The Binomial Bookstore

AUDITING BUSINESS CONTINUITY:
GLOBAL BEST PRACTICES
By Rolf von Roessing

ENDORSED BY THE BUSINESS CONTINUITY INSTITUTE!

Published by Rothstein Associates Inc.

- Contains a comprehensive, detailed business continuity audit plan
- Includes sample audit report and work papers
- An ideal resource for consultants or auditors, as well as internal business
continuity planners!
- International in scope - includes country-specific guidelines.
- - - - - - - -
-

EXCERPT FROM THE FOREWORD

“There are numerous publications that provide a wealth of knowledge about what
Business
Continuity Management (BCM) is and how it should be done; few offer an
explanation of how
it can be assessed. Many concentrate on how to develop and maintain a BCM
plan; few
adopt an holistic approach to BCM and address the key issue of how to develop
and
maintain a BCM capability based on an understanding of the business and its
markets.

“This work of Rolf von Roessing is grounded in sound experience and begins to fill
the BCM
plan/capability gap. It sets out the BCM audit process in a structured and user
friendly way
that should be basic reading for all BCM professionals and BCM auditors.

“A particular acknowledgement is the complexity of a BCM audit and the need for
professional BCM expertise as a key element to successfully achieve audit
objectives.

“The work not only provides a general outline of how to conduct different types of
audits but
also reinforces their application by providing practical examples and advice to
illustrate the
step-by-step methodology, including contracts, reports and techniques. The
practical
application of the methodology enables the professional auditor and BCM
practitioner to
identify and illustrate the use of good BCM practice whilst demonstrating added
value and
business resilience.

Dr. David J. Smith MBA LL.B(Hons)
Chairman of the Business Continuity Institute, Education Committee

- - - - - - - -
-

EXCERPT FROM THE PREFACE

“I was very happy to be asked to write a preface to this welcome addition to the
growing
library of Business Continuity learning.

“Why? As a practicing consultant and trainer of enterprise risk management and
business
continuity, it has long been a source of discomfort that so many business
continuity plans
simply pay lip service to real needs. Plans are often over simplistic, over-focused
on
particular possibilities, ill-considered and incomplete. They make implicit
assumptions -
about the availability of people, assets and access, for instance - without
subjecting those
assumptions to challenge.

“Around 85% of Business Continuity Plans fail when first tested. Put simply, these
plans
show
fundamental flaws that would have prevented recovery from taking place within the
required
timescale.

“Over 50% of Business Continuity Plans are never tested. This means that those
flaws have
not been exposed and the plans will almost certainly fail to deliver timely recovery.

“These stark figures demonstrate just how misplaced are the hopes of many
managers when
they rely on such fragile plans. No matter what forethought is given to business
continuity
management, the actual experience of a disaster bears little relation to the
pre-considered
events and to plans developed in the relative calm of normal circumstances.

“Too often business continuity arrangements are based on specific disaster
scenarios and
would not withstand scenarios that had not been considered. But disasters are
not
disciplined. Chaos follows no roadmap. The unthinkable does happen.

“It is therefore crucial to businesses that plans are subject to stringent review. That
is why I
welcome Rolf von Roessing's cogent contribution to this important area. Rolf
provides a
comprehensive, pragmatic and deeply practical step-by-step guide to Business
Continuity
audit. I commend it to all who are serious about the topic.”

Andrew Hiles
FBCI, MBCS
Director,
Kingswell International
Oxford, UK

- - - - - - - -
-

EXCERPT FROM THE INTRODUCTION

“This book presents a general methodology and a framework for auditing Business
Continuity Management (BCM). The main purpose is to provide a single work of
reference
for
auditors, managers working in business continuity and consultants.

“BCM is a complex field. It covers business issues and technology with a
perspective on the
entire enterprise. The business continuity manager, and the auditor, require a
diversified set
of skills and extensive knowledge to assess business continuity as a question of
business
survival. There has been a lot of confusion about the terms "business continuity,"
"disaster
recovery," "IT security" and many other words attempting to describe the
continuation of
critical business processes under adverse circumstances. However, for the auditor
these
terms refer to one and the same notion: businesses should take adequate
precautions to
ensure that no going concern issues arise from crises or disasters.

