S 1.3 Business continuity management
Description
A fire in a computer centre or office building, a significant personnel shortage due to a pandemic, flooding, widespread and long-term power failures, but also minor failures such as the failure of a server, of an outsourcing service provider, or of the internet may cause serious malfunctions or even the failure of business processes, which may result in enormous damages as a consequence. In order to prevent emergencies and crises in the organisation, it is necessary to establish and operate a business continuity management process. Only a planned and well organised process guarantees optimal contingency planning and emergency response. Such a process reduces the likelihood of an emergency or crisis and also lessens their effects when they do occur, therefore ensuring the survival of the organisation. Suitable preventive measures must be taken to increase the robustness and reliability of the business processes on the one hand, and to enable a fast and directed response in an emergency or a crisis on the other hand. Business continuity management is also referred to as emergency management.
An emergency is a damage event where essential processes or resources of an organisation do not function as intended. Emergencies are characterised in that the availability of the corresponding processes or resources cannot be restored within the required time and that business operations are seriously impaired. Emergencies with possible adverse effects on the continuity of business processes may escalate and become crises. The term crisis refers to a serious emergency where the existence of the organisation or the health and lives of people are at risk.
Business continuity management consists of the areas of contingency planning with preventive safeguards to avoid emergencies and crises as well as planning the emergency response together with the recovery of the business processes and systems (referred to as disaster recovery planning). The emergency response includes contingency planning and crisis management phases used to overcome the emergency or crisis. The goal of business continuity management is to ensure that important business processes are only interrupted temporarily or not interrupted at all, even in critical situations, and to ensure the economic existence of the organisation even after incurring serious damage. A holistic approach is therefore critical in this regard. All aspects required to ensure the continuation of the critical business processes when a damage event occurs, and not only the information and information technology, must be taken into account. The primary goal of IT service continuity management and business continuity management within the framework of security management (being a part of security management) is to guarantee business continuity by securing the availability of the IT services, applications, IT systems, and especially of the information. IT service continuity management is part of the overall business continuity management and should not be considered separately.
A properly functioning business continuity management process must be embedded into the existing management structures of every organisation. For this reason, this module provides general recommendations for organisational structures for business continuity management. Each of these recommendations must be adapted individually to the specific conditions prevalent in the particular organisation.
This module is intended to illustrate how a functioning business continuity management process can be established in a government agency or company and how it can be developed further during actual operations. To accomplish this, the module describes the most important steps in a systematic business continuity management process and provides instructions for creating a comprehensive business continuity concept. The module is based on BSI standard 100-4 Business Continuity Management and summarises the most important aspects of business continuity management found in the standard.
Threat scenario
The following threats are examined as examples of all of the threats that may arise due to the failure of business processes or the lack of availability of information:
Force Majeure
| T 1.1 | Loss of personnel |
| T 1.2 | Failure of the IT system |
| T 1.10 | Failure of a wide area network |
| T 1.18 | Failure of a building |
| T 1.19 | Failure of a service provider or supplier |
Method recommendation
In order to secure the information system examined, other modules will need to be implemented in addition to this module with these modules being selected based on the results of the IT-Grundschutz modelling process.
A series of safeguards need to be implemented for the establishment of a business continuity management process, starting with strategic planning and the analysis of the relevant business processes to specifying concrete safeguards for the resources allocated to these processes. The steps to be followed as well as the safeguards to implement in each step are listed in the following.
Planning and design
One cornerstone for the success of the business continuity management process is that the management level stands behind the goals of business continuity management and is aware of their responsibility for it. Management must initiate, control, and monitor the business continuity management process so that it is implemented in all areas of the organisation (see S 6.111 Policy for business continuity management and acceptance of overall responsibility by management). Furthermore, a continuous security process must be established and an appropriate business continuity management strategy must be specified for the particular organisation (see S 6.110 Specification of the scope and the business continuity management strategy).
Implementation
The management must appoint one person from management as the primary person responsible for business continuity management and one person to be responsible for all issues and questions relating to business continuity management (an Emergency Officer). The Emergency Officer is responsible for establishing and maintaining a suitable organisational structure for business continuity management (see S 6.112 Establishment of a suitable organisational structure for business continuity management).
Operation
Business continuity management must be actively supported in all areas of the organisation (S 6.116 Integrating business continuity management into organisation-wide procedures and processes). This includes the creation of a business continuity concept (see S 6.114 Creating a business continuity concept) as well as the integration of the employees into the business continuity management process (see S 6.115 Integration of the employees in the business continuity management process).
The bundle of security safeguards for business continuity management is presented in the following.
Planning and design
| S 6.110 | (C) | Specification of the scope and the business continuity management strategy |
| S 6.111 | (A) | Policy for business continuity management and acceptance of overall responsibility by management |
Implementation
| S 6.112 | (A) | Establishment of a suitable organisational structure for business continuity management |
| S 6.113 | (C) | Providing adequate resources for business continuity management |
| S 6.114 | (A) | Creating a business continuity concept |
| S 6.115 | (C) | Integration of the employees in the business continuity management process |
| S 6.116 | (C) | Integrating business continuity management into organisation-wide procedures and processes |
Operation
| S 6.117 | (B) | Tests and emergency drills |
| S 6.118 | (A) | Checking and maintaining the emergency measures |
| S 6.119 | (C) | Documentation in the business continuity management process |
| S 6.120 | (C) | Checking and controlling the business continuity management process |