Business Impact Analysis - Clause 4 Of BS25999 In Practice

1. Business Impact Analysis: Clause 4.1.1 Requirements Of BS25999-2:2007
2. Executive Summary

This document attempts to provide an understanding of the BIA process as required by the British Standard BS25999-2:2007. A flow chart illustrates the flow of the BIA process per Clause 4.1.1 of the standard. Subsequently, each step in the process is demonstrated by means of an example.

Most of the content within the example tables is self-explanatory; however, some of it has been supported with call-outs. The example does not strictly stick to the BS standard but includes additional items which are believed to add value from the actionable-information point of view.

Dipankar Ghosh, 02/08/2009
3. Section 4.1.1 Of BS25999-2:2007

4.1.1 Business Impact Analysis

4.1.1.1 There shall be a defined, documented and appropriate method for determining the impact of any disruption of the activities that support the organisation's key products and services (see 3.2.1).

4.1.1.2 The organisation shall:

a) Identify activities that support its key products and services;
b) Identify impacts resulting from the disruption to these activities, and determine how these vary over time;
c) Establish the maximum tolerable period of disruption (MTPoD) for each activity by identifying:
   (1) the maximum time after the start of the disruption within which each activity needs to be resumed;
   (2) the minimum level at which each activity needs to be performed upon resumption; and
   (3) the length of time within which normal levels of operation need to be resumed;
d) Categorise its activities according to their priority for recovery and identify its critical activities;
e) Identify all dependencies relevant to the critical activities, including suppliers and outsourced partners;
f) For suppliers and outsource partners on whom critical activities depend, determine what BCM arrangements are in place for the relevant products and services they provide;
g) Set recovery time objectives (RTO) for the resumption of critical activities within their maximum tolerable period of disruption; and
h) Estimate the resources that each critical activity will require for resumption.
4. BIA Flow Chart

(Flow chart of the Clause 4.1.1 BIA process; figure only, not reproduced in the text.)
5. Identifying Activities and Impacts, Including Impacts Over Time (4.1.1.2)

Company: XYZ | Building: Grand HQ | City: Indore | Department: Software Development

| Activity/Process | Company Value | 30 min | 1 hr | 8 hrs | 1 day | 1 week | 1 month | MTPoD | RTO (< MTPoD) | Minimum level of performance | Time to resume normal operations |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Software requirements analysis | Human Life Implications | L | L | L | L | L | L | 3 days | 2 days | Do paper-based requirements analysis for all projects for which deadlines are near | 5 days |
| | Financial Implications | L | L | L | L | M | H | | | | |
| | Reputation Loss | L | L | L | L | M | H | | | | |
| | Customer Satisfaction | L | L | L | L | M | H | | | | |
| Software architecture and design | Human Life Implications | L | L | L | L | L | L | 16 hours | 12 hours | Do paper-based design and architecture activities for all projects for which deadlines are near | 2 days |
| | Financial Implications | L | L | L | L | M | H | | | | |
| | Reputation Loss | L | L | L | M | M | H | | | | |
| | Customer Satisfaction | L | L | L | M | H | H | | | | |
| Software construction | Human Life Implications | L | L | L | L | L | L | 16 hours | 12 hours | Software construction work for projects for which deadlines are near | 1 day |
| | Financial Implications | L | L | L | M | M | H | | | | |
| | Reputation Loss | L | L | L | M | M | H | | | | |
| | Customer Satisfaction | L | L | L | M | H | H | | | | |

Call-outs:

- 4.1.1.2 a: The Activity/Process column identifies the activities supporting key products and services.
- 4.1.1.2 b: The impact-over-time columns identify the impacts and determine how they vary over time.
- 4.1.1.2 c (1): The cells where a row first changes from Low to Medium impact are the transition points and may be used to derive the MTPoD. Using one's judgement, the MTPoD can be taken as any time between the last Low-impact time and the next Medium-impact time; for software construction in this example that is between 8 hours and 1 day, and 16 hours has been chosen.
- 4.1.1.2 c (2): The minimum level of performance column.
- 4.1.1.2 c (3): The time-to-resume-normal-operations column.
- 4.1.1.2 g: Note that an RTO is mandatory only for the critical activities per the standard. It is calculated by applying a safety cushion, per company policy, below the MTPoD. The safety cushion should consider the cycle time to deliver the product/service from the time the activity is resumed.
6. Categorising Activities by Priority and Identifying Critical Activities

