Has it ever happened to you that your management has given you the responsibility to implement business continuity just because you are in the IT department?
Why is business continuity usually identified with information technology?
This is probably because business continuity has its roots in disaster recovery, and disaster recovery basically is all about information technology. Twenty or thirty years ago business continuity (BC) did not exist as a concept, but disaster recovery (DR) did - the main concern was how to save the data if a disaster occurred.
At that time it was very popular to purchase expensive equipment and place it at a remote location so that all the important data of an organization would be preserved if, for instance, an earthquake would occur. Not only preserved, but also that the data would be processed with more or less the same capacity as if it was at the main location.
But after a while it was realized - what use would there be of the data if there were no business operations to use such data? This was how the business continuity idea was born - it's purpose is to enable the business to keep going on, even if in case of a major disruption.
Let's take a look at the definitions - business continuity is the "strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level" (BS 25999-2:2007), while disaster recovery is "the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster" (Wikipedia.org).
As you can see from the definitions, the emphasis in DR is on technology, while in BC it is on business operations. Therefore, disaster recovery is part of business continuity - you might consider it as one of the main enablers of business operations, or the technological part of business continuity.
However, you may have noticed something else too - the definition of BC is quoted from BS 25999-2, the leading standard on business continuity management, while the definition of DR is quoted from Wikipedia - actually, "business continuity" is an official term recognized in standards, while "disaster recovery" is not.
Implications for Implementation
So why is it a bad idea for an IT department to implement business continuity for the whole organization? Because business continuity is primarily a business issue, not an IT issue.
If the IT department was implementing business continuity for the whole organization, it would neither be able to define the criticality of business activities, nor the criticality of information. Further, it is a question whether it would achieve commitment from the business parts of the organization.
The best way to organize the implementation of BC is for the business side to lead such a project - this is how you would achieve greater awareness and acceptance of all parts of the organization. The IT department should play its role in such a project - a key role - to prepare disaster recovery plans.
* * *
Infosec Island is pleased to announce a special prize drawing specifically aimed at our member companies. The drawing winner will receive a Platinum ISO 27001 & BS 25999 Documentation and Service Package from the Information Security & Business Continuity Academy.
The prize package includes:
- Platinum Package from Information Security & Business Continuity Academy. For this purpose, 6 months subscription will be included, worth US$3,594.00
- ISO 27001 & BS 25999 Premium Documentation Toolkit worth US$849.00
- details on eligibility and prize package HERE
To qualify for a chance to win this industry leading compliance package, companies must have a completed profile registered at Infosec Island, as well as at least one employee with a completed member profile, including profile picture (instructions HERE).
The drawing selection will be made from all eligible Island members employed by registered companies with completed profiles. The prize will be awarded to the company, along with kudos and acknowledgment for the lucky staff member chosen in the drawing.
The more registered members with completed profiles a company has, the greater their chance of winning this valuable ISO package - so encourage your coworkers and employees to take two minutes to complete their brief profile at Infosec Island today, and register your Company profile before the December 31, 2010 cutoff.
Cross posted from ISO 27001 & BS 25999 blog - http://blog.iso27001standard.com