How to Use Business Continuity Standards to Write Policies – Part 2
In the second part of this article we offer examples of how standards language can be transformed into policy.
Hopefully in Part 1 we convinced you that using standards and legislation for policymaking is a good idea. Now let’s look at how we can transform standards into policies. In the following examples we take excerpts from BS 25999 and ISO/IEC 24762 and rewrite them into a policy format.
Standard: BS 25999-Part 2, Section 4.3.3.1 – The organization shall have documented plans that detail how the organization will manage an incident and how it will recover or maintain its activities to a predetermined level in the event of a disruption.
Policy: It is the policy of ABC Company to have documented plans that detail how the company will manage an incident and how it will recover or maintain business operations to an acceptable level in the event of a disaster.
Standard: BS 25999-Part 2, Section 5.2.1.1 – Management shall review the organization’s BC Management System at planned intervals and when significant changes occur to ensure its continuing suitability, adequacy and effectiveness.
Policy: The Business Continuity Steering Committee will schedule a review of the business continuity program twice annually, and will also review and update the program when operational changes occur that impact the program.
Standard: ISO/IEC 24762, Section 1.1 – This International Standard describes the basic practices which Information and Communications Technology (ICT) DR service providers, both in-house and outsourced, should consider. It covers the requirements that service providers should meet, recognizing that individual organizations may have additional requirements that are specific to them (which would have to be addressed in the agreements/contracts with service providers).
Policy: ABC Company’s policy for the provision of disaster recovery services for information technology and telecommunications is that all service providers, whether internal or third-party organizations, shall adhere to the standards and requirements developed and approved by the company.
Standard: ISO/IEC 24762, Section 5.1 – Information and Communications Technology (ICT) DR service provision, irrespective of whether it is provided in-house or outsourced, should follow best practice guidelines as outlined in the following clauses. If the guidelines are followed there will be assurance that ICT DR services have been implemented after due consideration of unforeseen events that could affect the ability to fulfill service obligations, and related risk mitigation via prior arrangements with other service providers in the industry.
Policy: All IT disaster recovery service providers must follow best practice guidelines as defined by the company.
Standard: ISO/IEC 24761, Section 7.1 – Outsourced Information and Communications Technology (ICT) DR service providers should provide the basic service capabilities required by organizations. This includes having qualified staff, the capacity to support simultaneous invocations of DR plans by different organizations, all capabilities and services offered to organizations audited on a regular basis, and their own fully documented and tested business continuity, including disaster recovery, plans in place.
Policy: Third-party disaster recovery service providers must provide evidence of the following, as a minimum:
- Basic service capabilities as required by ABC Company;
- Qualified and trained staff;
- Capacity to support simultaneous invocations of DR plans by different organizations;
- Auditing of capabilities and services being offered to customers on a regular basis; and
- Fully documented and tested business continuity and disaster recovery plans in place.
Tags: business continuity policymaking, Business continuity standards, Standards