Auditing Business Continuity Management Plans
John Silltow
This is an essential guide for those seeking to implement the British Standard on Business Continuity Management, BS 25999.
Business continuity planning is a proactive, management-led incident management programme driven by business requirements. Every organization needs a plan in place to recover its key business processes following an incident – and that plan needs to match the organization.
The role of audit is to assess and evaluate the effectiveness of the activities and functions of an organization against standards, regulations, best practice and organizational objectives; in this case, the organization’s approach to handling risks and business interruptions.
Most audit functions use risk as their basic evaluation tool and look at those risks identified by the business as well as others that audit may consider relevant. This provides audit with a unique insight into how organizations operate and how things may be improved or simplified.
Informed by BS 25999, the British Standard on business continuity – the code of practice (BS 25999-1:2006) and the specification (BS 25999-2:2007) – and also by personal experience and research, Auditing Business Continuity Management Plans is an essential aid to developing a successful business continuity management programme. It is a practical guide to using the insights that an auditor can provide, through scrutiny and advice, to help ensure that the plans decided on by management will achieve their stated objectives.
However, the introduction of business continuity management (BCM) to any organization may force change in the way the organization works and may generate additional risks and impacts that need to be handled sensitively and appropriately.
This handbook will help ease the introduction of BCM using BS 25999 by providing instructions on using internal audits to ensure that the implementation is undertaken in a controlled and managed way.
It does this by introducing and discussing the British Standard BS 25999 in detail and providing the approaches and rationales for conducting internal audits at various stages along the implementation path.
Such internal audits help ensure that the project proceeds properly and quickly and that key stakeholders are involved. In addition, internal audits will recognize and reduce the negative impact of BCM processes and the risks that the organization may face.
The book also introduces the role of the external assessors and explains how internal audits can be used to prepare the way for these external assessments as well as making them quicker and easier to undertake, therefore potentially reducing costs and business impact.
Contents of the book include:
- Introduction
- Overview of business continuity and the role of audit
- Setting the business continuity management policy
- Developing the business continuity programme
- Understanding the organization and its continuity requirements
- Developing the business continuity strategy
- Incident recovery
- The continuity plans
- Exercising and maintaining the continuity plans
- Bringing business continuity into the culture
Appendices
- Certification to BS 25999-2:2007
- Risk
- Certification key risks
- Auditing the business continuity life cycle
- Auditing the project
- Document management
- Gold-silver-bronze command structure
- Business continuity policy statement
- Further reading
About the author
John Silltow, Director, Security Control and Audit Ltd, Devon, UK, has worked extensively in IT, audit and security across the UK and Europe. His experience includes consultancy, training and internal audit reviews of business continuity management systems.
He has authored several books and a number of articles within his subject areas.