The Binomial Bookstore

SPECIAL OFFER:
SAVE $10.00!

BUSINESS CONTINUITY: BEST PRACTICES
WORLD-CLASS BUSINESS CONTINUITY MANAGEMENT
2nd EDITION
by Andrew Hiles, FBCI

and

AUDITING BUSINESS CONTINUITY:
GLOBAL BEST PRACTICES
By Rolf von Roessing

- - - - - - - -
- -
ORDER #DR725
- - - - - - - -
- -
- - - - - - - -
- -

BUSINESS CONTINUITY: BEST PRACTICES
WORLD-CLASS BUSINESS CONTINUITY MANAGEMENT
2nd EDITION
by Andrew Hiles, FBCI

ENDORSED BY THE BUSINESS CONTINUITY INSTITUTE INTERNATIONAL (BCI)
AND
DISASTER RECOVERY INSTITUTE INTERNATIONAL (DRII).

- - - - - - - -
- -

This is the new, 2nd edition of the landmark 1999 book, BUSINESS CONTINUITY:
BEST
PRACTICES which was the first book to address the ten units of The Common
Body of
Knowledge for Business Continuity adopted jointly by BCI and DRII.

- - - - - - - -
- -

NEW IN THIS EDITION:
Business Continuity Road Map for Novices and for Experienced
Practitioners.

- - - - - - - -
- -

This book is a guide to implementation of World-Class Business Continuity
Management
within an enterprise. It may be used as a step-by-step guide by those new to
Business
Continuity Management or dipped into by the more seasoned professional for ideas
and
updates on specific topics.

There is no absolute "right way" to perform business continuity management –
although there
are plenty of wrong ways. Business Continuity is not rocket science: it is applied
common
sense. Yes, experience helps, but it is no mystic art. This book makes the
processes
transparent and provide the reader with everything necessary to do the job.

Many examples are provided throughout this guide: these all have their roots in real
cases
and real organizations, and come heavily laden with pragmatism. Over fifteen years
of
business continuity experience in environments large and small, public and private,
has gone
into developing the methods described. Your own "right way" for business
continuity
management means picking, matching and tailoring from the cases and examples
provided
and combining these with existing best practice within your organization.

- - - - - - - -
- -

EXCERPT FROM THE FOREWORD TO THE 2nd EDITION

The events of 9/11 have cast a long shadow over the world and led to a vital
reappraisal of
Enterprise Risk Management and Business Continuity Management.

The Federal Reserve Bank of New York, Federal Reserve System, the Office of the
Comptroller of the Currency, the New York State Banking Department, and the
Securities and
Exchange Commission sponsored the Financial Industry Summit, held on
February 26, 2002.
I can do no better than to repeat Roger Ferguson's summary of the key
vulnerabilities that
regulators and institutions have to face in the aftermath:
* “First, contingency planning generally did not account for region-wide
events.
Some firms found they lost both primary and back-up sites. There were significant
concerns
about the loss of or inaccessibility of staff.
* “Second, concentrations, both market-based and geographic, were really
evident
and became a source of vulnerability.
* “Third, the critical interdependencies across the industry, although
understood in
the context of planning Year 2000, were never so readily apparent. This was
evident in the
impact of the problems at key infrastructure providers on wide range of financial
institutions.
Even institutions far removed from New York City were significantly affected by
interdependencies.”

These factors apply not only to financial institutions that were particularly hit by the
tragedy,
but also to many other industries that could be impacted by disasters having a
similar impact.

Key lessons have been painfully learned:
* People issues are paramount: staff availability, risk awareness and training
are
critical
* Operations distributed over a wide geographic area have a better chance of
recovering and may recover quicker. Reliance on single points of failure should be
avoided.
* Focus on the outcomes of disaster rather than the causes and on the
deliverables
rather than on the processes of delivery
* It is not enough to pay lip service to business continuity: planning must be
whole
hearted, thorough and tested. Testing may need to extend across the industry,
across
industries and into the supply chain, including infrastructure providers.

It is our hope that effective risk management, emergency and continuity planning
may help to
prevent deliberate disasters and to mitigate the consequences of those that do
occur.

Andrew Hiles

- - - - - - - -
- -

EXCERPT FROM THE PREFACE
Melvyn Musson, FBCI, CBCP, CISSP

I was very pleased to be asked to write a preface to this much-needed book. There
are many
books that have been written covering various aspects of hazard control,
emergency
response, disaster recovery and business continuity, but not one that pulls all
areas together
under the auspices of the individual sections of the BCI and DRII Professional
Practices.

Why my interest? To quote from a letter I wrote to the National Fire Protection
Association
(NFPA) in 1991 when they were considering the establishment of a Technical
Committee to
develop a Standard on Disaster Management:

“Disaster Management, or Business Continuation Planning as we prefer to call it,
is a natural
progression from Hazard/Loss Control through Emergency Response to the
recovery
process.