“Some companies decide to take a cautious stance with regard to continuing their
operations come what may: they prefer to "err on the safe side" and rely on
preventative
measures. Other firms, perhaps in an industry where "speed to market" and
competitive
pressure require a faster pace, may prefer to reduce investments on prevention,
while putting
in place a robust crisis and disaster management mechanism. Both types of
corporations
nevertheless pursue the overall goal of business continuity, by either avoiding risks
or
disasters (if they can), or by making sure they can deal with these events.

“In a sense, BCM means "reading the future" or trying to safeguard an organization
against
unforeseen events. Management is still forced to address precisely this issue, by
carefully
evaluating their options and then making an entrepreneurial decision about the
acceptable
level of remaining risk. To the auditor, it is important to understand how this
decision has
been reached and whether it can be justified from a financial, operational and
managerial
point of view. Neither the overly cautious nor the reckless manager will succeed in
today's
market - the BCM auditor should provide a sounding board and an objective
business
partnership to the management of the company being reviewed.

“BCM audit is therefore an important element of ensuring corporate survival. The
audit result
incorporates issues of compliance, highlights weaknesses and provides
reasonable
recommendations to management, whose experience may be enhanced and
improved by
the auditor's objective input from other corporations or industries. It is not to be
confused with
the much narrower field of IT audit. This book has been deliberately restricted to
business
continuity rather than IT continuity to highlight the all-important differences between
the two.

“The contents have been arranged around the Business Continuity Institute (BCI) /
Disaster
Recovery Institute International (DRII) Professional Practices for business
continuity as well
as other standards such as CobIT or ISO / IEC 17799. Some elements may look
familiar to
the experienced auditor who may still benefit from using this book as a reference
manual or
as an instructive tool for groups of auditors. This is intentional, as BCM and related
audit
questions should "fit in" with tools and models that are recognized and proven in
the field.”

- - - - - - - -
-

EXCERPT: HOW TO USE THIS BOOK

“This book is a toolset to assist you in planning, conducting and documenting a
review of the
business continuity management (BCM) process within a company or institution. It
is
structured in three main sections. The first part explains how to plan an audit from
beginning
to end. The second part contains a full audit program that you may use at varying
levels of
detail to support your audit strategy and plan. The third part contains samples of
an audit
report and selected work papers to help you put the plan and program into
practice.

“If you are a financial auditor, or an internal auditor tasked with reviewing business
continuity,
this may be a new field to you. Likewise, if you are a business continuity manager
who has
been assigned the task of being an auditor, this is a new way of looking at BCM,
rather than
implementing it. Chapter 1 explains the concepts of BCM and audit seen together.
It shows
how to formulate the framework and scope of a BCM audit, how to define audit
plans and
how to write a clear and concise audit program that management and other
stakeholders will
understand and buy into.

“As an auditor, you are managing the practical phase of a BCM review. Chapter 2
explains
how to schedule the review, how to estimate time and effort, and how to streamline
the
process of formal audit steps. Known difficulties and pitfalls, many of them unique
to BCM,
are explained in detail. Even if you are a seasoned audit professional, this chapter
may help
you in identifying typical problems associated with reviewing a complex process
and
interacting with a wide range of managerial and technical responders. As a
business
continuity manager, Chapter 2 may help you understand the challenges presented
by
reviewing the BCM concepts without actually managing them yourself.

“Chapter 3 outlines methods of analysis that you can use to arrive at a
well-founded audit
opinion. As a financial or internal auditor, this chapter will allow you to evaluate
your findings
and to avoid time-consuming detail when reviewing the BCM process. As a
business
continuity manager, you will find Chapter 3 a useful tool for looking at any given
part of a
BCM
process and for comparing findings against your own experience and best
practices.

“The success of your work as a BCM auditor depends on clear, concise audit
reports that
are
easily understood by management. Chapter 4 explains how audit reports are
structured,
written and presented to your stakeholders. In this chapter, you will find samples
and
templates ranging from small, detailed reports to a large set of reports designed for
an
international BCM audit.

