4.2 Establish requirements for Business Continuity & Recovery
The requirements of Business Continuity & Recovery is to prepare for and cope with unplanned events that will have significant impact on its operations and commitment to customers.
The pre-defined procedures documented herein must not be interpreted as the only course of action because disaster comes in various forms, complexity and severity. The possible combinations of events happening after a disaster cannot be entirely anticipated. Situations not described in the BCP are to be executed using common sense by improvising beyond the documented BCP.
A single framework or methodology for IT disaster recovery planning must be maintained to ensure that all plans are consistent, and to identify priorities for testing and maintenance. The IT disaster recovery planning framework must include the following: -
• IT emergency procedures: Emergency procedures which describe the actions to be taken following an incident.
• IT fallback procedures: Fallback procedures which describe the actions to be taken to move important activities or support services to alternative temporary locations and to bring business processes back into operation in the required time scales.
• IT resumption procedures: Resumption procedures which describe the actions to be taken to return to normal business operations.
• IT recovery test schedule: Maintenance schedule which specifies how and when the plan will be tested, and the process for maintaining the plan.
• Awareness and training activities which are designed to create understanding of the business continuity processes and ensure that the processes continue to be effective.
• List responsibilities of individuals, describing who is responsible for executing which component of the plan. Alternatives must be nominated as required.
Each plan must have a specific owner. Emergency procedures, manual fallback plans and resumption plans must be within the responsibility of the Owners of the appropriate resources or processes involved. Fallback arrangements for alternative technical services, such as information processing facilities must also be in place.