“The best hazard/loss control programs cannot prevent emergency or catastrophic
situations
occurring. The emergency response procedures that most companies have
developed or
which may be required by law, deal with such aspects as initial fire fighting,
evacuation, life
safety, etc. - what one might term the stabilization of the situation. They cover the
first hours of
the emergency. They do not deal with the long-term recovery, which could take
several
months.

“Disaster Management, or some other similarly named program, is needed to
enable the
company to institute procedures to return to normal operations as soon as
possible.

That standard is now available as NFPA 1600: Standard on Disaster/Emergency
Management and Business Continuity Programs. Within that standard are details
of the
BCI/DRII Professional Practices, albeit as part of the various sections of the
standard and not
as an individual, specific section.

In addition to NFPA 1600, other standards and guides such as BS7779 in Great
Britain and
the recent Australian Risk Management Standard are incorporating the
Professional
Practices either by specific reference or wording relating to the practices.

The advent of the Turnbull Report introduces a new consideration and need, which
the
Professional Practices can support.

This makes it all the more important to have a reference material that can clearly
detail what
should be considered in each of the ten subject areas, together with appropriate
examples
and details of not only the benefits but also the problems that can be expected
with each of
those subject areas. Andrew Hiles has been able to do so in the development of
this book. In
addition, since Andrew intends to issue periodic updates, this book becomes a
living
document, which will address both changes in the Professional Practices and
developments
within the industry.

- - - - - - - -
- -

CONTENTS

DEDICATION
ACKNOWLEDGEMENTS
CONTENTS
FOREWORD TO THE 2ND EDITION
PREFACE - MELVYN MUSSON, FBCI, CBCP, CISSP
FOREWORD BY THE BUSINESS CONTINUITY INSTITUTE (BCI) - JOHN SHARP
FOREWORD BY THE DISASTER RECOVERY INSTITUTE INTERNATIONAL
(DRII) -
PAUL R. THOMAS, JR. AND BENNY D. TAYLOR
INTRODUCTION
BUSINESS CONTINUITY ROAD MAP: INTRODUCTION

1 PROJECT INITIATION AND MANAGEMENT
1.1 DRII/BCI Unit 1 Project Initiation & Control
1.2 Business Continuity Project - Activities
1.3 Business Continuity - Project or Program?
Figure 1.1: Bc Maturity Pyramid
1.4 Defining the Need: Scope of Business Continuity
1.5 Defining the Need: What Is a Disaster?
1.6 Disaster Defined
1.7 Recovery Timescale
Figure 1.2: Time for Recovery
1.8 Communicating the Need - Awareness: the Dangers
1.9 Communicating the Need - Awareness: Benefits of Business Continuity
Planning
1.10 Establish BC Policy
1.11 Establish a Planning / Steering Committee
Figure 1.3: Example of Steering Committee Structure
1.12 Project Planning
1.13 Develop Initial Budgetary Requirements
1.14 Report to Senior Management
1.15 Making it Stick - Other Motivators
1.16 Summary
Appendix a to Chapter One: Project Initiation Checklist
Appendix B to Chapter One: Examples of Briefing Information
Appendix C to Chapter One: Examples of Disaster Recovery Project
Appendix D to Chapter One: Examples of Project Terms of Reference & Scope,
Business
Continuity Project
Appendix E to Chapter One: Example of a Simple Business Continuity Project
Plan
Appendix F: Indicative Project Deliverables and Investment -Phase 1 of Pilot
Project
Business Continuity Road Map: Chapter 1

2 RISK EVALUATION & CONTROL
2.1 DRII/ BCI Unit 2 Risk Evaluation & Control
2.2 Definitions: Hazards, Threats, Risks and Assets
2.3 Risk Assessment - the Need
2.4 Health & Safety - Risk Assessment
2.5 Control of Major Accident Hazards Regulations 1999 (COMAH)
2.6 System Safety Programs and HAZOP
2.7 Risk Management for Finance and the Finance Sector - Compliance
Issues
2.8 Food and Drug Administration (FDA) Compliance
2.9 Risk Assessment in the Food Industry
2.10 Health Care
2.11 Risk Assessment in Other Industries
Table 2.1 Risk Guidance and Compliance
2.12 Risk Assessment: Statutory Requirement and Duty of Care
2.13 Example of Risk Assessment Guidelines: the Turnbull Report
2.13.1 the Turnbull Process
2.13.2 Making Progress
2.14 Risk Requirements in Germany
2.15 Risk Assessment - the Process
Figure 2.1 Schematic of Risk Assessment Process
2.16 Options for Risk Management
2.17 the Turnbull Approach to Risk Assessment
2.18 Critical Component Failure Analysis
2.19 Operational Risk Management
2.20 an Output Approach to Risk
2.21 Security and Siting - Risk Areas
2.22 Summary
2.23 Case Studies
Appendix A to Chapter Two: Possible Threats
Appendix B to Chapter Two: Example of a Simple Risk Analysis
Appendix C to Chapter Two: the E-bomb: the New Threat
Appendix D to Chapter Two: Fire Hazard from Computer Tapes
Appendix E to Chapter Two: Possible Threats: Smoke Tests
Appendix F to Chapter Two: Foot & Mouth: a Preventable Disaster
Appendix G: Site, Environmental & Health & Safety Risk Assessment Checklist
Business Continuity Road Map: Chapter 2

