If a business continuity exercise is too hot to handle

Full-on business continuity exercises can be big, intimidating, lengthy, costly (although hopefully still valuable!) and (to some extent) risky affairs for complex organisations or industry groups that really go to town on them ... but that's not the only way.

Alternatives include:

  • Solitary plan review/maintenance update - where the person responsible for a particular part of the whole plan (such as a section or department head) sits quietly in a dark corner imagining how things would play out in practice, carefully checking their part, liaising with colleagues as appropriate (e.g. on interfaces, coordination and reporting), drawing on their knowledge of that part of the business and any results from previous checks, and working within the constraints of agreed strategies, policies and objectives.

  • Cross-checking - the same as the above except that someone else does the review, perhaps someone who might be called upon to lead and enact the plan following an incident in which the intended leader is "unavailable".

  • Desktop walk-throughs - team meetings where knowledgeable people treat the business continuity plans like play scripts, running through one or more simulated scenarios and checking things such as hand-offs between functions and reporting.

  • Small-scale simulations - focused on the arrangements for specific processes, departments etc. that form parts of a bigger enterprise plan.

  • Case studies, tests and audits - using hypothetical but realistic incident scenarios to check that the prepared plans are workable, reasonable and hopefully optimal.

  • Classroom exercises - learning sessions led or facilitated by business continuity specialists, examining actual and potential responses, comparing and contrasting the plans with alternative options, considering legitimate challenges etc.

  • Tech-bounded exercises - such as failing-over particular systems to alternative servers, communications/network links, data centres etc., or recovering systems from backups onto isolated test hardware (not on top of live systems, please!), and then confirming that the restored system is complete and intact rather than merely that the restore command finished.

  • Time-bounded micro- or snap-exercises - lasting just 30 minutes to maybe half a day, designed to put people through their paces and let them practise their anticipated activities (such as evacuating a building, standing up an emergency coordination function, or holding an urgent press briefing), then debrief. The deliberately short timescale enhances the adrenaline rush and stress levels, much like a genuine incident, while containing the costs, disruption and risks.

  • "This is not a drill" - genuine incidents leave the organisation no option but to depend on its resilience and recovery arrangements: these may be all-hands-to-the-pumps emergencies, or smaller-scale incidents where uninvolved onlookers or auditors can observe and take notes for the debrief.

  • "That was not a drill" - where a relatively minor, constrained incident is deliberately treated as if it were more serious and expansive, either at the time of the incident (e.g. artificially up-rating the incident evaluation and categorisation rather than concluding the incident, as a way to exercise the associated plans) or subsequently (using one or more real events as the basis for follow-up exercises).

  • Blind faith - the "Let's see how it goes" laissez-faire approach involves expending no effort to check, review, test or prove the continuity arrangements.
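As an added illustration of the "tech-bounded" restore exercise above (this is example code, not part of the original post), the script below restores a backup archive into a freshly created scratch directory, refuses to extract onto a live or non-empty path, and then proves the restore against a SHA-256 manifest taken when the backup was made. It assumes a POSIX shell with tar, sha256sum and mktemp; the function names, directory layout and sample "live" data are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: a small "tech-bounded" exercise
# that restores a backup into a scratch directory (never on top of the live
# system) and proves the restore matches a SHA-256 manifest taken at backup
# time. Assumes tar, sha256sum and mktemp are available; the file layout,
# function names and sample data are constructed for illustration only.

set -u

# Return 0 only if $1 is an existing, empty directory outside the obvious
# live system paths; anything else is refused rather than overwritten.
safe_restore_target() {
    case "$1" in
        /|/etc|/etc/*|/usr|/usr/*|/var|/var/*|/home|/home/*|/opt|/opt/*|/srv|/srv/*) return 1 ;;
    esac
    [ -d "$1" ] || return 1
    [ -z "$(ls -A "$1")" ] || return 1
}

# restore_and_verify ARCHIVE SCRATCH_DIR MANIFEST
# Extract ARCHIVE into SCRATCH_DIR, then check that the file count matches
# MANIFEST ("<sha256>  <relative path>" lines, so nothing extra or missing)
# and that every listed file hashes correctly.
# Returns 0 for a verified restore, 1 for refusal, extraction or checksum failure.
restore_and_verify() {
    archive="$1"; target="$2"; manifest="$3"
    case "$manifest" in /*) ;; *) manifest="$PWD/$manifest" ;; esac
    if ! safe_restore_target "$target"; then
        echo "REFUSED: $target is not an empty scratch directory"
        return 1
    fi
    tar -xf "$archive" -C "$target" || { echo "FAILED: could not extract $archive"; return 1; }
    expected=$(wc -l < "$manifest" | tr -d ' ')
    actual=$(find "$target" -type f | wc -l | tr -d ' ')
    if [ "$expected" -ne "$actual" ]; then
        echo "FAILED: manifest lists $expected files, restore contains $actual"
        return 1
    fi
    if (cd "$target" && sha256sum -c "$manifest" >/dev/null 2>&1); then
        echo "VERIFIED: $actual files restored into $target match the manifest"
        return 0
    fi
    echo "FAILED: checksum mismatch against $manifest"
    return 1
}

# make_sample_backup WORKDIR
# Constructed sample "live" data: writes WORKDIR/live/app/*, a manifest and
# backup.tar, plus tampered.tar whose contents drifted after the manifest
# was taken (simulating a corrupt or altered backup).
make_sample_backup() {
    work="$1"
    mkdir -p "$work/live/app"
    printf 'listen=8443\n' > "$work/live/app/app.conf"
    printf 'customer records\n' > "$work/live/app/data.txt"
    (cd "$work/live" && find app -type f -exec sha256sum {} + > "$work/manifest.sha256")
    tar -cf "$work/backup.tar" -C "$work/live" app
    cp -r "$work/live" "$work/drifted"
    printf 'customer records (altered after backup)\n' > "$work/drifted/app/data.txt"
    tar -cf "$work/tampered.tar" -C "$work/drifted" app
}

# Run as "sh restore_exercise.sh demo" to see all three outcomes:
# a verified restore, a detected mismatch, and a refused restore onto live data.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d); make_sample_backup "$work"
    restore_and_verify "$work/backup.tar" "$(mktemp -d)" "$work/manifest.sha256"
    restore_and_verify "$work/tampered.tar" "$(mktemp -d)" "$work/manifest.sha256"
    restore_and_verify "$work/backup.tar" "$work/live" "$work/manifest.sha256"
    rm -rf "$work"
fi
```

The two checks after extraction are the point of the exercise: the file-count comparison catches a restore that landed on top of existing data or silently dropped files, and the manifest check catches a backup whose contents no longer match what was recorded at backup time. The refusal path is what keeps the exercise "bounded": the script will not extract into a live directory even if asked to.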
What have I missed?  Have you used or heard of any other approaches?
