuity management policy is created
  • 0:38 - 0:41
    and reviewed on a regular basis.
  • 0:41 - 0:43
    Ensure the policy contains the roles and
  • 0:43 - 0:45
    responsibilities,
  • 0:45 - 0:47
    workforce training, a framework for setting
  • 0:47 - 0:50
    business continuity objectives,
  • 0:50 - 0:52
    and organizational risk appetite and
  • 0:52 - 0:54
    tolerance to plan,
  • 0:54 - 0:56
    deliver, and support capabilities in the
  • 0:56 - 1:00
    event of a business disruption.
  • 1:00 - 1:03
    Point number two: Make sure a business
  • 1:03 - 1:06
    impact analysis is performed.
  • 1:06 - 1:09
    The business impact analysis contains
  • 1:09 - 1:11
    identification of critical products and
  • 1:11 - 1:14
    services with their inherent risks,
  • 1:14 - 1:17
    the likelihood and impact of each risk,
  • 1:17 - 1:20
    countermeasures to prevent, detect, and
  • 1:20 - 1:23
    react to the identified risks,
  • 1:23 - 1:25
    recovery time objectives, and recovery
  • 1:25 - 1:28
    point objectives.
  • 1:28 - 1:30
    Point number three: Ensure a business
  • 1:30 - 1:33
    continuity strategy is developed to
  • 1:33 - 1:35
    reduce the impact of a disaster,
  • 1:35 - 1:38
    ensure business continuity, and recover
  • 1:38 - 1:40
    from business disruptions within the
  • 1:40 - 1:43
    enterprise risk appetite.
  • 1:43 - 1:45
    Make sure that the strategy includes
  • 1:45 - 1:46
    unavailability of all relevant
  • 1:46 - 1:48
    components,
  • 1:48 - 1:50
    and all activities and processes within
  • 1:50 - 1:55
    the scope whether on-premise or on cloud.
  • 1:55 - 1:57
    Point number four: Check and verify that
  • 1:57 - 2:00
    a business continuity plan is created
  • 2:00 - 2:02
    and reviewed on a regular basis.
  • 2:02 - 2:04
    Ensure that the plan consists of the
  • 2:04 - 2:06
    following components:
  • 2:06 - 2:08
    scope of activity, roles and
  • 2:08 - 2:10
    responsibilities, clear lines of
  • 2:10 - 2:11
    communication,
  • 2:11 - 2:14
    recovery procedures, and the basis for
  • 2:14 - 2:16
    BCM invocation.
  • 2:16 - 2:18
    With respect to cyberattacks, ensure
  • 2:18 - 2:20
    there is a skilled incident management
  • 2:20 - 2:24
    technical team to manage the incidents.
  • 2:24 - 2:26
    In the case of a pandemic event like the one the world
  • 2:26 - 2:28
    is going through now, the users need to
  • 2:28 - 2:30
    perform the functions
  • 2:30 - 2:32
    working from home.
  • 2:32 - 2:34
    Ensure endpoint security and network
  • 2:34 - 2:36
    communication are effective to ensure
  • 2:36 - 2:40
    smooth business operations.
  • 2:40 - 2:42
    Point number five: Check and verify that
  • 2:42 - 2:44
    all the relevant documents, such as
  • 2:44 - 2:47
    backup and restoration guidelines,
  • 2:47 - 2:49
    network and architecture diagrams,
  • 2:49 - 2:52
    alternate workarounds for performing
  • 2:52 - 2:54
    business functions, and incident playbooks,
  • 2:54 - 2:57
    are available instantly to support
  • 2:57 - 2:59
    business continuity and operational
  • 2:59 - 3:00
    resilience.
  • 3:00 - 3:02
    Make sure that all the documents are
  • 3:02 - 3:05
    reviewed for any changes that happened
  • 3:05 - 3:08
    previously.