3 BUSINESS IMPACT ANALYSIS
3.1 DRII/BCI Unit 3 Business Impact Analysis
3.2 What Is BIA?
3.3 The BIA Project
3.4 BIA Data Collection Methods
3.5 Critical Success Factors: Definitions
Figure 3.1: Critical Success Factor / Business Process Matrix
3.6 Key Performance Indicators
3.7 Process Flows
3.8 Outputs & Deliverables
3.9 Activity Categorization
3.10 Desk Review of Documentation
3.11 Questionnaires
3.12 Interviews
Figure 3.2: Summary of BIA Interview Data
3.13 Workshops
3.14 Business Impact Analysis - Financial Justification for BCM
3.15 Grounds for Justification
3.16 Life and Safety
3.17 Marketing
Figure 3.3 the World's Top Ten Brands
3.18 Financial
Figure 3.4 Average Normalized Share Price Variation % Following a
Disaster
3.19 Compliance / Legal Requirements
3.20 Quality
3.21 Summary: Financial Loss
Table 3.5: Cost of Disaster - Causes
3.22 Designing an Impact Matrix
Table 3.6: Simplified Impact Analysis
3.23 Time Window for Recovery
Figure 3.7 Risks and Outage
Figure 3.8 Time Window for Recovery
3.24 A Tiered Approach to Business Continuity Planning: Relationship of
Business Continuity and Service Level Agreements
Figure 3.9 Tiered Availability
3.25 Resource Requirements
Figure 3.10 Effect of Coincident Workload Peaks
Figure 3.11 The Backlog Build-up
3.26 Summary
Appendix A to Chapter Three: Resource & Timescale for Provisioning
Appendix B to Chapter Three: Example of Risk & Impact Analysis
Appendix C to Chapter Three: Example of a Service Level Agreement Using Tier
Rating
Business Continuity Road Map: Chapter 3

4 DEVELOPING CONTINUITY STRATEGIES
4.1 DRII / BCI Unit 4: Developing Continuity Strategies
4.2 Vital Materials and Back-up
4.3 Business Continuity Strategy: Options
4.3.1 Bunker
4.3.2 Continuous Processing
4.3.3 Distributed Processing
4.3.4 Alternate Site
4.3.5 Quick Resupply
4.3.6 Off-Site Storage
4.3.7 Working from Home
4.3.8 Reciprocal Arrangements
4.3.9 Buying-in or Outsourcing
4.3.10 Buffer Stock
4.3.11 Other Recovery Services
4.4 Option Comparison
4.5 Contractual Arrangements for Recovery Services
Figure 4.1: Recovery Options and Recovery Timescale
4.6 Lateral and Creative Thinking
4.7 the Role of Insurance
Figure 4.2: Insurance Relationships
4.8 Using Consultants
4.9 Summary
Appendix A to Chapter Four: Example of a BC Project
Business Continuity Road Map: Chapter 4

5 EMERGENCY RESPONSE & OPERATIONS
5.1 DRII / BCI Unit 5: Emergency Response & Operations and Unit 10
Coordination
with Public Authorities
5.2 Types of Emergencies
5.3 Coordination with Public Authorities (DRII /BCI Unit 10)
5.3.1 DRII/BCI Standards
5.4 International Coordination
5.5 US Department of Homeland Security
5.6 National Incident Management System
5.7 National Interagency Incident Management System
5.8 Tthe US Federal Emergency Management Agency (FEMA)
5.8.1 About FEMA
5.8.2 FEMA's Role in Anti-Terrorism
5.8.3 FEMA's Powers
5.8.4 US State Emergency Authorities
5.9 Office of Critical Infrastructure Protection and Emergency Preparedness
Canada
5.10 Emergency Management Australia
5.11 Local Incident Control and Escalation
Table 5.3 UK "Blue Light" Services: Command Structure
5.12 UK National Arrangements for Responding to a Disaster
5.12.1 Overview
5.12.2 Roles
5.12.3 Combined Response
5.13 Public Relations & Crisis Communication (DRII/BCI UNIT 9)
5.13.1 DRII/BCI Competencies
5.13.2 Crisis Communication
5.13.3 Role of Media Management
5.13.4 Communication with Stakeholders
514 Salvage and Restoration
5.15 Summary
Appendix A to Chapter 5: Example Emergency Plans
Appendix B to Chapter Five: Emergency Response Acronyms
Business Continuity Road Map: Chapter 5

