Business Continuity Planning (BCP) Review
1.1 Linkage to ISACA Standards
1.1.1 Standard 060.020 (Evidence) states, "During the course of the audit, the Information Systems Auditor is to obtain sufficient, reliable, relevant and useful evidence to achieve the audit objectives effectively. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence."
1.2 Linkage to COBIT
1.2.1 COBIT Framework states, "It is management's responsibility to safeguard all the assets of the enterprise. To discharge this responsibility, as well as to achieve its expectations, management must establish an adequate system of internal control." The COBIT Framework provides high-level controls for each of the 34 IT processes.
1.2.2 COBIT Control Objectives provides specific, detailed control objectives associated with each IT process and aligns the overall framework with detailed control objectives. Control Objectives contains statements of the desired results or purposes to be achieved by implementing specific control procedures within an IT activity and, thereby, provides a clear policy and good practice for IT control.
1.2.3 COBIT Management Guidelines provides a management-oriented framework for continuous and proactive control self-assessment specifically focused on:
- Performance measurement—How well is the IT function supporting business requirements?
- IT control profiling—What IT processes are important? What are the critical success factors for control?
- Awareness—What are the risks of not achieving the objectives?
- Benchmarking—What do others do? How can results be measured and compared?
1.2.4 Management Guidelines provides example metrics enabling assessment of IT performance in business terms. The key goal indicators identify and measure outcomes of IT processes and the key performance indicators assess how well the processes are performing by measuring the enablers of the process. Maturity models and maturity attributes provide for capability assessments and benchmarking, helping management to measure control capability and to identify control gaps and strategies for improvement.
1.2.5 COBIT provides a detailed set of controls and control techniques for the information systems management environment. Selection of the most relevant material in COBIT as applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes, control objectives, associated management control practices and consideration of relevant COBIT information criteria.
1.2.6 High-level control objective DS4 (Ensure Continuous Service) states, "…ensuring continuous service to make sure IT services are available as required and to ensure a minimum business impact in the event of a major disruption."
1.2.7 Refer to the COBIT reference in the appendix for the specific objectives or processes of COBIT that should be considered when reviewing the area addressed by this guidance.
1.3 Need for Guideline
1.3.1 The primary objective of BCP is to protect the organisation in the event that all or part of its operations and/or information systems services are rendered unusable and aid the organisation to recover from the effect of such events.
1.3.2 The purpose of this guideline is to describe the recommended practices in performing a business continuity plan (BCP) review.
1.3.3 The purpose of a BCP review is to identify, document, test and evaluate the controls and the associated risks relating to the process of BCP as implemented in an organisation to achieve relevant control objectives.
1.3.4 These control objectives can be primary, directly related to BCP, and secondary, indirectly related to BCP.
1.3.5 This guideline provides guidance in applying IS auditing standard 060.020 (Evidence) to obtain sufficient, reliable, relevant and useful evidence during review of the business continuity plan. The IS auditor should consider it in determining how to achieve implementation of the above standard, use professional judgment in its application and be prepared to justify any departure.
1.4 Guideline Application
1.4.1 This guideline is applied when conducting a review of BCP in an organisation.
1.4.2 When applying this guideline, the IS auditor should consider its guidance in relation to other relevant ISACA standards and guidelines.
2. BUSINESS CONTINUITY PLAN (BCP)
- Business continuity plan (BCP)
- Business impact analysis (BIA)
- Disaster recovery plan (DRP)
2.2 Definition and Introduction
2.2.1 Business continuity plan (BCP) refers to the process of developing advance arrangements and procedures that enable an organisation to respond to an event in such a manner that critical business functions continue with planned levels of interruption or essential change. In simpler terms, BCP is the act of proactively strategising a method to prevent, if possible, and manage the consequences of a disaster, limiting the consequences to the extent that a business can absorb the impact.
2.2.2 The primary objective of BCP is to protect the organisation in the event that all or part of its operations and/or information systems services are rendered unusable, and aid the organisation to recover from the effect of such events.
2.2.3 The term BCP refers to the complete process of business continuity planning; it includes, inter alia, business, technological, human and regulatory aspects.
