IVI Framework Viewer

Business Continuity Planning

E1

Provide stakeholders throughout the organization with security advice to assist in the analysis of incidents and to ensure that data is secure before, during, and after the execution of the business continuity plan.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Business Continuity Planning at each level of maturity.

1 Initial
  • Practice
    Develop business continuity advice and expertise at a local level for identified high priority security-related events.
    Outcome
    Business continuity advice is available for a selected set of high priority security-related events.
    Metric
    # High priority security-related events addressed.
    # High priority security-related events not addressed.
2 Basic
  • Practice
    Provide advice on security risks to business continuity planning as requested. Build resilience into the most critical systems.
    Outcome
    Business continuity plans include consideration of security risks and incidents.
    Metric
    # Specific business continuity issues for which advice has been provided
    # Outstanding requests for advice
    ~ Timeliness of responses
3 Intermediate
  • Practice
    Develop and agree with the business a business continuity plan that addresses security-related backups, archival and systems recovery. Test business continuity plan security features. Implement security-related business continuity plans in high priority business units.
    Outcome
    Business continuity advice and contributions are implemented in business continuity plans. Backups and archive management are done so that business recovery priorities can be managed securely. Business continuity plans are security tested and revised based on any test issues identified.
    Metric
    # Business units covered by the agreed business continuity plan.
    # Business recovery plan elements untested in last year
    # Business units that have not implemented business continuity plan features.
4 Advanced
  • Practice
    Take an organization-wide view when planning backups, archival and systems recovery for specified business continuity risks. Test, review and regularly improve recovery processes, tools and practices.
    Outcome
    Organization-level priorities are managed and costs are optimized at an organization level, yielding better financial results. Recovery processes are incrementally improving.
    Metric
    % Restorations within service level agreement limits
    ~ Variances in timeliness around service level agreement specified time limits
5 Optimized
  • Practice
    Regularly test the security features of the business continuity plan. Implement improvements and/or corrections for any security issues or problems encountered in testing.
    Outcome
    Issues identified in business recovery testing are regularly corrected. Backup, archival and systems recovery processes show evidence of continuing improvement.
    Metric
    # Time since last test
    # Outstanding change recommendations from last test
    # Improvements identified in recent tests