6 DEVELOPING & IMPLEMENTING THE BCP
6.1 DRII/BCI Unit 6 Developing and Implementing Business Continuity Plans
6.2 Introduction
Figure 6.1 the Anatomy of BC Plan Development
6.3 Plan Introduction
6.4 Identify Teams
Figure 6.2 Example BC Organization
6.5 Tasks, Actions and Functions
6.6 Roles and Responsibilities
6.7 Alternative Locations (Standby Locations)
6.8 Contact Details for Internal and External Contacts
6.9 Vital Documents and Materials
6.10 Resource Requirements
6.11 Reporting Processes and Requirements
6.12 Audit Trail
6.13 Confidentiality Status, Version Control and Document Configuration
Management
6.14 Structure of the Plan
Figure 6.3 Example Organization and BC Plan Structure
6.15 Interim Plans
6.16 Software Tools for Plan Development
6.17 Summary
Appendix A to Chapter 6: Example Office Services Plan for a Professional Practice
Appendix B to Chapter 6: Example Contents of Generic Bc Plan Appendices
Appendix C to Chapter 6: Business Continuity Planning Software
Appendix D to Chapter Six: BC Software Checklist
Business Continuity Road Map: Chapter 6

7 AWARENESS & TRAINING PROGRAMS
7.1 DRII/BCI Unit 7: Awareness & Training Programs
7.2 Establishing Objectives and Components of the Program
7.3 Identifying Functional Awareness and Training Requirements
7.4 Developing the Training Methodology
7.5 Acquiring or Developing Training Aids
7.6 Identifying External Training Opportunities
7.7 Identifying Vehicles for Corporate Awareness
7.8 The Macquarie University Report
7.9 Summary
Appendix A to Chapter Seven: Staff Skills Assessment Matrix
Appendix B to Chapter Seven: Disaster Management Internet Hot List
Emergency Services News Groups
Emergency Services Mailing Lists
Catalogues, Publication Lists, Computer Data Bases
Business Continuity Road Map: Chapter 7

8 MAINTAINING & EXERCISING THE BCP
8.1 DRII/BCI Unit 10: Maintaining & Exercising the BCP
8.2 BC Plan Audit & Review
Table 8.1 Bc Plan Audit Areas
8.3 the Need for Exercise
8.4 Exercise Strategy
8.5 Exercise Methods
8.5.1 Talk Through
8.5.2 Walk-through
8.5.3 Role Play Scenario
8.5.4 Disaster Drill: Pull the Plug
8.6 A Structured Approach to Plan Exercising
8.7 When to Exercise
Table 8.1 Exercise Checklist
8.8 Post Exercise Reporting
8.9 Summary
Appendix A to Chapter Eight: Example of Notes of an Exercise Planning Meeting
Appendix B to Chapter Eight: Scenario for a Plan Walk-through
Appendix C to Chapter Eight: Example Brief for Observers
Appendix D to Chapter Eight: Test Scenario - Initial Briefings and Situation Reports
(Sitreps)
Business Continuity Road Map: Chapter 8

9 STANDARDS AND GUIDELINES
9.1 Introduction
9.2 USA: NFPA 1600, Standard on Disaster/Emergency Management and
Business
Continuity Programs
9.2.1 Introduction to NFPA 1600
9.2.2. NFPA 1600 Content
9.2.3 Compliance with the NFPA 1600 Standard
9.3 US Federal Emergency Agency (FEMA) Disaster Planning for Business
and
Industry
9.4 Federal Financial Institutions Examination Council (FFIEC) Guidelines
9.5 Canadian Standards Association CAN/CSA-7731-M95, Emergency
Planning for
Industry, a National Standard for Canada
9.6 South Africa Disaster Management
9.7 British Standard BS 7799 Standard in Information Security Management
Table 9.1: BS 7799 Controls
9.8 Australia AS4444 Standard in Information Security Management
Table 9.2 AS 4444 Sections and Objectives
9.9 Australia: Australian National Audit Office Better Practice Guide, Business
Continuity Management, Keeping the Wheels in Motion
9.10 Standards Australia OB/7 Working Group Business Continuity
Management
Guideline Draft Version 2.1
9.11 UK Defence Council Instruction DCI GEN 170/98 Business Continuity
9.12 UK Office of Government Commerce Bc Planning Guide
9.13 ISO 17799
9.14 Summary
Appendix A to Chapter Nine: Sources of Standards and Guidelines

