This website has been constructed to fulfil the objective of the European Network and Information Security Agency (ENISA) to: “Promote Risk Assessment and Risk Management methods to enhance the capability of dealing with network and information security threats” [ENISA Regulation]. As continuity risks are considered to be amongst the most important faced by many organisations and businesses, ENISA decided to invest its efforts in the promotion of methods, tools and good practices for continuity management. As the main focus of the Agency is on Network and Information Security, the context of this work is Information Technology and closely related areas.
Business processes are increasingly linked together via information and communication technology. This is accompanied by increases in the complexity of the technical systems and by a growing dependence on the correct operation of the technology (BSI Standard 100-2: 2005) [IT Grundschutz].
Through an organisation’s Risk Management process it is likely that continuity risks will be identified. These risks can be managed to reduce their likelihood and/or impact, but it may be necessary to have plans in place to deal with the effects of the risk should it occur.
Business Continuity is the term applied to the series of management processes and integrated plans that maintain the continuity of the critical processes of an organisation, should a disruptive event take place which impacts the ability of the organisation to continue to provide its key services. ICT systems and electronic data are crucial components of the processes and their protection and timely return is of paramount importance.
Business Continuity (BC) is now recognised as an integral part of good management practice and corporate governance.
The need for Business Continuity has expanded in recent years following incidents (malicious acts, terrorist attacks and environmental disasters) which have disrupted large enterprises and forced many smaller ones to cease trading. Government legislation, e.g. Sarbanes-Oxley [SOX] in the US, Bill 198 in Canada [BILL 198] (both target the private sector), the Civil Contingencies Act (2004) [CC ACT] in the UK and the Presidential Decision Directive 67 [PDD 67] in the USA (which establishes the need for Continuance of Government), states the requirement for Business Continuity although it does not detail a particular methodology.
Regulatory bodies also influence the requirement for BC; for example, the regulations of the Financial Services Authority [FSA] in the UK state the acceptable period for call centres to be unavailable, letters to remain unanswered, etc. There are many similar financial bodies throughout the world, each with its own regulatory requirements. In Australia this led to the requirement for APS232 [APS 232].
Financial benefits are also evident as an incentive to widen the practice of BC. In some parts of the western world, insurance companies offer discounts when BC plans are in place. With Business Continuity Management (BCM) penetration lower than 20% in Japan, despite the frequent natural disasters, the Development Bank of Japan offers a Disaster Prevention Loan with reduced interest rates, to be used to plan BC programmes, to prepare facilities to reduce the effects of a disaster or to provide backup ICT services.
Reflecting this upsurge in interest there are a number of emerging standards (and overlapping standards) in the area of Business Continuity Management. With a choice of different terminologies and areas of overlap a company must adopt one specific methodology and apply it throughout the organisation.
Factors such as human resources, financial and technological limitations and regulatory constraints will shape the strategy and drive the eventual solution. With increasing reliance on ICT in all areas of our lives, ICT becomes an important part of the solution. The term “Disaster Recovery (DR)” has over many years migrated from its true meaning within business to a response to an ICT problem or failure. ICT departments provide DR Plans to recover important systems within a reasonable timescale in accordance with a Service Level Agreement, but this rarely meets the end-user’s expectations based on their BC requirements.
These issues and overlaps are being addressed in the latest standards and frameworks, but this has evolved into a complex web of procedures and policies. For example, ITIL [ITIL] is a framework for Information Technology (IT) infrastructure, with v2 divided into 9 areas; while the idea is to utilise the areas relevant to the organisation, the existence of relationships among the areas means that taking one and not another could create deficiencies. This is also reflected in standards, where the relationships are now starting to be defined. For example, PAS 77 IT Service Continuity Management [PAS 77] acknowledges the need for Business Continuity Management (BCM) before IT Service Continuity (ITSC) plans can be developed. It also states that if there is no BC in place then a subset of the Business Impact Analysis (BIA) must be completed in order to understand the business requirements and to align IT services to them.
Emerging standards (and existing ones which are evolving) reflect their roots and so the target audience for each must be known to best understand their basis. The American standard NFPA 1600 comes from the National Fire Protection Association [NFPA] and is the standard on Disaster and Emergency Management and Business Continuity Programs. Early versions are more about saving the environment than IT but the latest version (2007) moves towards BC. This contrasts with BS 25999-1, which was written purely as a BC standard to enable businesses to recover from incidents ranging from minor (outage of a few hours) to a major incident requiring relocation of services [BS 25999-1].
A number of frameworks in this area identify a purely IT aspect of BCM referred to as IT Service Continuity. IT Service Continuity Management (ITSCM) is a discipline which has evolved from IT Disaster Recovery (ITDR) but is more customer-centric. The paradigm is similar, but the underlying assumptions made by ICT as to priorities, timescales and important components are replaced with accurate data from the business units. ITSCM is the control which transforms ICT into a proactive service organisation, meeting the needs of its customers, understanding their requirements and fulfilling them. In the event of an incident the plans and systems in place should ensure a resumption of service within the agreed Service Level Agreements (SLAs), ensuring compliance and customer satisfaction as well as aiding Business Continuity.
This site utilises knowledge of many different methods, represents them on a Business Continuity overview process diagram and then compares the methods through individual process diagrams and entries in an inventory. This allows readers to assess their suitability for use within their own organisation. Moreover, it provides an orientation for the target audience who would like to have an overview of the state of the art in methods and good practices for continuity and who would like to properly apply existing approaches to their organisation.