2.2.4 The BCP defines the roles and responsibilities and identifies the critical information technology application programs, operating systems, networks, personnel, facilities, data files, hardware and time frames needed to assure high availability and system reliability based on the business impact analysis. A BCP is a comprehensive statement of consistent actions to be taken before, during and after a disaster. Ideally, BCP enables a business to continue operations in the event of a disruption and to survive a disastrous interruption to critical information systems.
2.3.1 BCP is a self-sustaining executable recovery process that assures the reintegration of procedures, applications, operations, systems, networks and facilities that are critical to resumption of business. BCP components include the following:
- Prevention—Prevent or minimise the probability of the incident.
- Detection—Identify the circumstances under which the organisation determines that it is entering contingency status.
- Declaration—Specify the conditions on which contingency is declared and identify the person(s) who can declare it.
- Escalation—Specify the conditions on which contingency is escalated and identify the person(s) and order of escalation in the event of contingency.
- Containment—Specify the immediate action required to contain or minimise the effect of the incident on customers, suppliers, service providers, stakeholders, employees, assets, public affairs and the business process.
- Implementation—Specify the complete list of actions to be followed to declare contingency status (such as offsite processing, backup recovery, offsite media and manuals, employee transportation, and distribution and provider contracts).
- Recovery—Disaster recovery plan (DRP), a key component of BCP, refers to the technological aspect of the plan, while BCP addresses the overall operational and business aspect. It highlights the advance planning and preparations which are necessary to minimise adverse business impact (such as financial loss and image damage), facilitate faster recovery and ensure continuity of the critical business functions of an organisation within an acceptable time frame in the event of disaster. The key aspects to be reviewed are:
  - Resumption—Resumption of critical and time-sensitive processes immediately after the interruption and before the declared mean time between failures (MTBF). At this stage, not all operations are fully recovered.
  - Revival—Revival of vital and less time-sensitive processes, which is related to the resumption of the critical processes.
  - Restoration—Repairing and restoring the site to its original status so that business operations are resumed in totality, or putting a completely new site in place.
- Crisis management—The overall coordination of the organisation's response to a crisis in an effective, timely manner, with the goal of avoiding or minimising damage to the organisation's profitability, reputation or ability to operate.
2.3.2 An essential element of BCP is risk assessment, which involves the task of identifying and analysing the potential vulnerabilities and threats, including their sources. A risk-benefit analysis, the outcome of the risk assessment, elaborates the potential threats and the related anticipated exposure together with the contingency and mitigation action required, and concludes with the benefits arising out of covering the risks.
2.3.3 Risk assessment followed by a BIA must be performed to assess the overall financial exposures and operational effects due to a disruption in business activities. The BIA should identify and prioritise the critical business processes supported by the IS infrastructure including, but not limited to, cost-benefit analysis of controls in different disruption scenarios.
2.3.4 DRP, a key component of BCP, refers to the technological aspect of BCP; the advance planning and preparations necessary to minimise loss and ensure continuity of critical business functions in the event of a disaster. DRP comprises consistent actions to be undertaken prior to, during and subsequent to a disaster.
2.3.5 A sound DRP should be built up from a comprehensive planning process, involving all of the enterprise. In today's interconnected economy, organisations are more vulnerable than ever to the possibility of technical difficulties disrupting business. Any disaster, from floods or fire to viruses and cyber terrorism, can affect the availability, integrity and confidentiality of information that is critical to business. Disaster recovery strategies include the use of alternate sites (hot, warm and cold sites), redundant data centres, reciprocal agreements, telecommunication links, disaster insurance, business impact analyses and legal liabilities. Disaster scenarios should be categorised based on the severity of effect, and the DRP should address these various levels of severity.
2.3.6 The BCP must emphasise the following key points:
- Provide management with a comprehensive understanding of the adverse effect on business due to disruption of normal systems processing, and the total effort required to develop and maintain an effective BCP.
- Obtain commitment from appropriate management to support and participate in the effort.
- Select project teams in accordance with technological and business environments to provide reasonable assurance of a proper balance to develop the plan.
- Identify critical information resources related to core business processes.
- Identify methods to maintain the confidentiality and integrity of data.
- Assess each business process to determine its criticality. Indications of criticality include:
  - The process supports lives or people's health and safety.
  - The process is required to meet legal or statutory requirements.
  - Disruption of the process would affect revenue.
  - Disruption of the process would potentially affect business reputation, including that of the customers.