“Section 2 is a standardized audit program divided into work areas. You will find
detailed
audit questions covering all aspects of business continuity management. In the
course of
your
BCM audit, you can use parts or the whole of the standardized questions for your
audit plan
and program. The standardized audit program is designed to give you additional
information
on risk ratings, recognized standards and additional materials that you may use to
understand each item, as well as to communicate it to audit teams or the auditee
organization.

“For each item within the standardized audit program, the legal, regulatory and
technical
background is explained in detail. Detailed audit steps have been included for each
question
to give you indications as to the time and effort required during the audit.
Suggested
standard wordings for findings and recommendations have also been included.

“Work area 11 contains detailed audit instructions for some national jurisdictions
where
different rules may apply. You can use these to guide your audit teams, and to find
out what
materials you may need to understand and evaluate when reviewing BCM abroad.
The
national parts of area 11 include the Central and Eastern European world to give
you an
overview of what to look for even if a foreign language is used.

“Work area 12 will support you when reviewing typical BCM software tools. You will
find
useful
hints and technical references to give you quick access to typical problems and
difficulties
that may constitute important audit findings.

“Section 3 contains a sample audit report that is based on the examples used in
Section 1.
Selected work papers have been added to provide an indication as to the ways in
which you
might use the standardized audit program.

“Depending on your previous experience with audit and BCM, you can use this
book as a
reference work or as a step-by-step guide for hands-on project work. However, it is
not a
"one-size-fits-all" guide along the lines of "BCM-in-a-box for $ 9.99." Whether you
are a
novice auditor or a seasoned BCM professional, it is likely that you will use the
book in
different ways.”

- - - - - - - -
-

TABLE OF CONTENTS

FOREWORD
PREFACE
INTRODUCTION
HOW TO USE THIS BOOK

SECTION I: AUDIT GUIDELINES FOR BUSINESS CONTINUITY
MANAGEMENT
1 AUDIT FRAMEWORK, SCOPE AND PLANNING
Introduction
Audit Framework
Audit Scope
Audit Areas (Modules) and Planning
Example of Audit Framework, Scope and Planning Statement
Example of Individual Audit Program
SUMMARY

2 CONDUCTING THE AUDIT
Scheduling and Administration
Example of Interview Schedule and Administration
Interview Contents
Example of Interview Guidelines
Example of BCM Questionnaire
Pitfalls and Known Difficulties
SUMMARY

3 ANALYSIS
Summarizing Interview Results
Example of Interview Series Summaries
Example of Gap Analysis
Documentation66
Methods
Analytical Example
Applying the Standardized Program
SUMMARY

4 REPORTING GUIDELINES
Structuring Report Contents
Example of Overall Report Structure
Miscellaneous Reporting Issues
Applying the Standardized Audit Program
SUMMARY

SECTION II: STANDARDIZED AUDIT PROGRAM
1 PROJECT INITIATION AND MANAGEMENT
1.1 Scope, Objectives and Format
1.2 Organizational BCM Integration
1.3 Financial Planning and BCM Budget
OVERVIEW CHAPTER 1 AUDIT ITEMS

2. RISK MANAGEMENT AND EVALUATION
2.1 Risk Identification, Loss Potentials, Vulnerabilities
2.2 Risk Analysis Methodologies and Tools
2.3 Risk Evaluation and Control
OVERVIEW CHAPTER 2 AUDIT ITEMS

3 BUSINESS IMPACT ANALYSIS ACTIVITIES
3.1 A comprehensive business impact analysis has been performed.
3.2 A list of prioritized business processes exists.
3.3 All vendors, suppliers, and third-party companies that are relied upon have
a
business continuity plan.
3.4 An adequate level of business interruption insurance is established.
3.5 Business process interdependencies are defined.
3.6 Maximum tolerable downtimes (MTDs) are established on the basis of
financial
and operational impacts of a disruption to normal business operations.
3.7 Maximum times in alternative operations (MTAs) for all business
processes are
defined and documented.
OVERVIEW CHAPTER 3 AUDIT ITEMS