GLOSSARY
BIBLIOGRAPHY

- - - - - - - -
- -

ABOUT THE AUTHOR

ANDREW HILES was founder and for almost 15 years Chairman of the first
international user
group for business continuity planning. He was a founding Director of the Business
Continuity
Institute, an international body for certification of business continuity professionals,
and a
founder of the World Food Safety Organization. Having begun his management
career with
the Royal Air Force, he pioneered IT systems before leaving to take up a position
within the
Finance Department of London Transport. Subsequently in their Central
Productivity Unit he
was a Senior Projects Manager and later became responsible for the business
re-engineering function, implementing new services and major technical projects.
He left to
take up a position with the UK Post Office as their first Business Systems
Consultant
responsible for major projects. Andrew then joined the UK Atomic Energy
Authority at the
Harwell Laboratories where he managed the supercomputing, mainframe and other
bureau
and outsourcing services.

Andrew was a founding director of Kingswell, an international consulting company
with a blue
chip client base specializing in Enterprise Risk Management, Business Continuity,
Disaster
Recovery and in Service Management. He is a pragmatic global consultant and
trainer on
these topics.

Andrew is an international speaker on risk management, business continuity and
contingency
planning and has featured on conference programs in the USA, Southern Africa,
Europe, the
Middle East and the Pacific Rim. He has presented workshops and seminars on
these topics
for Frost & Sullivan (Europe), IIR (Europe and Middle East), AIC (South Africa),
CEL (Hong
Kong), UPOM (Saudi Arabia) and other companies, having also lectured at
Ashridge,
Cranfield, GEC Dunchurch and Henley Management Colleges in the UK. He has
broadcast
on radio, TV and on Internet webinars.

He has designed the training programs Emergency Business Management for the
350,000
members of the American Institute of Certified Public Accountants (AICPA) which
run
successfully in North America and his highly acclaimed workshop The ABC of
Business
Continuity Management has been franchised for use in several other countries.
With IIR, the
world's biggest conference company, he designed and delivered a Certified Risk
management course specifically addressing the needs of the Middle East.

He has over 300 published articles on business continuity. Andrew is also the
author of
Enterprise Risk Management: Best Practices, published by Rothstein Associates
Inc. 2002
and of Guide to Risk Management, published by the Chartered Institute of
Accountants of
England and Wales in 2002. He co-edited and was the major contributor to The
Definitive
Guide to Business Continuity Management (published by Wiley, 1999) and The
IBM GUIDE
UK Disaster Recovery Manual. He contributed to the Confederation of British
Industry
business guide, Business Continuity Management and to the UK Institute of
Directors /
Department of Trade and Industry Business Continuity Guide.

Andrew is a Fellow of the Business Continuity Institute, a Member of the British
Computer
Society and a Freeman of the City of London.

2004, 290 pages.
- - - - - - - -
- -
- - - - - - - -
- -
- - - - - - - -
- -

AUDITING BUSINESS CONTINUITY:
GLOBAL BEST PRACTICES
By Rolf von Roessing

ENDORSED BY THE BUSINESS CONTINUITY INSTITUTE!

Published by Rothstein Associates Inc.

- Contains a comprehensive, detailed business continuity audit plan
- Includes sample audit report and work papers
- An ideal resource for consultants or auditors, as well as internal business
continuity planners!
- International in scope - includes country-specific guidelines.
- - - - - - - -
-

EXCERPT FROM THE FOREWORD

“There are numerous publications that provide a wealth of knowledge about what
Business
Continuity Management (BCM) is and how it should be done; few offer an
explanation of how
it can be assessed. Many concentrate on how to develop and maintain a BCM
plan; few
adopt an holistic approach to BCM and address the key issue of how to develop
and
maintain a BCM capability based on an understanding of the business and its
markets.

“This work of Rolf von Roessing is grounded in sound experience and begins to fill
the BCM
plan/capability gap. It sets out the BCM audit process in a structured and user
friendly way
that should be basic reading for all BCM professionals and BCM auditors.

“A particular acknowledgement is the complexity of a BCM audit and the need for
professional BCM expertise as a key element to successfully achieve audit
objectives.

“The work not only provides a general outline of how to conduct different types of
audits but
also reinforces their application by providing practical examples and advice to
illustrate the
step-by-step methodology, including contracts, reports and techniques. The
practical
application of the methodology enables the professional auditor and BCM
practitioner to
identify and illustrate the use of good BCM practice whilst demonstrating added
value and
business resilience.

Dr. David J. Smith MBA LL.B(Hons)
Chairman of the Business Continuity Institute, Education Committee

- - - - - - - -
-

EXCERPT FROM THE PREFACE

“I was very happy to be asked to write a preface to this welcome addition to the
growing
library of Business Continuity learning.