- Focus appropriately on disaster prevention and effect minimisation, as well as orderly recovery.
- Document the effect of an extended loss to operations and key business functions.
- Highlight the relevant cost-benefit analysis considered.
- Clearly identify the conditions that activate the contingency plan.
- Clearly identify which resources will be available in a contingency stage and the order in which they will be recovered.
- Identify the enablers of recovery and alternatives thereof.
- Identify the methods of communication between enablers, support staff and employees.
- Identify geographical conditions related to the recovery of operations.
- Define recovery requirements from the perspective of business functions.
- Ensure the BCP is understandable, easy to use and easy to maintain.
- Define how BCP considerations must be integrated into ongoing business planning and system development processes for the plan to remain viable over time.
- Implement a process for periodic review of its continuing suitability as well as timely updating of the document, specifically when there are changes in technology and processes, legal or business requirements. The BCP strategies may also be modified based upon results of risk assessments and vulnerability assessments.
- Develop a comprehensive BCP testing approach.
- Implement a process of change management and appropriate version controls to facilitate maintainability.
- Identify mechanisms and decision maker(s) for changing recovery priorities resulting from additional or reduced resources as compared to the original plan.
- Document formal training approaches.
3.1 Professional Independence
3.1.1 Where the IS auditor has been involved previously in the design, development, implementation or maintenance of any process related to BCP in an organisation and is assigned to an audit engagement, the independence of the IS auditor may be impaired. In the event of any possible conflict of interest, the same should be explicitly communicated to the organisation and the organisation's concurrence should be obtained in writing before accepting the assignment. The IS auditor should refer to appropriate guidelines to deal with such circumstances.
4.1 Skills and Knowledge
4.1.1 The IS auditor should provide reasonable assurance that the auditor has the required knowledge and skill to carry out the review of the BCP and its components.
4.1.2 The IS auditor should be competent to determine whether the BCP is in line with the organisation's needs.
4.1.3 The IS auditor should have adequate knowledge to review the aspects related to the BCP. Where expert inputs are necessary, appropriate inputs should be obtained from external professional resources. The fact that external expert resources would be used should be communicated to the organisation in writing.
4.1.4 As BCP review is essentially enterprise-specific, and in order that the review is effective, the IS auditor must, at the outset, gain an overall understanding of the business environment, which includes understanding the organisation's mission, business objectives, relevant business processes, the information requirements for those processes, and the strategic value of IS and the extent to which it is aligned with the overall strategy of the enterprise/organisation.
4.1.5 The IS auditor should undertake the development of a BCP or policies, testing and recovery plans, only if the IS auditor has the necessary knowledge, competence, skills and resources.
5.1 Scope and Objectives of the Review
5.1.1 The IS auditor should, in consultation with the organisation and where appropriate, clearly define the scope and objective of the review of the BCP. The aspects to be covered by the review should be explicitly stated as part of the scope.
5.1.2 For the purpose of the review, the stakeholders in the solution, and recipients of the report should also be identified and agreed upon with the organisation.
5.2.1 The IS auditor should formulate the audit approach in such a way that the scope and objectives of the review could be fulfilled in an objective and professional manner.
5.2.3 The approach should consider that BCP development, maintenance and activation are team efforts, and review should include discussions with user groups.
5.2.4 The approach should be appropriately documented and identify requirements of external expert inputs.
5.2.5 Critical areas such as prioritisation of business processes and results of risk assessment should be a collective exercise to provide reasonable assurance that the plan is effectively implemented as required.
5.2.6 Depending on the organisational practices, the IS auditor may obtain the concurrence of the organisation for the BCP audit plan and approach.
6. PERFORMANCE OF BCP REVIEW
6.1.1 The aspects to be reviewed and the review process should be decided, taking into account the intended scope and objective of the review as well as the approach defined as part of the planning process.
6.1.2 In general, study of available documentation (such as BCP, BIA, business risk analysis and enterprise risk management framework) should be used appropriately in gathering, analysing and interpreting the data.
6.1.3 Main areas of risk of a BCP should include previously detected BCP weaknesses and changes introduced to the systems environment (such as applications, equipment, communications, process and people) since the last BCP test.
