Business Continuity Planning Audit Checklist
Download the free Business Continuity Planning Audit Checklist. This checklist is based on the ISO 27001/ISO 27002 standards, which recommend that the business continuity planning process should ensure that:
- There is a clear description (signed off by the board) of the circumstances in which the procedure is to be carried out.
- There is a clear description (signed off by the board) of what constitutes the maximum acceptable level of loss of information or services, and this criterion should drive all activity.
- All responsibilities and detailed emergency procedures for all identified interruptions are themselves identified and agreed internally.
- Emergency procedures are implemented quickly enough to allow recovery and restoration of the service within the specified timescale. Note that these need to allow for any internal or external business dependencies and for external contracts that may be in place. The services or resources – staffing, other resources, external contracts, fall-back arrangements – necessary to return the business, or the information systems, to an acceptable level should all be identified, as should the methods for accessing them.
- Agreed procedures and processes are documented, and those involved in implementing the procedures must be involved in their creation. These plans, which must address organizational vulnerabilities, will themselves be highly sensitive documents and therefore need appropriate protection. Copies of them need to be securely stored in a remote location beyond the damage perimeter of the site to which they refer. One effective method of doing this is to provide members of the emergency response team with suitably protected CD-ROMs or USB sticks (and adequately powered laptops) that contain the plans.
- Staff are trained in the emergency (both recovery and parallel operational) procedures, as well as in the overall crisis management situation. This training should be in the workplace and should involve carrying out the various actions specified in the emergency procedures until they are adequately memorized.
- Plans are tested and updated.
- The owner of the process or system is responsible for updating and maintaining the recovery plan and for ensuring that the central copies, and those stored remotely, are up to date.