4 EMERGENCY RESPONSE AND OPERATIONS
4.1 Command and Control
4.2 Response Steps
OVERVIEW CHAPTER 4 AUDIT ITEMS

5 BCM STRATEGY
5.1 Strategy Requirements
5.2 BIA Alignment
5.3 Outsourcing / Insourcing Issues
5.4 Enterprise-wide Strategy
OVERVIEW CHAPTER 5 AUDIT ITEMS

6 DETAILED BUSINESS CONTINUITY PLANNING
6.1 Plan Development Requirements
6.2 Recovery Management and Control Requirements
6.3 Format and Structure of Plan Components
6.4 Operational Planning
6.5 Detailed Implementation
6.6 Plan Distribution and Control
OVERVIEW CHAPTER 6 AUDIT ITEMS

7 TRAINING AND AWARENESS
7.1 Business Continuity Awareness
7.2 BCM Training and Awareness
OVERVIEW CHAPTER 7 AUDIT ITEMS

8 MAINTENANCE AND EXERCISE
8.1 Plan Testing
8.2 Plan Maintenance
OVERVIEW CHAPTER 8 AUDIT ITEMS

9 PUBLIC RELATIONS AND COMMUNICATIONS
9.1 Public Relations
9.2 Crisis Communications
OVERVIEW CHAPTER 9 AUDIT ITEMS

10 COORDINATION WITH PUBLIC AUTHORITIES
10. 1 Regulatory Framework
10.2 Coordination with Disaster Recovery and Business Continuity Agencies
OVERVIEW CHAPTER 10 AUDIT ITEMS

11. COUNTRY-SPECIFIC ISSUES
11.1 Germany
11.2 Australia, New Zealand
11.3 Austria
11.4 Italy and Greece
11.5 United States and Canadian Standards on BCM and Risk Management
OVERVIEW CHAPTER 11 AUDIT ITEMS

12. SOFTWARE-BASED PLANNING
12.1 General Status
12.2 Technical Status
12.3 Software Functionality
OVERVIEW CHAPTER 12 AUDIT ITEMS

APPENDIX A: SAMPLE AUDIT REPORT (FORMATTED)

APPENDIX B: SAMPLE WORK PAPERS (FORMATTED)
Sample 1: Audit Item from Area 1 (Project Initiation and Management)
Sample 2: Audit Item from Area 2 (Risk Evaluation and Control)
Sample 3: Audit Item (complex) from Area 6 (Detailed Planning)
Sample 4: Audit Item (complex) from Area 7 (Training and Awareness)

BIBLIOGRAPHY
ABOUT THE AUTHOR
ABOUT THE PUBLISHER

- - - - - - - -
-

ABOUT THE AUTHOR

Rolf von Roessing is head of eSecurity Services and head of BCM for Austria,
Croatia,
Slovakia, Slovenia for Ernst & Young Vienna. He has extensive experience in
business
continuity management, information security and traditional security. He has
worked with
Ernst & Young in several European and global offices, including specialist
assignments such
as Y2K subject matter expert and active participation in several global core teams
for
business continuity. His current position includes BCM and security-related
responsibilities,
and he heads these service lines for Austria and several other countries.

Rolf is a board member of the Business Continuity Institute (BCI) and holds an
MBCI
certification. He is an active participant of the Institute's education committee,
working
towards integration of BCM best practices and tertiary education programs. These
developments include the consolidation and publication of BCM knowledge,
academic and
research work.

In Austria, Rolf has contributed to several standardization and codification
initiatives, notably
the ISO 17799 introduction as a common standard throughout the country. He
frequently
supervises security-related certification examinations and has presented various
lectures
and training courses on business continuity management in a European context.

Rolf holds postgraduate degrees in Britain, France and Germany, as well as the
CISA
(Certified Information Systems Auditor) and CISSP (Certified Information Systems
Security
Professional) professional certifications. "Auditing Business Continuity: Global
Best
Practices" is his first major book, following a solid background of academic
publications and
professional papers.

===============================
Published by Rothstein Associates Inc.
IN STOCK FOR IMMEDIATE SHIPMENT.
ISBN #1-931332-15-0
===============================
2002, 306 pages. Order #DR601.
- - - - - - - -
-

The Binomial Bookstore

Business Continuity & Disaster Recovery

Rothstein Associates Inc.