A business continuity plan in information technology is a documented plan indicating how a business will continue to operate if IT operation is affected by adverse conditions, such as a storm, fire, interruptions or malicious damage. Such a plan typically explains how the business would operate at the time of disaster and recover from disaster.
In December 2006, the British Standards Institution (BSI) released an independent standard for BCP — BS 25999-1. Prior to the introduction of BS 25999, BCP professionals relied on information security standard BS 7799, which only peripherally addressed BCP to improve an organization’s information security procedures. BS 25999’s applicability extends to all organizations. In 2007, the BSI published BS 25999-2 “Specification for Business Continuity Management”, which specifies requirements for implementing, operating and improving a documented business continuity management system (BCMS).
Which one you need? Business Continuity or Disaster Recovery?
If you ask me, I would prefer to have a Business Continuity Plan that includes a disaster recovery with a smooth fail-over and fail-back option and a service continuity procedures as if disaster never happened.
Most organization will presume that they have Symantec/CommVault/Veeam Backup which protect them from disaster hence they have a disaster recovery plan. This is not the case “Disaster Recovery Plan” or “Business Continuity Plan” does not mean having just only a backup product and presume you have it all.
Note! Disaster Recovery is just part of Business Continuity. My previous post on disaster recovery plan differentiate between disaster recovery and business continuity.
Objectives:
- To ensure maximum possible service levels are maintained
- To ensure a smooth recovery from interruptions as quickly as possible
- To minimize the likelihood and impact (risk) of interruptions
- To minimize IT/IS service desk intervention with end user in the event of disaster
Identifying Risk (Example):
Create a spreadsheet and a database of business application, systems, network and other assets that likely be impacted by an event. Here is a sample spread sheet.
List of Assets | Disaster/Event Priority | Action ID | Responsibility | Procedure Document ID | Mitigation Procedure Document ID |
Microsoft Exchange Server | Medium | EXCH0001 | Exchange Admin | IT-EXCH-DR-001 | IT-EXCH-BC-001 |
Technology Acquisition as BC Plan (Example):
Technology | Provider | Purpose | Contract Reference | Warranty & Support |
Smart Host | Symantec | Backup MX and email archive up to 30 days | XX-SS-XX | 3 Years |
Site Recovery Manager | VMware | Infrastructure Fail-over & Fail-back | XX-SS-XX | 3 Years |
Storage Replication | EMC | Infrastructure Fail-over & Fail-back | XX-SS-XX | 3 Years |
Data Backup | EMC | Bare Metal Instant Recovery | XX-SS-XX | 3 Years |
SQL Cluster | Microsoft | Active-Active cluster | Enterprise Agreement | 3 Years |
SharePoint Cluster | Microsoft | Active-Active cluster | Enterprise Agreement | 3 Years |
Risk Work Sheet (Example):
Risk | Loss of Building |
Probability | Low |
Impact | High |
Likely Scenario | Fire |
Action |
|
Responsibility | List of onsite engineer
List of on call Engineer Service Delivery Manager Operation Manager |
Mitigation | Test controlled fail-over
Test clustered systems and network Monitor health of the systems and network |
Resources | List of documents and location where they stored |
Third Party Contact (Example):
Technology | Vendor | Technical Support |
Microsoft Exchange | Microsoft | 132058 |
IPVPN Provider | Company X | Xxxxxx |
Smart Host | Symantec | Xxxxxx |
IT Contact List (Example):
Name | Designation | Contact Number | Email Address |
Mr. X | XX | 12345678 |
Business Continuity Document: A Business Continuity Plan contain the following information. An example is shown below.
- Title
- Sub-Title
- Corporate Logo
- Document history.
- Corporate Copyright Info
- Table of Content
- Executive Summary
- Introduction
- Terminology
- Roles and responsibilities.
- Risk Management Plan
- Business Impact Analysis
- Incident Response Plan
- Plan activation.
- Communication Procedures
- Logic Diagram
- Recovery Plan
- Test & Evaluate
- Appendixes.