| Activity/Process | Company Value | 30 min | 1 hr | 8 hrs | 1 day | 1 week | 1 month | MTPoD | RTO (< MTPoD) | Priority | Criticality |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Software requirements analysis | Human Life Implications | L | L | L | L | L | L | 3 days | 2 days | 2 | Not Critical |
| | Financial Implications | L | L | L | L | M | H | | | | |
| | Reputation Loss | L | L | L | L | M | H | | | | |
| | Customer Satisfaction | L | L | L | L | M | H | | | | |
| Software architecture and design | Human Life Implications | L | L | L | L | L | L | 16 hours | 12 hours | 1 | Critical |
| | Financial Implications | L | L | L | L | M | H | | | | |
| | Reputation Loss | L | L | L | M | M | H | | | | |
| | Customer Satisfaction | L | L | L | M | H | H | | | | |
| Software construction | Human Life Implications | L | L | L | L | L | L | 16 hours | 12 hours | 1 | Critical |
| | Financial Implications | L | L | L | M | M | H | | | | |
| | Reputation Loss | L | L | L | M | M | H | | | | |
| | Customer Satisfaction | L | L | L | M | H | H | | | | |

Call-outs:

- 4.1.1.2 d: Identify the activities which are critical to the organisation. This may be based on company policy; for example, any activity whose RTO is <= 16 hours can be considered critical by the company. All other activities could nevertheless become critical over time if they are not brought up within their respective RTOs.
- 4.1.1.2 d: Prioritise activities by comparing their RTOs, ensuring that activities with lower RTOs are given higher priority.
- Select your time intervals as appropriate for your function.
7. Identify Dependencies for All Critical Activities: You Are Dependent On Them

| Activity/Process | Priority | Criticality | Agency/Department | External/Internal | Description of dependency |
|---|---|---|---|---|---|
| Software requirements analysis | 2 | Critical | Sales and Accounts Management | Internal | Receive inputs from this team on client requirements |
| | | | Technology | Internal | Ensure that network, systems, telecom and other technical resources required are available |
| | | | Client | External/Internal | Receive inputs on software requirements |
| Software architecture and design | 1 | Critical | Technology | Internal | Ensure that network, systems, telecom and other technical resources required are available |
| | | | Client | External/Internal | Receive design review and approval |
| Software construction | 1 | Critical | Technology | Internal | Ensure that network, systems, telecom and other technical resources required are available |

Call-outs:

- 4.1.1.2 e: Identify internal and external dependencies. This includes both those who are dependent on you and those you are dependent upon.
- 4.1.1.2 f: Additionally, if you are dependent upon a supplier/partner, you are required to ensure that the supplier/partner has adequate BCM arrangements. This will entail some sort of audit of your supplier's/partner's BCM processes. Also ensure that there are alternatives to your existing suppliers.
8. Identify Dependencies for All Critical Activities: They Are Dependent On You

| Activity/Process | Priority | Criticality | Agency/Department | External/Internal | Description of dependency |
|---|---|---|---|---|---|
| Software requirements analysis | 2 | Critical | Sales and Accounts Management | Internal | Provide outputs to this team to take these up with the client |
| | | | Client | External/Internal | Provide outputs to the client for their consideration/feedback/approval etc. |
| | | | Software Quality | Internal | Provide system requirements specs to produce test plans and test cases |
| Software architecture and design | 1 | Critical | Client | External/Internal | Provide design deliverables to the client for approval |
| | | | Software Quality | Internal | Provide design deliverables to consider for test plans and test cases |
| Software construction | 1 | Critical | Client | External/Internal | Ensure that network, systems, telecom and other technical resources required are available |
9. Estimating Resources for Critical Activities for Resumption: Staff

| Activity/Process | Resource | 12 hrs | 1 day | 2 days | Work from home required? | Alternative arrangement | Action | Who/When |
|---|---|---|---|---|---|---|---|---|
| Software requirements analysis (RTO: 2 days) | Business Analyst | 0 | 0 | 1 | √ | In the absence of the business analyst, the architect and the senior programmer will do the job. | - | - |
| | S/w Architect | 0 | 0 | 1 | √ | In the absence of the architect, the senior programmer will do the job. If required, another senior programmer will be utilised. | - | - |
| | Senior Programmer | 0 | 0 | 3 | √ | In the absence of the senior programmer, the architect will do the job. If required, another senior programmer will be utilised. | - | - |

The numbers under the elapsed-time columns are the quantity of each resource required by that point in time after resumption begins.

