S 6.119 Documentation in the business continuity management process
Initiation responsibility: Emergency Officer
Implementation responsibility: Emergency Officer
The sequence of events in the business continuity management process, the results of the work done in each of the phases, and all major decisions should be documented. Such documentation and records form an essential foundation for the maintenance and efficient refinement of the process. They help to find and eliminate the causes of malfunctions and failed procedures in business continuity management. It is only possible to comprehensibly trace back the developments and decisions made in the field of business continuity management if continuous documentation is available.
A comprehensible process must be established ensuring that all documents, logs, and records drawn up in business continuity management can be found, clearly identified, accessed quickly, and are legible. Each document must be stored and/or kept securely, and access to the documents must be restricted to authorised persons only in order to prevent misuse.
A procedure must be established ensuring the documents are updated regularly as well as after special events. Outdated documents that have been replaced by a new version must be labelled as such to prevent accidental use of these documents. For all of the documents created within the framework of business continuity management, it is not only important to be able to retrieve the current version, but also to store the previous versions centrally so they can be retrieved at any time.
Depending on the object and the intended purpose, the following types of documentation should be considered for business continuity management and the business continuity management process:
Reports to management
In order for the top management of a government agency or company to make the right decisions in terms of controlling business continuity management, they need the corresponding information. The Emergency Officer and the business continuity management team should create reports on the status of the business continuity management system regularly and create event-based management reports when necessary.
Business continuity management documents
The following types of documentation of the business continuity management system should be drawn up:
- the business continuity management policy of the government agency and/or company
- descriptions of the roles together with their tasks, rights, and duties
- overview of the resources required and the available resources
- the contingency concept with the results of the BIA, the risk analysis, the continuity strategies, the necessary safeguards, and their implementation
- the business continuity handbook for effectively responding to an emergency or a crisis including the organisational structure of the emergency response and the various business continuity plans
- the training and sensitisation concept, verification of the safeguards, and the documentation of the examination
- planning, conception, and execution logs of tests and drills
- planning, execution, and results of audits and examinations (e.g. checklists and interview documentation)
- planning and execution of correction and improvement measures
- the essential tasks performed and decisions made by the business continuity management team should be documented in the form of meeting minutes and resolutions.
Documentation of workflows
Workflows, organisational specifications, and safeguards must be documented in such a way that no damage can be caused by a lack of knowledge or an error. It must be possible in emergencies and in crises to recover the desired target state of the business processes. Technical details and workflows must therefore be documented in such a way that this can be achieved within a reasonable amount of time.
Documentation of damage events
Preparations must be made for handling emergencies and crises so that all processes and decisions made in this regard can be understood. Likewise, the documentation should also enable improvements to be made to the contingency concept and business continuity handbook and avoid known errors in the future.
Information flow and reporting routes
The description and prompt revision of the reporting and escalation routes are important for the response to an emergency.
Documentation procedure
The Emergency Officer and the supporting business continuity management team are responsible for keeping up-to-date and informative documentation of the business continuity management system available at all times. For this reason, there should be a standard procedure for all documentation drawn up within the framework of the business continuity management process. This includes the following aspects, for example:
- The documentation must be understandable. This also means that it must be designed specifically for the intended target group. Reports submitted to management have different requirements than technical documentation intended for administrators.
- The documentation must be up to date. It must be specified who will maintain the documentation. The documents must also be labelled and stored so that they can be found quickly when needed. The date of creation, version, sources, and authors should be specified in the documentation. Outdated documents must be immediately taken out of circulation and archived.
- A defined procedure should be available for integrating, evaluating, and implementing (when necessary) any suggestions for changes (including the creation of new documents).
- In addition to ensuring information can be passed quickly to authorised persons, it is also necessary to ensure the confidentiality of internal details of the organisation. Confidential content must be classified as such, and the corresponding documents must be stored and processed securely.
When maintaining a large number of documents, it may be helpful to use a document management system.
Documentation does not always need to be available in paper form. The documentation medium can be selected as needed. For example, it is possible to use overview diagrams, brief minutes of meetings, handwritten notes, or software tools (to document the Business Impact Analysis, for example) for documentation purposes.
Review questions:
- Are the most important documents for the business continuity management system and its implementation available?
- Is there a procedure ensuring the documents are updated regularly, allowing for the documents to be found quickly, and restricting access to authorised persons only?