Business Continuity Management
What is Business Continuity Management?
Business Continuity Management (BCM) is the holistic process designed to ensure that normal business operations continue whenever disruptive incidents happen by improving organizational resilience. The goal of any BCM is to provide the organization the ability to respond effectively to a range of threats that could impact normal business activities.
It’s more than just understanding your organization; it’s understanding the interoperability and how it all fits together. It’s also how the processes interact and how data flows between systems to support the functions of your organization. It’s being able to look at your organization from a different angle. The biggest challenge we see for most of our clients is finding the time and resources to map it all out, especially because Business Continuity is very important – but generally only urgent when it’s too late.
You are probably reading this for one of three reasons:
- A customer or business partner has requested that your organization provide them with proof that you have a viable continuity capability (e.g., an ISO-22301 certificate or a copy of your Business Continuity Plan).
- A threat (e.g., an outage, hurricane, flood, chemical spill, ransomware attack) has raised your awareness of business continuity risks and you are looking to establish or improve your ability to provide services to your customers regardless of a disruption.
- Your Risk Management Group has identified your lack of a recovery capability to be an unacceptable risk to your organization.
For many customers, Business Continuity Planning feels a bit like life insurance: something that costs a lot and provides little value. However, leveraged properly it can give your organization a competitive advantage (e.g., marketing, the ability to operate fully in a disaster where your competitors can’t). It can also be an advantage to you and your management team, as there is precedent that management may be held liable for an organization’s failure to recover gracefully from an issue of note. The biggest advantage may be that you are in the 6% of organizations who actually survive a disaster of note.
The key to our work together is understanding: understanding your business, understanding your clients, understanding your risks, and understanding your culture, so that what we develop is tailored to your specific objectives and integrated into what you do and how you do it.
Before a business continuity management system can be designed, or an existing system improved, the process of analyzing or “assessing” the existing control environment must occur. Assessments provide a baseline of understanding so that a solid roadmap can be developed. Pivot Point Security’s Business Continuity Assessment activities may include:
Overall Program Assessment – Takes a high-level view of the overall program to identify what has been done, and investigates potential gaps in the program. If no program exists, the assessment begins the process of defining what kind of BCMS and ITCMS program will provide the best value for money.
Compliance Assessment – For existing BCMSs and ITCMS programs, this assessment compares the existing program against established standards, provides a gap analysis of compliance with the standards and recommends steps to achieve compliance.
Operational Assessment – Examines current BC/DR policies, plans, procedures, documentation and activities in greater detail to ensure they are consistent with good business continuity practice, and to recommend steps for improved performance.
Leveraging our proven processes, we work as an extension of your team, helping you ensure your objectives are clearly defined, realistic and executable. We will help you develop a system that meets your current needs and logically evolves as those needs change. We will work with you to socialize your recovery program so your people are empowered to respond effectively, through training, exercises, and a complete knowledge transfer.
Business Continuity As a Service
Threats change. The services you provide and the clients you serve change. Technology & key vendors change. Personnel and business objectives change. Your BCMS needs to evolve to ensure that it reflects these changes.
If you are short on resources, we can work as an extension of your team to ensure that your Continuity Plans stay current and are tested so that they will work when called upon.
Formal Business Continuity Management System
A business continuity management system (BCMS) is the structured entity from which an organized business continuity and disaster recovery program emerges. Included within the BCMS are policies, guidance, procedures and standards to:
- Prepare for an unplanned and potentially disruptive incident
- Recognize and respond to the incident as it unfolds
- Recover from the event to a point where your business can restart operations, and
- Resume a business as usual position.
ISO 22301, the global standard for business continuity management, and its companion document ISO 22313 provide the foundation for Pivot Point Security’s business continuity management program. Likewise, the ISO 27031 standard for technology disaster recovery is the foundation standard for PPS Information Continuity consulting services. Where applicable we may also leverage NIST SP 800-34, the FFIEC Business Continuity Handbook, and the Business Continuity Institute’s Good Practice Guidelines.
Our Business Continuity Management System Practice Area conforms to the ISO 22301 Plan-Do-Check-Act model:
Plan (Establish) – Establish business continuity policy, objectives, targets, controls, processes and procedures relevant to improving business continuity to deliver results that align with the organization’s overall policies and business objectives.
Do (Implement and operate) – Implement and operate the business continuity policy, controls, processes and procedures through the use of business impact analyses, risk assessments, defining business continuity strategies, conducting training and awareness activities, and developing and exercising plans.
Check (Monitor and review) – Monitor, audit and review BCMS performance against business continuity policy and objectives, report the results to management for review, and determine and authorize actions for remediation and improvement.
Act (Maintain and improve) – Maintain and improve the BCMS by taking corrective action and providing continuous improvement, based on the results of management review and reappraising the scope of the BCMS and business continuity policy and objectives.
Finding the Answers to your Questions
Being demonstrably resilient requires a broad understanding of Information Security as a whole and of key sub-components including Business Continuity, Third Party Risk Management, & Incident Response. That is why PPS has assembled a broad team of subject matter experts across these disciplines. This simplifies your approach, as you have the option to leverage a single resource to manage all of your information-related risk. The process of looking for answers often initially yields more questions. If we can be helpful, we are happy to talk through your challenges.