Call-outs:

- Select your time intervals as appropriate for your function as well as the type of resource. For example, staff may have different intervals than IT applications, which in turn may have different time frames from utilities.
- While some would put an MTPoD and/or RTO against each resource, this paper provides the alternative approach of recording the actual requirements against elapsed time. This takes care of the MTPoD/RTO information for the resources and at the same time provides additional information such as numbers required and alternative arrangements.
- 4.1.1.2 h: Estimate the resources for each critical activity for resumption. Add as much information as you want on these resources; for staff members, for example, whether working from home is required or not. It is also prudent to have alternative (backup) arrangements for the resources required, to identify any gaps that may exist, and to have a plan for them.
10. Estimating Resources for Critical Activities for Resumption: Premises and Software

| Activity/Process | Resource | 1 hr | 12 hours | 1 day | 2 days | Alternative arrangements | Action | Who/When |
|---|---|---|---|---|---|---|---|---|
| Software requirements analysis (RTO: 2 days) | Premises: PM Towers | X | X | X | √ | None | 1. Arrangement for home working to be made, ensuring that each person has a PC/laptop, telephone/mobile and internet. 2. Finalise contract with a 3rd party for making alternate premises available, with 3-5 desk positions, within an hour of notice; to include telephone with STD/ISD and broadband internet. | 1. BX, 14/08/09 2. ZC, 31/08/09 |
| | Desk positions | 0 | 0 | 0 | 5 | None | As in premises above | - |
| | Software: MS Office | 0 | 0 | 0 | 3 | Utilise paper | - | - |
| | Software: Visio | 0 | 0 | 0 | 1 | Utilise paper | - | - |
11. Estimating Resources for Critical Activities for Resumption: Hardware

| Activity/Process | Resource | 1 hr | 12 hours | 1 day | 2 days | Alternative arrangements | Action | Who/When |
|---|---|---|---|---|---|---|---|---|
| Software requirements analysis (RTO: 2 days) | PC/Laptop | 0 | 0 | 1 | 3 | None | 1. Make arrangements with current PC/laptop suppliers or alternate suppliers to provide spare PCs/laptops within 4 hours of request. 2. Finalise contract with a 3rd party for making alternate premises available, with 3-5 desk positions, within an hour of notice; to include telephone with STD/ISD and broadband internet. | TD, 31/08/09 |
| | Storage (pen drive/disc) | 0 | 0 | 1 | 1 | Spare pen drives/discs available | - | - |
| | Speaker/Mic | 0 | 0 | 1 | 1 | Spare speakers/mics available | - | - |
12. Estimating Resources for Critical Activities for Resumption: Telecom and Internet

| Activity/Process | Resource | 1 hr | 12 hours | 1 day | 2 days | Alternative arrangements | Action | Who/When |
|---|---|---|---|---|---|---|---|---|
| Software requirements analysis (RTO: 2 days) | Telephone/Mobile with STD/ISD facility | 0 | 0 | 1 | 1 | 1. Use the facility at the alternate recovery location (see Premises above). 2. Use the facility available at home (see Premises above). | - | - |
| | Internet | 0 | 0 | 1 | 1 | As above | - | - |
13. Estimating Resources for Critical Activities for Resumption: Utilities/Other

| Activity/Process | Resource | 1 hr | 12 hours | 1 day | 2 days | Alternative arrangements | Action | Who/When |
|---|---|---|---|---|---|---|---|---|
| Software requirements analysis (RTO: 2 days) | Water supply | X | X | √ | √ | None | Arrange with at least 2 local water suppliers to provide 10,000 litres (2 days' supply) at 4 hours' notice. | KK, 09/01/10 |
| | Power supply | X | X | √ | √ | Standby genset of 100 KVA available within 10 minutes of a power outage | - | - |
| | Air conditioning system | X | X | √ | √ | None | Procure and install wall/pedestal fans | KK, 19/01/10 |
| | Fuel supply | X | X | √ | √ | 20,000 KL (equivalent to 3 days' requirement) of diesel always available in store | - | - |