“Why? As a practicing consultant and trainer of enterprise risk management and
business
continuity, it has long been a source of discomfort that so many business
continuity plans
simply pay lip service to real needs. Plans are often over simplistic, over-focused
on
particular possibilities, ill-considered and incomplete. They make implicit
assumptions -
about the availability of people, assets and access, for instance - without
subjecting those
assumptions to challenge.

“Around 85% of Business Continuity Plans fail when first tested. Put simply, these
plans show
fundamental flaws that would have prevented recovery from taking place within the
required
timescale.

“Over 50% of Business Continuity Plans are never tested. This means that those
flaws have
not been exposed and the plans will almost certainly fail to deliver timely recovery.

“These stark figures demonstrate just how misplaced are the hopes of many
managers when
they rely on such fragile plans. No matter what forethought is given to business
continuity
management, the actual experience of a disaster bears little relation to the
pre-considered
events and to plans developed in the relative calm of normal circumstances.

“Too often business continuity arrangements are based on specific disaster
scenarios and
would not withstand scenarios that had not been considered. But disasters are
not
disciplined. Chaos follows no roadmap. The unthinkable does happen.

“It is therefore crucial to businesses that plans are subject to stringent review. That
is why I
welcome Rolf von Roessing's cogent contribution to this important area. Rolf
provides a
comprehensive, pragmatic and deeply practical step-by-step guide to Business
Continuity
audit. I commend it to all who are serious about the topic.”

Andrew Hiles
FBCI, MBCS
Director,
Kingswell International
Oxford, UK

- - - - - - - -
-

EXCERPT FROM THE INTRODUCTION

“This book presents a general methodology and a framework for auditing Business
Continuity Management (BCM). The main purpose is to provide a single work of
reference for
auditors, managers working in business continuity and consultants.

“BCM is a complex field. It covers business issues and technology with a
perspective on the
entire enterprise. The business continuity manager, and the auditor, require a
diversified set
of skills and extensive knowledge to assess business continuity as a question of
business
survival. There has been a lot of confusion about the terms "business continuity,"
"disaster
recovery," "IT security" and many other words attempting to describe the
continuation of
critical business processes under adverse circumstances. However, for the auditor
these
terms refer to one and the same notion: businesses should take adequate
precautions to
ensure that no going concern issues arise from crises or disasters.

“Some companies decide to take a cautious stance with regard to continuing their
operations come what may: they prefer to "err on the safe side" and rely on
preventative
measures. Other firms, perhaps in an industry where "speed to market" and
competitive
pressure require a faster pace, may prefer to reduce investments on prevention,
while putting
in place a robust crisis and disaster management mechanism. Both types of
corporations
nevertheless pursue the overall goal of business continuity, by either avoiding risks
or
disasters (if they can), or by making sure they can deal with these events.

“In a sense, BCM means "reading the future" or trying to safeguard an organization
against
unforeseen events. Management is still forced to address precisely this issue, by
carefully
evaluating their options and then making an entrepreneurial decision about the
acceptable
level of remaining risk. To the auditor, it is important to understand how this
decision has
been reached and whether it can be justified from a financial, operational and
managerial
point of view. Neither the overly cautious nor the reckless manager will succeed in
today's
market - the BCM auditor should provide a sounding board and an objective
business
partnership to the management of the company being reviewed.

“BCM audit is therefore an important element of ensuring corporate survival. The
audit result
incorporates issues of compliance, highlights weaknesses and provides
reasonable
recommendations to management, whose experience may be enhanced and
improved by
the auditor's objective input from other corporations or industries. It is not to be
confused with
the much narrower field of IT audit. This book has been deliberately restricted to
business
continuity rather than IT continuity to highlight the all-important differences between
the two.

“The contents have been arranged around the Business Continuity Institute (BCI) /
Disaster
Recovery Institute International (DRII) Professional Practices for business
continuity as well
as other standards such as CobIT or ISO / IEC 17799. Some elements may look
familiar to
the experienced auditor who may still benefit from using this book as a reference
manual or
as an instructive tool for groups of auditors. This is intentional, as BCM and related
audit
questions should "fit in" with tools and models that are recognized and proven in
the field.”

- - - - - - - -
-

EXCERPT: HOW TO USE THIS BOOK

“This book is a toolset to assist you in planning, conducting and documenting a
review of the
business continuity management (BCM) process within a company or institution. It
is
structured in three main sections. The first part explains how to plan an audit from
beginning
to end. The second part contains a full audit program that you may use at varying
levels of
detail to support your audit strategy and plan. The third part contains samples of
an audit
report and selected work papers to help you put the plan and program into
practice.

“If you are a financial auditor, or an internal auditor tasked with reviewing business
continuity,
this may be a new field to you. Likewise, if you are a business continuity manager
who has
been assigned the task of being an auditor, this is a new way of looking at BCM,
rather than
implementing it. Chapter 1 explains the concepts of BCM and audit seen together.
It shows
how to formulate the framework and scope of a BCM audit, how to define audit
plans and
how to write a clear and concise audit program that management and other
stakeholders will
understand and buy into.

