
[ORGANIZATION]

[ORGANIZATION LOGO]

INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT PROCEDURE
[LOGO] Document ID: [ORGANIZATION] ISMS-L2-Procedure 17- Information Security aspects of Business Continuity Management Procedure

DOCUMENT CONTROL

DOCUMENT NAME: Information Security aspects of Business Continuity Management Procedure

DOCUMENT ID REFERENCE: [ORGANIZATION] ISMS-L2-Procedure-17- Information Security aspects of Business Continuity Management

AUTHORIZATION:

                 Prepared By        Reviewed By        Authorized By
Name:
Designation:     Internal Audit

SECURITY CLASSIFICATION: Internal


Version History:

Version        Issue Date     Effective Date     Description
Version 1.1
Version 1.2
Version 1.3
Version 1.4

DISTRIBUTION LIST:
The following persons hold copies of the document; all amendments and updates to the document must be distributed
to the Distribution List.

Sr. No.  Name                                                    Location                     Document Type
1                                                                [ORGANIZATION], [Location]   Soft Copy, Hard Copy
2        (Internal Audit)                                        [ORGANIZATION], [Location]   Soft Copy
3        (Internal Audit)                                        [ORGANIZATION], [Location]   Soft Copy
4        (Internal Audit)                                        [ORGANIZATION], [Location]   Soft Copy
5        All [ORGANIZATION] in scope Locations and hired staff   [ORGANIZATION], [Location]   Soft Copy
6        All third parties and vendors (when required)           [ORGANIZATION], [Location]   Soft Copy
Confidentiality: Internal

This document contains restricted information pertaining to [Organization]. The access level for the document is specified above. The addressee should honour these access rights by preventing intentional or accidental access outside the access scope.

Disclaimer:
This document is solely for the information of [Organization] and should not be used, circulated, quoted or otherwise referred to for any other purpose, nor included or referred to in whole or in part in any document without our prior written consent.

Contents
1 BUSINESS CONTINUITY MANAGEMENT.......................................................................................................... 4
1.1 INFORMATION SECURITY REQUIREMENTS........................................................................................................... 4
1.1.1 Including information security in the business continuity management process......................................4
1.1.2 Business continuity and risk assessment................................................................................................ 4
1.1.3 Developing and implementing continuity plans........................................................................................ 4
1.1.4 Business continuity planning framework.................................................................................................. 5
1.2 Testing, maintaining and re-assessing the business continuity plan..............................................................6


1 Business Continuity Management


A business continuity management process should be implemented to minimize the impact on the organization
and recover from loss of information assets (which may be the result of, for example, natural disasters, accidents,
equipment failures, and deliberate actions) to an acceptable level through a combination of preventive and
recovery controls.

1.1 Information Security Requirements

1.1.1 Including information security in the business continuity management process


A managed process should be maintained for business continuity throughout the organization, addressing the following elements:
• Understanding the risks faced by the organisation in terms of likelihood and impact, including identification and prioritisation of the critical business processes.
• Understanding the impact that interruptions caused by information security incidents are likely to have on the business and information processing facilities of the organization.
• Dedicating sufficient financial, technical and organizational resources to address the identified information security requirements.
• Integrating the management of business continuity into the organization's processes and structures.

1.1.2 Business continuity and risk assessment


• Information security requirements should be identified based on the events that can cause interruptions to the organization's business processes.
• A risk assessment should then be performed to determine the probability and impact of such interruptions in terms of time, damage scale and recovery period.
• Business continuity risk assessments should be carried out with full involvement from owners of business resources and processes. This assessment should consider all business processes and should not be limited to the information processing facilities, but should include the results specific to information security.
• The assessment should identify, quantify, and prioritize risks against criteria and objectives relevant to the organization, including critical resources, impacts of disruptions, allowable outage times, and recovery priorities.

1.1.3 Developing and implementing continuity plans


• The business continuity plan should address the following requirements:
  o Identification and delegation of all responsibilities and business continuity procedures.
  o Identification of the acceptable loss of information and services.
  o Implementation of the procedures to allow recovery and restoration of business operations and availability of information in the required time-scales, based on contractual obligations.
  o Operational procedures to follow pending completion of recovery and restoration.
  o Documentation of agreed procedures and processes.
  o Appropriate education of staff in the agreed procedures and processes, including crisis management.
• The planning process should focus on the required business objectives, e.g. restoring specific services to customers in an acceptable amount of time.
• The services and resources facilitating this should be identified, including staffing, non-information processing resources, as well as fallback arrangements for information processing facilities. Such fallback arrangements may include arrangements with third parties in the form of reciprocal agreements.
• Business continuity plans should address organizational vulnerabilities and therefore may contain sensitive information that needs to be appropriately protected.
• Copies of business continuity plans should be stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site.
• Management should ensure that copies of the business continuity plans are up-to-date and protected with the same level of security as applied at the main site. Other material necessary to execute the continuity plans should also be stored at the remote location.

1.1.4 Business continuity planning framework


• Each business continuity plan should describe the approach to ensure information or information system availability and security.
• Each plan should also specify the escalation plan and the conditions for its activation, as well as the individuals responsible for executing each component of the plan.
• When new requirements are identified, the existing emergency procedures, e.g. evacuation plans or fallback arrangements, should be amended appropriately.
• Procedures should be included within the organization's change management program to ensure that business continuity matters are always addressed appropriately.
• Each plan should have a specific owner.
  o Emergency procedures, manual fallback plans, and resumption plans should be within the responsibility of the owners of the appropriate business resources or processes involved.
  o Fallback arrangements for alternative technical services, such as information processing and communications facilities, should usually be the responsibility of the service providers.
• The following elements should be included in the business continuity plan:
  o The situations for activating the plans, which describe the process to be followed (e.g. how to assess the situation, who is to be involved) before each plan is activated.
  o Emergency procedures, which describe the actions to be taken following an incident that jeopardizes business operations.
  o Fallback procedures, which describe the actions to be taken to move essential business activities or support services to alternative temporary locations and to bring business processes back into operation in the required time-scales.
  o Temporary operational procedures to follow pending completion of recovery and restoration.
  o Resumption procedures, which describe the actions to be taken to return to normal business operations.
  o A maintenance schedule, which specifies how and when the plan will be tested, and the process for maintaining the plan.
  o Awareness, education, and training activities, which are designed to create understanding of the business continuity processes and ensure that the processes continue to be effective.
  o Responsibilities of the individuals, describing who is responsible for executing which component of the plan. Alternates should be nominated as required.
  o The critical assets and resources needed to be able to perform the emergency, fallback and resumption procedures.


1.2 Testing, maintaining and re-assessing the business continuity plan


• Business continuity plan tests should ensure that all members of the recovery team and other relevant staff are aware of the plans and their responsibility for business continuity and information security, and know their role when a plan is invoked.
• The test schedule for the business continuity plan should indicate how and when each element of the plan should be tested. Each element of the plan should be tested annually. (Refer: L3 - Business Continuity Management Test Plan.xls)
• Responsibility should be assigned for regular reviews of each business continuity plan. The identification of changes in business arrangements not yet reflected in the business continuity plans should be followed by an appropriate update of the plan. This formal change control process should ensure that the updated plans are distributed and reinforced by regular reviews of the complete plan.

References

L3 - Business Continuity Management Test Plan
