May 23, 2018

Last Updated on January 12, 2024

One of the most important elements of a business impact analysis (BIA) or other business continuity planning exercises is identifying each function’s critical records.  The survival of your business may depend on the availability of critical records.  Without them, there may be no recovery in the event of a disaster.
Which are your critical records and where are they stored?  How long can you live without them?  And what’s your backup plan if they’re not available?

Critical Records Management

Most business continuity planning clients I talk to state their critical records are readily available in digital form on the network.  But if the network isn’t available due to a disaster, those critical records won’t be available either.
In the case of electronic records that are hosted in a document management system or another repository (e.g., SharePoint), hopefully, that repository is properly backed up and the backups are accessible even if the network is down.  But has anybody checked those backups lately?  You need to periodically verify that the backups contain what you expect and that they will be accessible should a disaster occur.
Critical records can fall within a very broad spectrum, from network recovery procedures to a contact list of key clients/stakeholders. If your critical records aren’t available, the impacts may vary from not being able to notify key stakeholders, to not having the procedures to correctly and securely recover your network, to not having your key references.  The list goes on.
Even with experience, it can be very challenging to identify critical records, especially given the volume of data organizations must deal with.  Take a non-IT, “non-critical” function like sales and marketing.  What’s the impact if you can’t recover your marketing strategy?  What about the customer list stored in your CRM system?  How long can you continue operations if your sales function is partially or completely offline pending recovery of critical systems that allow you access to critical records?
If you haven’t done adequate analysis around identification and availability of your critical records, then you’re flying blind.  That’s a potential crisis on top of the crisis you’re trying to recover from because you don’t know what you’ve set yourself up for.
Planning for recovery of critical records in a disaster isn’t particularly sexy or high-tech.  But if you fail to plan effectively, you might create a gaping hole in your recovery capability.  As with everything recovery-related, what you don’t know is what’s really going to hurt you.
To start a conversation on how best to identify your critical records and ensure they’re at your fingertips when you need them, contact Pivot Point Security.