“As an auditor, you are managing the practical phase of a BCM review. Chapter 2
explains
how to schedule the review, how to estimate time and effort, and how to streamline
the
process of formal audit steps. Known difficulties and pitfalls, many of them unique
to BCM,
are explained in detail. Even if you are a seasoned audit professional, this chapter
may help
you in identifying typical problems associated with reviewing a complex process
and
interacting with a wide range of managerial and technical responders. As a
business
continuity manager, Chapter 2 may help you understand the challenges presented
by
reviewing the BCM concepts without actually managing them yourself.

“Chapter 3 outlines methods of analysis that you can use to arrive at a
well-founded audit
opinion. As a financial or internal auditor, this chapter will allow you to evaluate
your findings
and to avoid time-consuming detail when reviewing the BCM process. As a
business
continuity manager, you will find Chapter 3 a useful tool for looking at any given
part of a BCM
process and for comparing findings against your own experience and best
practices.

“The success of your work as a BCM auditor depends on clear, concise audit
reports that are
easily understood by management. Chapter 4 explains how audit reports are
structured,
written and presented to your stakeholders. In this chapter, you will find samples
and
templates ranging from small, detailed reports to a large set of reports designed for
an
international BCM audit.

“Section 2 is a standardized audit program divided into work areas. You will find
detailed
audit questions covering all aspects of business continuity management. In the
course of your
BCM audit, you can use parts or the whole of the standardized questions for your
audit plan
and program. The standardized audit program is designed to give you additional
information
on risk ratings, recognized standards and additional materials that you may use to
understand each item, as well as to communicate it to audit teams or the auditee
organization.

“For each item within the standardized audit program, the legal, regulatory and
technical
background is explained in detail. Detailed audit steps have been included for each
question
to give you indications as to the time and effort required during the audit.
Suggested
standard wordings for findings and recommendations have also been included.

“Work area 11 contains detailed audit instructions for some national jurisdictions
where
different rules may apply. You can use these to guide your audit teams, and to find
out what
materials you may need to understand and evaluate when reviewing BCM abroad.
The
national parts of area 11 include the Central and Eastern European world to give
you an
overview of what to look for even if a foreign language is used.

“Work area 12 will support you when reviewing typical BCM software tools. You will
find useful
hints and technical references to give you quick access to typical problems and
difficulties
that may constitute important audit findings.

“Section 3 contains a sample audit report that is based on the examples used in
Section 1.
Selected work papers have been added to provide an indication as to the ways in
which you
might use the standardized audit program.

“Depending on your previous experience with audit and BCM, you can use this
book as a
reference work or as a step-by-step guide for hands-on project work. However, it is
not a
"one-size-fits-all" guide along the lines of "BCM-in-a-box for $ 9.99." Whether you
are a
novice auditor or a seasoned BCM professional, it is likely that you will use the
book in
different ways.”

- - - - - - - -
-

TABLE OF CONTENTS

FOREWORD
PREFACE
INTRODUCTION
HOW TO USE THIS BOOK

SECTION I: AUDIT GUIDELINES FOR BUSINESS CONTINUITY
MANAGEMENT
1 AUDIT FRAMEWORK, SCOPE AND PLANNING
Introduction
Audit Framework
Audit Scope
Audit Areas (Modules) and Planning
Example of Audit Framework, Scope and Planning Statement
Example of Individual Audit Program
SUMMARY

2 CONDUCTING THE AUDIT
Scheduling and Administration
Example of Interview Schedule and Administration
Interview Contents
Example of Interview Guidelines
Example of BCM Questionnaire
Pitfalls and Known Difficulties
SUMMARY

3 ANALYSIS
Summarizing Interview Results
Example of Interview Series Summaries
Example of Gap Analysis
Documentation66
Methods
Analytical Example
Applying the Standardized Program
SUMMARY

4 REPORTING GUIDELINES
Structuring Report Contents
Example of Overall Report Structure
Miscellaneous Reporting Issues
Applying the Standardized Audit Program
SUMMARY

SECTION II: STANDARDIZED AUDIT PROGRAM
1 PROJECT INITIATION AND MANAGEMENT
1.1 Scope, Objectives and Format
1.2 Organizational BCM Integration
1.3 Financial Planning and BCM Budget
OVERVIEW CHAPTER 1 AUDIT ITEMS

2. RISK MANAGEMENT AND EVALUATION
2.1 Risk Identification, Loss Potentials, Vulnerabilities
2.2 Risk Analysis Methodologies and Tools
2.3 Risk Evaluation and Control
OVERVIEW CHAPTER 2 AUDIT ITEMS

