Module 7: Business Continuity Management
cit.icai.org/ISACourse2.0DVD/7.0_Business_Continuity... · 2014-06-19

Transcript of Module 7: Business Continuity Management

Page 1

7.0 Overview

Module 7: Business Continuity Management

Page 2

Salient features of ISA Course 2.0

• Learning Objectives
• Task Statements
• Knowledge Statements
• Relationship between Task and Knowledge Statements
• Knowledge Statement Reference Guide
• Organisation of Chapters

Page 3

Task Statements

Page 4

Task Statements … 1

7.1 Distinguish between Disaster Recovery Plan, Business Continuity Plan and BCM.

7.2 Evaluate the enterprise business continuity plan to assess the adequacy and capability to continue essential business operations during the period of an IT or non-IT disruption.

7.3 Apply industry best practices and regulatory requirements as relevant for BCM, such as COBIT/ISO, etc.

7.4 Map business continuity management practices to enterprise requirements, objectives and budgets.

7.5 Review the enterprise processes of business resilience in the context of BCM.

Page 5

Task Statements … 2

7.6 Identify the business and operational risks inherent in an entity’s disaster recovery/business continuity plan.

7.7 Assess the process of business impact analysis.

7.8 Identify recovery strategies and their adequacy to meet business needs.

7.9 Assess the impact of RPO/RTO on computer setup and IT service design.

7.10 Assess the adequacy of operations and end-user procedures for managing scheduled and non-scheduled breakdowns and incident management.

Page 6

Task Statements … 3

7.11 Perform various types of tests for different aspects of business continuity.

7.12 Assess the adequacy of documentation and the maintenance process of BCM.

7.13 Assess service level management practices and the components within a service level agreement.

7.14 Review monitoring of third-party compliance with the enterprise controls as relevant to BCM.

7.15 Evaluate the adequacy of BCP processes and practices to confirm that they meet business continuity requirements.

7.16 Evaluate enterprise BCM practices to determine whether they meet enterprise requirements.

Page 7

Knowledge Statements

Page 8

Knowledge Statements … 1

7.1 DRP, BCP and BCM processes and practices and related documentation.

7.2 Industry best practices as relevant, such as COBIT and the ISO standard for BCP/DRP.

7.3 IT deployment in enterprises and business continuity requirements at various levels of IT such as hardware, network, system software, database software, application software, data, facilities, human resources, etc.

Page 9

Knowledge Statements … 2

7.4 System resiliency tools and techniques (e.g., fault tolerant hardware, elimination of single points of failure, clustering, etc.).

7.5 Business impact analysis (BIA) related to disaster recovery planning.

7.6 Development and maintenance of BCM, BCP and DRP.

7.7 Problem and incident management practices (e.g., help desk, escalation procedures, tracking).

Page 10

Knowledge Statements … 3

7.8 Analyzing SLA reports and relevant provisions.

7.9 Backup & Recovery strategies, Recovery Window, RPO and RTO.

7.10 Data backup, storage, maintenance, retention and restoration practices.

7.11 Regulatory, legal, contractual and insurance issues related to BCM.

Page 11

Knowledge Statements … 4

7.12 Types of alternate processing sites and methods (e.g., near site, hot sites, warm sites, cold sites).

7.13 Processes used to invoke the disaster recovery plans and BCP as relevant.

7.14 Testing methods for DRP/BCP and BCM.

7.15 Auditing the BCP-DRP plans and participation in drills.

Page 12

Task and Knowledge Statements Mapping

Page 13

Task and Knowledge Statements Mapping

| Task Statements | Knowledge Statements |
| --- | --- |
| 7.1 Distinguish between Disaster Recovery Plan, Business Continuity Plan and BCM and related documentation. | 7.1 DRP, BCP and BCM processes and practices. |
| 7.2 Evaluate the organisation business continuity plan to assess the adequacy and capability to continue essential business operations during the period of an IT or non-IT disruption. | 7.2 Industry best practices as relevant, such as COBIT and the ISO standard for BCP/DRP; 7.3 IT deployment in organisations and business continuity requirements at various levels of IT such as hardware, network, system software, database software, application software, data, facilities, HR, etc. |

Page 14

Task and Knowledge Statements Mapping

| Task Statements | Knowledge Statements |
| --- | --- |
| 7.3 Apply industry best practices and regulatory requirements as relevant for BCM, such as COBIT/ISO. | 7.2 Industry best practices as relevant, such as COBIT and the ISO standard for BCP/DRP. |
| 7.4 Map business continuity management practices to organisation requirements, objectives and budgets. | 7.4 System resiliency tools and techniques (e.g., fault tolerant hardware, elimination of single points of failure, etc.); 7.6 Development and maintenance of BCM, BCP and DRP; 7.5 Business impact analysis (BIA) related to disaster recovery planning. |

