Business Continuity Planning
Provide stakeholders throughout the organization with security advice to assist in the analysis of incidents and to ensure that data is secure before, during, and after the execution of the business continuity plan.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Business Continuity Planning at each level of maturity.
- 1 Initial
- Practice
- Develop business continuity advice and expertise at a local level for identified high priority security-related events.
- Outcome
- Business continuity advice is available for a selected set of high priority security-related events.
- Metric
- # High priority security-related events addressed. # High priority security-related events not addressed.
- 2 Basic
- Practice
- Provide advice on security risks to business continuity planning as requested. Build resilience into the most critical systems.
- Outcome
- Business continuity plans include consideration of security risks and incidents.
- Metric
- # Specific business continuity issues for which advice has been provided. # Outstanding requests for advice. ~ Timeliness of responses.
- 3 Intermediate
- Practice
- Develop, and agree with the business, a business continuity plan that addresses security-related backups, archival and systems recovery. Test business continuity plan security features. Implement security-related business continuity plans in high priority business units.
- Outcome
- Business continuity advice and contributions are implemented in business continuity plans. Backups and archives are managed so that business recovery priorities can be handled securely. Business continuity plans are security tested and revised based on any issues the tests identify.
- Metric
- # Business units covered by the agreed business continuity plan. # Business recovery plan elements untested in last year. # Business units that have not implemented business continuity plan features.
- 4 Advanced
- Practice
- Take an organization-wide view when planning backups, archival and systems recovery for specified business continuity risks. Test, review and regularly improve recovery processes, tools and practices.
- Outcome
- Organization-level priorities are managed and costs are optimized at an organization level, yielding better financial results. Recovery processes are incrementally improving.
- Metric
- % Restorations within service level agreement limits. ~ Variances in timeliness around service level agreement specified time limits.
- 5 Optimized
- Practice
- Regularly test the security features of the business continuity plan. Implement improvements and/or corrections for any security issues or problems encountered in testing.
- Outcome
- Issues identified in business recovery testing are regularly corrected. Backup, archival and systems recovery processes show evidence of continuing improvement.
- Metric
- # Time since last test. # Outstanding change recommendations from last test. # Improvements identified in recent tests.