6.1.4 To identify any problems relating to the BCP which have been noted previously and which may require follow-up, the IS auditor should review the following documents:
- Incident reports
- Previous examination reports
- Follow-up activities
- Audit workpapers from previous examinations
- Internal and external audit reports
- Internal test reports and remedial action plan
- Published industry information and references
6.1.5 To identify changes to the systems environment, the IS auditor should interview organisation personnel and service providers, as well as analyse spending records and reports, inspect IT premises, review hardware and software inventories, and use specialised software to analyse technical data.
6.1.6 Where necessary and agreed with the organisation, external expert inputs could be used suitably in the collection, analysis and interpretation of the data.
6.1.7 In reviewing the results of a BCP test, the IS auditor should, at a minimum, obtain an understanding of:
- Test scope and objectives
- Frequency, methodology and revisions to test plan
- Type, appropriateness and sufficiency of tests
- Volume of data
- Business areas
- Network rerouting
- System vulnerability, penetration and incident response
- Change, configuration and patch management
- Audit evidence criteria and requirements
- Test effectiveness and its relation to risk assessment and business impact conclusions
6.1.8 In reviewing a post-event scenario, the IS auditor should obtain an understanding of:
- The cause and nature of disruption
- Extent of damage to personnel, infrastructure and equipment
- Mitigation exercises underway
- Services affected
- Records damaged
- Salvageable items
- Items that can be repaired, restored and/or replaced
- Insurance claims
- Effect of the disruption
- Time to restore the entire business process
- Action plan, restoration teams, roles and responsibilities
6.1.9 The inferences and recommendations should be based on an objective analysis and interpretation of the data.
6.1.10 Appropriate audit trails should be maintained for the data gathered, analysis made and inferences arrived at, as well as corrective actions recommended.
6.1.11 The observations and recommendations should be validated with the organisation as appropriate before finalising the report.
6.2 Aspects to Review
6.2.1 Typically, the BCP should address the following key issues:
- Why should it be done?
- How should it be done?
- Who needs to do it?
- What needs to be done?
- When should it be done?
- Where should it be done?
- By what means?
- Within what time frames?
- Using what resources?
- Under what policies, rules and standards?
- Who can change the plan and under what circumstances?
- Under what conditions is a disaster declared "over"?
6.2.2 Organisational aspects should be reviewed to consider whether:
- BCP is consistent with the organisational overall mission, strategic goals and operating plans
- The BCP is updated and current
- The BCP in place is periodically tested, reviewed and verified for continuing suitability
- Budget allocation is available for the BCP testing, implementation and maintenance
- Due diligence and risk analysis are performed
- A formal procedure is in place to regularly update the IT and telecom inventory
- Management and personnel of the organisation have the required skills to apply the BCP and are appropriately trained
- Measures to maintain an appropriate control environment (such as segregation of duties and control access to data and media) are in place in case of contingency
- Enablers and communication channels are identified and properly communicated
- Roles and responsibilities are adequately defined, published and communicated
- Interface and communication among departments/divisions within the organisation is maintained
- Co-ordination with external service providers and customers is maintained
6.2.3 Planning aspects should be reviewed to consider whether:
- A risk assessment and BIA were performed before the BCP implementation
- Risks have been periodically reviewed, and the BIA has been updated for changes in the risks and their corresponding effect on the BCP
- The BIA identifies the recovery time frames of the critical business processes
- The planned information systems technology architecture for the BCP is feasible and will result in safe and sound operations in case of contingency
- There are appropriate incident response plans in place to manage, contain and minimise problems arising from unexpected events, including internal or external events
- BCP teams have been identified as relevant for various BCP tasks, clearly establishing responsibilities, reporting and points of accountability
- A BCP life cycle exists and is followed during development, maintenance and upgrade
- A methodology to determine activities that constitute each process is in place as part of a key business process analysis
- An appropriate schedule is in place for BCP testing and maintenance
- Onsite tests and simulations, including the triggering of an event and assessment of its potential impact, are conducted
- BCP is reviewed at periodic intervals to confirm its continuing suitability to the organisation
6.2.4 Procedural aspects should be reviewed to consider whether:
- Top management is a serious driving force in implementation of the BCP
- Call tree is reviewed, tested and updated periodically
- Service providers' contacts are reviewed, tested and updated periodically
- Resources and their recovery have been prioritised and communicated to the recovery teams
- Safety of employees, personnel and critical resources is maintained
- The people involved in the disaster assessment/recovery process are clearly identified
- Appropriate levels of training are conducted including mock test drills
- Awareness is created across the entire organisation on the effect to the business
- Adequate emergency response procedures are in place and they are tested
- Backup and recovery procedures are part of the BCP
- Appropriate offsite records are maintained
- Confidentiality and integrity of data and information is maintained
- An appropriate backup rotation practice is in place
- Offsite locations are tested for availability and reliability
- Backups are retrievable
- Evacuation plans are in place as part of the BCP and are periodically tested
- Alternative communications strategies are selected
- Backup human resources are identified and available
- Media liaison strategies are in place
- The BCP is periodically tested and test results documented
- Corrective actions are initiated based upon test results
6.3 Outsourcing of IS
6.3.1 Where the organisation has partially or fully delegated some or all of its IS activities to an external provider of such services (the service provider), and this has an effect on the process of BCP, the IS auditor should review whether the service provider's BCP process conforms to the organisation's BCP and to the documented contracts, agreements and regulations; responsibility for business continuity remains with the service user.
