Business continuity strategy, as defined in BS 25999-2 standard, is an "approach by an organization that will ensure its recovery and continuity in the face of a disaster or other major incident or business disruption".
Therefore, the point is to prepare yourself in the best possible manner to counteract a disaster, should one occur. This preparation can include organizational measures (drawing up plans, making contracts with suppliers/partners, exercising, reviewing, awareness raising, etc.) and technical measures (investment in equipment, infrastructure, etc.).
Time is a very important factor in recovery - if you do not recover your business in time, you will probably lose your customers and consequently lose your business as well. So the business continuity strategy must set the recovery time objective (RTO) for each of your critical activities, and the RTO can be different for each of them.
One important consideration: the shorter the RTO, the bigger the investment you will need. For instance, if you want to recover your data centre in less than one hour, you will have to invest in almost the same equipment at an alternative location as you have at the primary location; on the other hand, if you want to recover your data centre in two weeks, the investment will be much lower, because it would be enough to store the backup tapes at the alternative location, leaving you two weeks to obtain the necessary equipment. All this means that your RTO must not be too long, but not too short either.
Once the RTO is set, you will still need to make some investment; however, with a good business continuity strategy you will be able to decrease that investment, while still being able to recover your critical activities within the recovery time objective. Here are some examples:
- you might not need your own data centre at an alternative location - in most countries you can rent such a location from a specialized company, which means you don't need to invest in infrastructure, maybe not even in equipment or software,
- you might not need offices at an alternative location - employees who do not have to meet customers face-to-face can work from their homes,
- you might not need an alternative location at all if you have other business units at different locations which could take over the critical activities affected by the disaster,
- you might not need to purchase equipment in advance if you can find a supplier that can guarantee delivery of the equipment within your RTO.
In all these examples you will need to increase your organizational capabilities, but if you want to save some money, it sure is something worth thinking about.
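The selection logic described above (for each critical activity, pick the cheapest recovery option whose recovery time still fits within that activity's RTO, and see how the required investment falls as the RTO is relaxed) can be written down as a small model. This is an added example, not code from the original post or from the ISO 27001 & BS 25999 blog; every activity, option, recovery time and cost figure in it is constructed for illustration only.

```python
"""Cheapest recovery option that still meets each activity's RTO.

Added example; all activities, options, recovery times and costs are
constructed placeholders, not figures from any real organization.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class RecoveryOption:
    name: str
    recovery_hours: float   # time needed to restore the activity with this option
    cost: float             # up-front investment, in arbitrary currency units


@dataclass(frozen=True)
class CriticalActivity:
    name: str
    rto_hours: float        # recovery time objective set by the strategy
    options: Tuple[RecoveryOption, ...]


def feasible_options(activity: CriticalActivity) -> List[RecoveryOption]:
    """Options that can restore the activity within its RTO."""
    return [o for o in activity.options if o.recovery_hours <= activity.rto_hours]


def cheapest_option(activity: CriticalActivity) -> Optional[RecoveryOption]:
    """Cheapest feasible option, or None when no option can meet the RTO.

    Ties on cost are broken in favour of the faster option.
    """
    feasible = feasible_options(activity)
    if not feasible:
        return None
    return min(feasible, key=lambda o: (o.cost, o.recovery_hours))


def plan_recovery(activities: Sequence[CriticalActivity]) -> Dict[str, Optional[str]]:
    """Map each activity to its chosen option name; None flags an unreachable RTO."""
    plan: Dict[str, Optional[str]] = {}
    for activity in activities:
        chosen = cheapest_option(activity)
        plan[activity.name] = chosen.name if chosen else None
    return plan


def total_investment(activities: Sequence[CriticalActivity]) -> float:
    """Sum of the chosen options' costs (activities with no feasible option add nothing)."""
    return sum(o.cost for a in activities if (o := cheapest_option(a)) is not None)


def rto_cost_curve(options: Sequence[RecoveryOption], rtos: Sequence[float]) -> List[Optional[float]]:
    """Cheapest cost of meeting each candidate RTO with the given options.

    Shows the trade-off from the text: the shorter the RTO, the larger the investment.
    """
    curve: List[Optional[float]] = []
    for rto in rtos:
        feasible = [o.cost for o in options if o.recovery_hours <= rto]
        curve.append(min(feasible) if feasible else None)
    return curve


# Constructed sample data (hypothetical names and figures).
DATA_CENTRE_OPTIONS = (
    RecoveryOption("Hot site with duplicate equipment", recovery_hours=1, cost=500_000),
    RecoveryOption("Rented DR data centre", recovery_hours=24, cost=60_000),
    RecoveryOption("Off-site tapes + supplier delivery guarantee", recovery_hours=336, cost=5_000),
)

ACTIVITIES = (
    CriticalActivity("Data centre", rto_hours=48, options=DATA_CENTRE_OPTIONS),
    CriticalActivity("Customer support", rto_hours=8, options=(
        RecoveryOption("Own backup office", recovery_hours=8, cost=40_000),
        RecoveryOption("Work from home", recovery_hours=4, cost=2_000),
    )),
    # Only option takes longer than the RTO allows: the strategy (or the RTO) must change.
    CriticalActivity("Manufacturing line", rto_hours=4, options=(
        RecoveryOption("Spare production line at sister plant", recovery_hours=72, cost=900_000),
    )),
)

if __name__ == "__main__":
    for name, option in plan_recovery(ACTIVITIES).items():
        print(f"{name}: {option or 'NO OPTION MEETS RTO'}")
    print("Total investment:", total_investment(ACTIVITIES))
    print("Data centre cost by RTO (h):", rto_cost_curve(DATA_CENTRE_OPTIONS, [0.5, 1, 48, 336]))
```

Running the model with the constructed data picks the rented DR data centre and work from home, and reports that no option can meet the manufacturing line's 4-hour RTO, which is exactly the signal that either the RTO was set too short or a different recovery strategy is needed for that activity.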
Infosec Island is pleased to announce a special prize drawing specifically aimed at our member companies. The drawing winner will receive a Platinum ISO 27001 & BS 25999 Documentation and Service Package from the Information Security & Business Continuity Academy.
The prize package includes:
- Platinum Package from Information Security & Business Continuity Academy. For this purpose, a 6-month subscription will be included, worth US$3,594.00
- ISO 27001 & BS 25999 Premium Documentation Toolkit worth US$849.00
- details on eligibility and prize package HERE
To qualify for a chance to win this industry leading compliance package, companies must have a completed profile registered at Infosec Island, as well as at least one employee with a completed member profile, including profile picture (instructions HERE).
The drawing selection will be made from all eligible Island members employed by registered companies with completed profiles. The prize will be awarded to the company, along with kudos and acknowledgment for the lucky staff member chosen in the drawing.
The more registered members with completed profiles a company has, the greater its chance of winning this valuable ISO package - so encourage your coworkers and employees to take two minutes to complete their brief profile at Infosec Island today, and register your company profile before the December 31, 2010 cutoff.
Cross posted from ISO 27001 & BS 25999 blog - http://blog.iso27001standard.com