Page 15

Task and Knowledge Statements Mapping

| Task Statements | Knowledge Statements |
| --- | --- |
| 7.5 Review the organisation processes of business resilience in the context of BCM. | 7.5 Business impact analysis (BIA) related to disaster recovery planning. |
| 7.6 Identify the business and operational risks inherent in an entity’s disaster recovery/business continuity plan. | 7.5 Business impact analysis (BIA) related to disaster recovery planning; 7.6 Development and maintenance of BCM, BCP and DRP. |
| 7.7 Assess the process of Business Impact Analysis. | 7.5 Business Impact Analysis (BIA) related to disaster recovery planning. |
| 7.8 Identify recovery strategies and their adequacy to meet business needs. | 7.6 Development and maintenance of BCM, BCP and DRP; 7.7 Problem and incident management practices (e.g., help desk, escalation procedures, tracking); 7.15 BCM documentation and maintenance processes and procedures. |

Page 16

Task and Knowledge Statements Mapping

| Task Statements | Knowledge Statements |
| --- | --- |
| 7.9 Assess the impact of RPO/RTO on computer setup and IT service design. | 7.9 Backup & Recovery strategies, Recovery Window, RPO and RTO; 7.10 Data backup, storage, maintenance, retention and restoration practices. |
| 7.10 Assess the adequacy of operations and end-user procedures for managing disruptions and incident management. | 7.13 Processes used to invoke the disaster recovery plans and BCP as relevant; 7.9 Backup & Recovery strategies, Recovery Window, RPO and RTO. |
| 7.11 Perform various types of tests for different aspects of business continuity. | 7.14 Testing methods for DRP/BCP and BCM; 7.16 Auditing the BCP-DRP plans and participation in drills. |
| 7.12 Assess the adequacy of documentation and the maintenance process of BCM. | 7.1 BCM, BCP, DRP and related documentation; 7.10 Data backup, storage, maintenance, retention and restoration practices. |

Page 17

Task and Knowledge Statements Mapping

| Task Statements | Knowledge Statements |
| --- | --- |
| 7.13 Assess service level management practices and the components within a service level agreement. | 7.8 Identifying recovery strategies and their adequacy to meet business needs. |
| 7.14 Review monitoring of third-party compliance with the organisation controls as relevant to BCM. | 7.11 Regulatory, legal, contractual and insurance issues related to BCM. |

Page 18

Task and Knowledge Statements Mapping

| Task Statements | Knowledge Statements |
| --- | --- |
| 7.15 Evaluate the adequacy of BCP processes and practices to confirm that they meet business continuity requirements. | 7.9 Backup & Recovery strategies, Recovery Window, RPO and RTO; 7.10 Data backup, storage, maintenance, retention and restoration practices; 7.12 Types of alternate processing sites and methods (e.g., near site, hot sites, warm sites, cold sites); 7.1 BCM, BCP, DRP and related documentation. |
| 7.16 Evaluate organisation BCM practices to determine whether they meet organisation requirements. | 7.14 Testing methods for DRP/BCP and BCM; 7.15 Auditing the BCP and DRP plans; 7.13 Processes used to invoke the disaster recovery plans and BCP as relevant. |

Page 19

Knowledge Statement Reference Guide

Page 20

KS 7.1 DRP, BCP, BCM processes and practices and related documentation.

| Key Concepts | Reference |
| --- | --- |
| Understand the difference between the BCP, DRP and BCM processes. | 1.1, 1.2, 1.3 |
| Understand the meaning of disaster and threat. | 1.5, 1.5, 1.7 |
| Understand the objectives of and need for a BCM. | 1.2, 1.3, 1.4 |

Page 21

KS 7.2 Industry best practices as relevant, such as COBIT and the ISO standard for BCP/DRP

| Key Concepts | Reference |
| --- | --- |
| Understand regulatory requirements and guidance on BCP best practices. | 3.3 and 3.4 |
| Understand the guidance given by frameworks to facilitate better BCP. | 3.3 and 3.4 |

Page 22

KS 7.3 IT deployment in organisations and business continuity requirements at various levels of IT such as hardware, network, system software, database software, application software, data, facilities and HR

| Key Concepts | Reference |
| --- | --- |
| Understand the BCP requirements at the various levels of the IT infrastructure and the criticality of the functions of each level. | 1.2, 1.3, 1.4 |

Page 23

KS 7.4 System resiliency tools and techniques (e.g., fault tolerant hardware, elimination of single point of failure, etc.)

| Key Concepts | Reference |
| --- | --- |
| Understand preventive controls that will help in reducing the risk of disasters. | 2.6 and 2.8 |

