How can we create a business continuity plan?
Any organization is exposed to incidents that can cause a stoppage of activity and become an obstacle to business continuity.
Hence the need to establish plans with response actions that make it possible to control these events and their effects through a Business Continuity Plan or Business Continuity Management System.
How can a Business Continuity Management System implementation help our company?
Having a Business Continuity Management System (BCMS) implemented gives the organization the ability to survive events that may have a negative impact and jeopardize the continuity of its activity: pandemics, cyberattacks, fires, earthquakes, floods, etc.
How can we develop a Business Continuity Management System?
ISO 22301, developed and published by the International Organization for Standardization (ISO), serves as a common framework for implementing and maintaining a Business Continuity Management System.
Main steps or stages for implementation:
- 1. Determine the scope: identify the organization's business processes that are to be covered by the BCMS.
- 2. Carry out a Business Impact Analysis (BIA) of each process in scope, to determine the criticality of each. It covers the following aspects:
  - Criticality determination: studying the different types of impact (operational, financial, legal, reputational, etc.) that the interruption of the business process would have as time goes by;
  - The requirements, in terms of both time and resources, for the continuity of activity and the return to normality: human resources, infrastructures, suppliers, services, machinery, technologies used, recovery times, maximum tolerable period of service interruption, minimum service recovery levels, etc.
- 3. Carry out a Risk Analysis, consisting of:
  - determining the potential threats to the assets to which the organization is exposed;
  - determining the risk level of each threat, evaluating its probability of occurrence and the impact it would cause if it occurred. A high risk indicates that business continuity for that asset is a concern;
  - establishing a Risk Treatment Plan, consisting of the implementation of controls, usually preventive, that help to reduce the probability of the threats occurring.
- 4. Based on the results of the Risk Analysis, identify possible crisis scenarios and establish the recovery strategy for each one of them.
- 5. Create and document detailed response and recovery plans for the critical scenarios identified, including the steps to be taken from the reporting of the incident to the return to normal. Their aim is to avoid absent or improvised decision-making that can make the situation worse or irreversible.
- 6. Run tests and exercises of the response and recovery plans, to verify that they really work and are adequate. Reports will be produced that include the results obtained and the incidents that have arisen.
- 7. Carry out reviews and audits of the Management System to guarantee that it is maintained and updated and that corrective measures are established. This is how its continuous improvement is achieved.
- 8. Awareness: implement measures that promote staff awareness of business continuity and knowledge of the established plans.
Finally, with a Business Continuity Management System in place, any organization, regardless of sector or size, can be prepared to confidently face a security incident that may affect its activities, gaining greater security and a greater ability to respond to any eventuality.
At Globalsuite Solutions we provide the help and advice needed to implement your Business Continuity Management System and obtain your certification. In addition, we have the GlobalSUITE® software, fully developed by our team, which allows the implementation, management and maintenance of all the requirements of the ISO 22301 standard in all types of organizations and sectors.