Train staff
[NIST 800-34] advises that training for personnel with Business Continuity responsibilities should complement testing. Training should be provided at least annually; new staff who will have plan responsibilities should receive training shortly after they are hired. Ultimately, personnel must be trained to the point that they are able to execute their respective incident response and incident management procedures without the aid of the documents.
Training should encompass:
- Purpose of the plan
- Cross team co-ordination and communication
- Reporting procedures
- Security arrangements
- Team specific processes
- Individual responsibilities
[TR 19:2005] recommends that training also be aimed at specific groups, namely:
Target | Description |
---|---|
All staff | Basic awareness training which gives the staff an insight into basic Business Continuity and informs them about their Business Recovery Plans and what will happen to them during an incident |
Management Team | Management training to inform managers about the overall incident response and management, the purpose of their Business Recovery Plans, what they will be expected to do during an incident and how they will implement their plans |
Business Continuity and Incident Personnel | Specialised training to train all staff involved in incident response, management and recovery. This will probably involve a number of different training courses. Scenario exercises as mentioned in Section 12.1 are a good way of training staff following a classroom session. |
Examples of the types of training courses which could be delivered to the staff in the third group are:
- Evacuation
- Media communications (aimed at spokespeople)
- Establishing an Incident Room
- Managing an incident
- Crisis communications
- Working from alternate sites
Training should also be provided for the staff who will form the Business Continuity Management Team, which should cover:
- Programme management
- Conducting a BIA
- Designing and implementing BCPs
- Risk and threat evaluation
- Designing tests and exercises
The Business Continuity training programme should be embedded within the organisation’s training and development programme and form part of staff personal development plans. Details of the specific training and its frequency (taking into account refresher training as well as training new members of the team) should be included in a Training Manual that is part of the organisation’s training portfolio.
Ideally, general Business Continuity training is included within the induction programme so that all staff are made aware of Business Continuity from the start of their career.