  • 3:08 - 3:10
    Point number six: Make sure all
  • 3:10 - 3:12
    business continuity and operational
  • 3:12 - 3:15
    resilience plans are tested at least
  • 3:15 - 3:16
    annually.
  • 3:16 - 3:19
    Check and verify that a tabletop exercise
  • 3:19 - 3:21
    was performed, and the report generated
  • 3:21 - 3:23
    to identify whether there were any
  • 3:23 - 3:26
    shortcomings during the call.
  • 3:26 - 3:28
    Make sure that a call tree exercise was
  • 3:28 - 3:29
    performed
  • 3:29 - 3:31
    to ensure the communications with all
  • 3:31 - 3:33
    users.
  • 3:33 - 3:36
    Ensure users' contacts are stored and
  • 3:36 - 3:38
    acknowledged, and that all calls and messages
  • 3:38 - 3:42
    were recorded and verified.
  • 3:42 - 3:44
    Check and verify the stress reports to
  • 3:44 - 3:46
    identify that the tests were conducted
  • 3:46 - 3:49
    as per the resilience plan.
  • 3:50 - 3:51
    Point number seven:
  • 3:51 - 3:53
    In times of crisis, communication among
  • 3:53 - 3:56
    stakeholders and the relevant entities
  • 3:56 - 3:58
    is key to successfully managing business
  • 3:58 - 4:00
    disruption.
  • 4:00 - 4:02
    Make sure that communication lines
  • 4:02 - 4:04
    are identified and how the communication
  • 4:04 - 4:06
    is sent to the relevant parties,
  • 4:06 - 4:08
    whether it be the press, municipality, or business
  • 4:08 - 4:10
    users.
  • 4:10 - 4:12
    Make sure that a response structure is
  • 4:12 - 4:14
    developed to communicate early warnings
  • 4:14 - 4:17
    and communications to the stakeholders.
  • 4:19 - 4:20
    Point number eight:
  • 4:20 - 4:22
    Business data is a key component to
  • 4:22 - 4:24
    recover from a disaster or a crisis
  • 4:24 - 4:26
    situation.
  • 4:26 - 4:28
    Make sure that a secure backup data
  • 4:28 - 4:28
    process
  • 4:28 - 4:31
    is followed for storing data in times
  • 4:31 - 4:33
    of crisis.
  • 4:33 - 4:35
    Check sample backup and restoration
  • 4:35 - 4:37
    evidence.
  • 4:39 - 4:41
    Point number nine: To recover from a
  • 4:41 - 4:43
    natural disaster, like flooding or
  • 4:43 - 4:45
    earthquakes, and other man-made disasters
  • 4:45 - 4:47
    like fire,
  • 4:47 - 4:49
    ensure that systems and network devices
  • 4:49 - 4:51
    are housed in environmentally safe data
  • 4:51 - 4:54
    centers, and that redundancy is always
  • 4:54 - 4:56
    maintained.
  • 4:56 - 4:58
    Ensure alternate sites, like hot, warm, or
  • 4:58 - 5:00
    cold sites, are designed according to
  • 5:00 - 5:03
    business requirements and tested for
  • 5:03 - 5:05
    effectiveness.
  • 5:05 - 5:07
    And finally, point number ten: Check and
  • 5:07 - 5:10
    verify that a DR or disaster recovery
  • 5:10 - 5:12
    activity is tested.
  • 5:12 - 5:13
    Ensure that
  • 5:13 - 5:15
    network switching happens automatically
  • 5:15 - 5:18
    to secondary sites,
  • 5:18 - 5:20
    and servers and applications run without
  • 5:20 - 5:22
    any issues.
  • 5:23 - 5:24
    Thank you for watching the video.
  • 5:24 - 5:27
    Do provide your feedback and subscribe
  • 5:27 - 5:28
    to the channel for
  • 5:28 - 5:29
    upcoming videos.
  • 5:29 - 5:31
    Thank you.
Video Language:
English
Duration:
05:33

English subtitles