6.3.2 The IS auditor should obtain an understanding of the nature, timing and extent of the outsourced services. The IS auditor should establish what controls the service user has put in place to address the business requirement of the organisation's business continuity. The IS auditor should perform the review process as applicable to the organisation and consider relevant guidelines.
7.1 Report Content
7.1.1 The IS auditor should produce reports on the technologies involved in the BCP, the risks assumed, and how those risks are managed in case of a contingency. Monitoring system performance is a key success factor. The report, produced as a result of the BCP review, should include aspects such as:
- The scope, objective, period of coverage, methodology followed and assumptions
- Overall assessment of the solution in terms of key strengths and weaknesses as well as the likely effects of the weaknesses
- Recommendations to overcome the significant weaknesses and to improve the solution
- The extent of compliance with COBIT's control objectives, associated management control practices and COBIT information criteria as relevant, along with the effect of any noncompliance
- Reasonable assurance on BCP process and relevant internal controls to ensure that IT systems can be recovered within an acceptable time frame in event of a disruption. The report should state the conclusions, recommendations, and any reservations or qualifications.
- Recommendations regarding how the experience could be used to improve similar future solutions or initiatives
- Depending on the scope of the assignment, other topics
7.2.1 Weaknesses identified in the BCP review, whether due to lack of controls, poor implementation or non-mitigation of associated risks to agreeable levels, should be brought to the attention of the business process owner and to the IS management responsible for the implementation of the BCP process. Where weaknesses identified during the BCP review are considered to be significant or material, the appropriate level of management should be advised to undertake immediate corrective action.
7.2.2 Since effective BCP controls are dependent on the business continuity planning process and related controls, weaknesses in the related controls should also be reported.
7.2.3 The IS auditor should include appropriate recommendations in the report to strengthen controls so as to mitigate the associated risks.
8. FOLLOW-UP ACTIVITIES
8.1.1 The effects of any weaknesses in the BCP are ordinarily wide-ranging and high-risk. Therefore, the IS auditor should, where appropriate, carry out sufficient, timely follow-up work to verify that management action to address weaknesses is taken promptly.
8.2.1 To provide reasonable assurance of the effectiveness of the review, the IS auditor should conduct a follow-up review to oversee that the recommendations have been carried out and verify the effectiveness of corrective measures implemented.
9. EFFECTIVE DATE
9.1 This guideline is effective for all information systems audits beginning on or after 1 September 2004. A full glossary of terms can be found on the ISACA web site at www.isaca.org/glossary.
Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IS processes and consideration of COBIT's control objectives and associated management practices. In a BCP review, the processes in COBIT likely to be the most relevant selected and adapted are classified below as primary and secondary. The process and control objectives to be selected and adapted may vary depending on the specific scope and terms of reference of the assignment.
- PO8—Ensure compliance with external requirements
- PO9—Assess risk
- AI6—Manage changes
- DS4—Ensure continuous service
- DS11—Manage data
- DS12—Manage facilities
- DS13—Manage operations
- DS2—Manage third-party services
- DS5—Ensure systems security
- DS6—Identify and allocate costs
- DS10—Manage problems and incidents
- M1—Monitoring the process
The information criteria most relevant to a BCP review are:
- Primary: availability and compliance
- Secondary: confidentiality, integrity and reliability