Page 24

KS 7.5 Business impact analysis (BIA) related to disaster recovery planning

| Key Concepts | Reference |
| --- | --- |
| Understand the BIA as a key driver of the BCP/DR process. | 1.3, 2.2 |

Page 25

KS 7.6 Development and maintenance of BCM, BCP and DRP

| Key Concepts | Reference |
| --- | --- |
| Understand the process for developing a BCP/DRP. | 1.2, 1.3, 1.4, 2.2, 2.4, 2.7 |
| Understand the maintenance process of a BCP/DRP and how to check that the plan remains valid as technologies are updated. | 1.2, 1.3, 1.4, 2.2, 2.4, 2.7 |

Page 26

KS 7.7 Problem and incident management practices (e.g., help desk, escalation procedures, tracking)

| Key Concepts | Reference |
| --- | --- |
| Understand the need for having an Incident Management Process. | 1.2, 1.3, 1.5, 2.2 |

Page 27

KS 7.8 Analyzing SLA reports and relevant provisions

| Key Concepts | Reference |
| --- | --- |
| Understand the meaning of a Service Level Agreement (SLA) and ensure that the services provided by the vendor are on par with the provisions mentioned in the SLA. | 3.2 |

Page 28

KS 7.9 Backup & Recovery strategies, Recovery Window, RPO and RTO

| Key Concepts | Reference |
| --- | --- |
| Understand the backup and recovery strategies and the critical recovery time period. | 2.2, 2.6, 3.2 |

Page 29

KS 7.10 Data backup, storage, maintenance, retention and restoration practices

| Key Concepts | Reference |
| --- | --- |
| Understand the corrective controls for backup, rerun and restoration practices. | 2.6, 3.2, 3.4 |

Page 30

KS 7.11 Regulatory, legal, contractual and insurance issues related to BCM

| Key Concepts | Reference |
| --- | --- |
| Understand the regulatory, legal and contractual issues and compliances related to BCM. | 3.3, 3.4 |
| Understand the types of insurance that are available. | 2.9 |

Page 31

KS 7.12 Types of alternate processing sites and methods (e.g. hot sites, warm sites, cold sites)

| Key Concepts | Reference |
| --- | --- |
| Understand the different types of alternate processing sites and the need for having the correct site. | 2.9 |

Page 32

KS 7.13 Processes used to invoke the disaster recovery plans and BCP as relevant.

| Key Concepts | Reference |
| --- | --- |
| Understand the processes to initiate a DR process for restoration of uptime of IT services when a critical incident occurs. | 2.4, 3.3, 2.9 |
| Understand the process to initiate a BCP following a DR process for complete restoration of core business operations. | 2.4, 3.3, 2.9 |

Page 33

KS 7.14 Testing methods for DRP/BCP and BCM

| Key Concepts | Reference |
| --- | --- |
| Understand the different types of tests for concluding whether the BCP and DR plans are relevant for the entity. | 2.2 |

Page 34

KS 7.15 Auditing the BCP and DRP plans

| Key Concepts | Reference |
| --- | --- |
| Understand the audit of a BCP/DRP plan. | 2.2, 3.3, 3.5 |
| Understand the audit of a test of a BCP/DRP plan. | 2.2, 3.3, 3.5 |

Page 35

Chapter 1: Agenda

Chapter 1: Business Continuity Management, Business Continuity Planning, Disaster Recovery Planning

• Concept of Disaster Recovery Process, Business Continuity Plan and Business Continuity Management.

• Objectives of BCM and BCP.

• Need for BCM at Business Level.

• Need for BCM at various levels of IT Environment.

• Concept of Disaster.

• Phases of disaster.

• Impact of disaster.

Page 36

Chapter 2: Agenda

Chapter 2: Strategies for development of business continuity plan

• Prerequisites in developing a Business Continuity Plan.

• Phase 1 - Business Impact Analysis.

• Phase 2 - Risk Assessment and Methodology of Risk Assessment.

• Phase 3 - Development of BCP.

• Phase 4 - Testing of BCP and DRP.

• Phase 5 - Training and Awareness.

Page 37

Chapter 2: Agenda

Chapter 2: Strategies for development of business continuity plan

• Phase 6 - Maintenance of BCP and DRP.

• Incident Handling and Management.

• Invoking a DR Phase/BCP Phases.

• Documentation - BCP Manual and BCM Policy.

• Data backup, Retention and Restoration practices.

• Backup and Recovery strategies.

• Types of Recovery and Alternative Sites.

• System Resiliency Tools and Techniques.

• Insurance and Types of Insurance.

Page 38

Chapter 3: Agenda

Chapter 3: Audit of Business Continuity plan

• Regulation Requirements.

• Reference to Standards, Frameworks etc.

• Audit of BCP and DRP.

• Services that can be provided by an IS Auditor in BCM.

Page 39

Thank you!

Questions?

Email: [email protected]