3 BUSINESS IMPACT ANALYSIS ACTIVITIES
3.1 A comprehensive business impact analysis has been performed.
3.2 A list of prioritized business processes exists.
3.3 All vendors, suppliers, and third-party companies that are relied upon have
a
business continuity plan.
3.4 An adequate level of business interruption insurance is established.
3.5 Business process interdependencies are defined.
3.6 Maximum tolerable downtimes (MTDs) are established on the basis of
financial
and operational impacts of a disruption to normal business operations.
3.7 Maximum times in alternative operations (MTAs) for all business
processes are
defined and documented.
OVERVIEW CHAPTER 3 AUDIT ITEMS

4 EMERGENCY RESPONSE AND OPERATIONS
4.1 Command and Control
4.2 Response Steps
OVERVIEW CHAPTER 4 AUDIT ITEMS

5 BCM STRATEGY
5.1 Strategy Requirements
5.2 BIA Alignment
5.3 Outsourcing / Insourcing Issues
5.4 Enterprise-wide Strategy
OVERVIEW CHAPTER 5 AUDIT ITEMS

6 DETAILED BUSINESS CONTINUITY PLANNING
6.1 Plan Development Requirements
6.2 Recovery Management and Control Requirements
6.3 Format and Structure of Plan Components
6.4 Operational Planning
6.5 Detailed Implementation
6.6 Plan Distribution and Control
OVERVIEW CHAPTER 6 AUDIT ITEMS

7 TRAINING AND AWARENESS
7.1 Business Continuity Awareness
7.2 BCM Training and Awareness
OVERVIEW CHAPTER 7 AUDIT ITEMS

8 MAINTENANCE AND EXERCISE
8.1 Plan Testing
8.2 Plan Maintenance
OVERVIEW CHAPTER 8 AUDIT ITEMS

9 PUBLIC RELATIONS AND COMMUNICATIONS
9.1 Public Relations
9.2 Crisis Communications
OVERVIEW CHAPTER 9 AUDIT ITEMS

10 COORDINATION WITH PUBLIC AUTHORITIES
10. 1 Regulatory Framework
10.2 Coordination with Disaster Recovery and Business Continuity Agencies
OVERVIEW CHAPTER 10 AUDIT ITEMS

11. COUNTRY-SPECIFIC ISSUES
11.1 Germany
11.2 Australia, New Zealand
11.3 Austria
11.4 Italy and Greece
11.5 United States and Canadian Standards on BCM and Risk Management
OVERVIEW CHAPTER 11 AUDIT ITEMS

12. SOFTWARE-BASED PLANNING
12.1 General Status
12.2 Technical Status
12.3 Software Functionality
OVERVIEW CHAPTER 12 AUDIT ITEMS

APPENDIX A: SAMPLE AUDIT REPORT (FORMATTED)

APPENDIX B: SAMPLE WORK PAPERS (FORMATTED)
Sample 1: Audit Item from Area 1 (Project Initiation and Management)
Sample 2: Audit Item from Area 2 (Risk Evaluation and Control)
Sample 3: Audit Item (complex) from Area 6 (Detailed Planning)
Sample 4: Audit Item (complex) from Area 7 (Training and Awareness)

BIBLIOGRAPHY
ABOUT THE AUTHOR
ABOUT THE PUBLISHER

- - - - - - - -
-

ABOUT THE AUTHOR

Rolf von Roessing is head of eSecurity Services and head of BCM for Austria,
Croatia,
Slovakia, Slovenia for Ernst & Young Vienna. He has extensive experience in
business
continuity management, information security and traditional security. He has
worked with
Ernst & Young in several European and global offices, including specialist
assignments such
as Y2K subject matter expert and active participation in several global core teams
for
business continuity. His current position includes BCM and security-related
responsibilities,
and he heads these service lines for Austria and several other countries.

Rolf is a board member of the Business Continuity Institute (BCI) and holds an
MBCI
certification. He is an active participant of the Institute's education committee,
working
towards integration of BCM best practices and tertiary education programs. These
developments include the consolidation and publication of BCM knowledge,
academic and
research work.

In Austria, Rolf has contributed to several standardization and codification
initiatives, notably
the ISO 17799 introduction as a common standard throughout the country. He
frequently
supervises security-related certification examinations and has presented various
lectures
and training courses on business continuity management in a European context.

Rolf holds postgraduate degrees in Britain, France and Germany, as well as the
CISA
(Certified Information Systems Auditor) and CISSP (Certified Information Systems
Security
Professional) professional certifications. "Auditing Business Continuity: Global
Best
Practices" is his first major book, following a solid background of academic
publications and
professional papers.

2002, 306 pages.

- - - - - - - -
-
ORDER #DR725
- - - - - - - -
-

The Binomial Bookstore

Business Continuity & Disaster Recovery

Rothstein Associates Inc.