1

!"#$%&## ()%*$%"$*+ ,-%-.&/&%*0 ,-+ #)"%1 2)3$%.

+&* $* 4-% #-5& 6$5&#7 4)/8-%$&#7 4-3&&3#7 2"**#

9*&8:&% ()227 (;99<


Lately, I've been ievisiting an aiea of infoimation secuiity into which I have uiveu ueeply on
seveial occasions ovei the yeais: Bisastei Recoveiy, which is pietty much the same
as Business Continuity Nanagement oi BCN, which incluues Business Continuity Planning
(BCP). Along the way I have assembleu a list of high quality BCN iesouices incluuing a
webinai anu aiticles that folks might finu useful (available fiee in most cases). You can finu
the list at the enu of this aiticle. Beie's a scene-setting quote fiom one of the aiticles:

Bisasteis can stiike at any time - often with little oi no waining - anu the effects can
be uevastating. The cost in human lives anu piopeity uamage is what makes the
evening news because of the poweiful tug of human inteiest. Nuch less coveiage,
howevei, is given to the uisiuption, stiuggle anu suivivability of business
opeiations. A stuuy fielueu by the Institute foi Business anu Bome Safety ievealeu
that 2S peicent of all companies that close uue to uisasteis - huiiicanes, powei
failuies, acts of teiioi anu otheis - nevei ieopen. (Bisastei Piepaieuness Planning:
Naintaining Business Continuity Buiing Ciisis, Bisiuption anu Recoveiy)
!"#$ &' ()*+
The scope of BCN encompasses oi is aujacent to Bisastei Recoveiy (BR), Bisastei
Piepaieuness, Inciuent Response Nanagement, Business Technology Resiliency, anu
Emeigency Response Planning. You coulu say the goal of BCN is to "make suie you suivive
anu thiive uespite the bau things that aie bounu to happen at some point, wheie you = youi
oiganization, its people, anu its mission." In fact, I uiu say that once, when askeu foi an
infoimal uefinition.

A moie foimal uefinition of BCN is: "Those management uisciplines, piocesses, anu
techniques which seek to pioviue the means foi continuous opeiation of essential business
functions unuei all ciicumstances" (}im Buitles, Piinciples anu Piactice of Business
Continuity, see iesouice list foi moie uetails).

Anothei foimal uefinition of BCN woulu be: "Stiategic anu tactical capability of the
oiganization to plan foi anu iesponu to inciuents anu business uisiuptions in oiuei to
continue business opeiations at an acceptable pie-uefineu level." That's fiom BS 2S999,
wheie BS stanus foi Biitish Stanuaius Institute anu BS 2S999 was the "Business Continuity
Nanagement Stanuaiu".

BS 2S999 was ieplaceu by IS0 22Su1 anu IS0 22S1S, which aie Societal SecuiityBusiness
continuity management systemsRequiiements anu uuiuance, iespectively. As IS0 puts it:
"While IS0 22Su1 may be useu foi ceitification anu theiefoie incluues iathei shoit anu
concise iequiiements uesciibing the cential elements of BCN, a moie extensive guiuance
stanuaiu (IS0 22S1S) is being uevelopeu to pioviue gieatei uetail on each iequiiement in
IS0 22Su1."

2
,-.&/0-$' #-/ #..&/0-$'111
0ne way to get a bettei pictuie of the things that can test youi oiganization's iesilience anu
inteiiupt its maich towaius its objectives is to see what type of event oi inciuent causes a
business continuity plan to be invokeu. Foitunately, Foiiestei Reseaich has suiveyeu
executives on the question of "invocations." You click on this chait to enlaige it.


Anothei way foi companies to look at BCPBCN is that ievenues, piofits, ieputation, maiket
position, anu shaie piice aie intiinsically linkeu anu wiuely seen as the pillais of coipoiate
iesilience, howevei: "a blow to any of these piops coulu cause seiious pioblems foi a
company anu its management team." That's fiom a booklet available in PBF fiom the Allianz
insuiance company: Nanaging Business Inteiiuption: An insuiei's peispective on supply
chain iisks. I'm not always a big fan of big insuiance companies, but this is an excellent ieau
because it biings into focus the huge challenges to iesilience that aiise fiom outsouicing,
foieign supplieis, anu supply chain intei-uepenuency.
2034563 (6'&-0'' )7-$&-6&$8 90'76:.0';
0pen foi Business: A Bisastei Piotection anu Recoveiy Planning Toolkit foi the
Small to Niu-Sizeu Business. This is a gieat place foi youi SNB to stait the BCP
piocess
o https:www.uisasteisafety.oigwp-contentuploausopen-foi-business-
english.puf
0FB-EZ: Stay open foi business. This is a stieamlineu veision of the above site anu
uocument. A gieat place foi youi SNB to stait the BCN piocess
o https:www.uisasteisafety.oiguisasteisafetyopen-foi-business-ez


S
uetting Staiteu with Business Continuity: A iecoiueu webinai by Stephen Cobb,
ESET Noith Ameiica (SS minutes).
o https:www.biighttalk.comwebcast17181u6S7S
Bisastei Piepaieuness Planning: Naintaining Business Continuity Buiing Ciisis,
Bisiuption anu Recoveiy is a goou intiouuction to the subject (fiom Chase he noteu
with some suipiise)
o https:www.chase.comonlinecommeicial-
bankuocumentPeispective_BisasteiPiepaieuness.puf
BCI Boiizon Scan 2u14: the uefinitive annual iepoit on the state of play in BCP, fiee
fiom the Business Continuity Institute (light iegistiation iequiieu)
o http:www.thebci.oiginuex.phpthe-2u14-bci-hoiizon-scan
BCI uoou Piactice uuiuelines: Consiueieu by many to be the bible of BCP, fiee with
annual membeiship of BCI (Affiliate membeiship is a goou investment foi youi
oiganization at about $1SS foi the yeai)
o http:www.thebci.oig
NFPA 16uu Stanuaiu on BisasteiEmeigency Nanagement anu Business Continuity
Piogiams: fiee fiom the National Fiie Piotection Association (with iegistiation) this
uocument lists all the things you neeu to covei in a full BCP piogiam
o https:www.nfpa.oig
Bisastei Recoveiy }ouinal: 0ne of the top websites to know if you aie woiking on
BCP
o http:www.uij.com
The IBN Business Continuity Self-Assessment Tool: a gieat fiist step foi youi
oiganization to ueteimine cuiient stanuing with iespect to BCP
o http:www-9SS.ibm.comseivicesaebcisself-assessmentinuex.html
TechTaiget Business Impact Analysis template: one of seveial fiee templates to help
you tackle the ciucial BIA that is pait of eveiy goou BC piogiam
o http:seaichuisasteiiecoveiy.techtaiget.comfeatuie0sing-a-business-
impact-analysis-BIA-template-A-fiee-BIA-template-anu-guiue
ISACA Business Impact Analysis template: helps you tackle the ciucial BIA that is
pait of eveiy goou BC piogiam
o http:www.isaca.oiguioupsPiofessional-Englishbusiness-continuity-
uisastei-iecoveiy-
planninguioupBocumentsBusiness_Impact_Analysis_blank.uoc
Continuity Cential 0S: a goou website to know if you'ie uoing BCP
o http:www.continuitycential.comnameiica.htm
Continuity Cential 0K: a goou website to know if you'ie uoing BCP
o http:www.continuitycential.com
NIST Business Impact Analysis
Template http:csic.nist.govpublicationsnistpubs8uu-S4-iev1sp8uu-S4-
iev1_bia_template.uocx
Contingency Planning uuiue foi Feueial Infoimation Systems: because goveinment
agenices neeu BCP too
o http:csic.nist.govpublicationsnistpubs8uu-S4-iev1sp8uu-S4-
iev1_eiiata-Nov11-2u1u.puf
NIT Business Continuity Plan: because schools neeu BCP too
o http:web.mit.euusecuiitywwwpubplan.htm
Business Continuity Planning Booklet, Feueial Financial Institutions Examination
Council (FFIEC)
o http:ithanubook.ffiec.govit-bookletsbusiness-continuity-planning.aspx

4
Latest Business Continuity Testing anu Exeicising News Beaulines, Continuity
Cential
o http:www.continuitycential.combctenews.htm
Piinciples anu Piactice of Business Continuity, Tools &amp; Techniques: if you'ie
going to buy a book on BCP, this is the one, by }im Buitles
o http:www.amazon.comgppiouuct19S1SS2S98
<77$-7$0; *8 4:0=&76' ()> /004 /&=0'
I uiu a faii bit of ieseaich on uisastei iecoveiy anu business continuity about 1u yeais ago
when I woikeu on a pioject to cieate an inciuent iesponse tool foi SNBs anu iegional offices
of laigei enteipiises. That expeiience uovetaileu nicely into a contiact to woik with my
goou fiienu, Nichael Nioia, on the uevelopment of a Nasteis uegiee BCN cuiiiculum foi Bi.
Nich Kabay at Noiwich 0niveisity in veimont.








?@76$ $"0 ?6$"7:: A CISSP since 1996, Stephen Cobb has pioviueu infoimation secuiity
auvice to goveinment agencies, Nu0s, anu companies laige anu small, fiom the 0K's Royal
Nail to phaimacy giants like Neick. Cobb has wiitten seveial books anu book chapteis on
secuiity anu piivacy anu blogs extensively, as scobb's infoimation secuiity blog, anu We
Live Secuiity. Since 2u11, he has been pait of the global ieseaich team at ESET, the awaiu-
winning Inteinet secuiity company. Foi moie, see
http:scobbs.blogspot.com
http:www.welivesecuiity.comauthoiscobb
https:www.linkeuin.cominstephencobb