Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Bcp drp


Published on

Successful leaders and managers are always keen to expect the unexpected and plan for it. the More you plan is the less you react, and the less you react, the less you make mistakes.
Disruptions to your business can result in data risk, revenue loss, and Failure to deliver services
That’s why organizations need strong business continuity planning.

Published in: Leadership & Management
  • How can I sharpen my memory? How can I improve forgetfulness? find out more... ◆◆◆
    Are you sure you want to  Yes  No
    Your message goes here

Bcp drp

  1. 1. The Importance Of Business Continuity And Disaster Recovery Planning By Aqel M. Aqel Information Systems Audit & Control Association Rolling Meadows Illinois –USA ( CISA –Coordinator / Research Director -Riyadh Chapter Dec 2014
  2. 2. Why BCP & DRP •Successful businesses expect the unexpected and plan for it. •Disruptions to your business can result in: •Data risk, •Revenue loss, •Failure to deliver services •That’s why organizations need strong business continuity planning. John Sharp, 2012,The Route Map to Business Continuity Management: Meeting the Requirements of ISO 22301’ by A Good Plan Increases Your Chances of Recovery
  3. 3. Concepts and Terminology •Business continuitydescribes the processes and procedures an organization must put in place to ensure that mission-critical functions can continue during and after a disaster. •Disaster recoveryrefers to specific steps taken to resume operations in the aftermath of a catastrophic disaster (natural or national emergency)
  4. 4. Reasons behind Disasters •Environmental Disasters •Tornado& Hurricane •Power Grid Failure •Flood •Snowstorm •Earthquake •Electrical storms •Fire •Fire •Sink Holes •Landslides Man Made Disruptions Terrorist Attack Sabotage التخريب War / Theft Arson الحريق المتعمد Labor Disputes Equipment or System Failure Internal power failure Air conditioning failure Cooling plant failure Equipment failure IT Failures and Security Breaches Cyber crime Loss of records or data Disclosure of sensitive information IT system failure
  5. 5. More Concepts and Terminology Recovery Point Objective(RPO) measures the ability to recover files by specifying a point in time restore of the backup copy. Recovery Time Objective(RTO)measures the time that it takes for a system to be completely up and running in the event of a disaster. Source: Network Servers 2011
  6. 6. More Concepts and Terminology •Recovery Point Objective(RPO) measures the ability to recover files by specifying a point in time restore of the backup copy.i.e. •Amount of data lost from failure, measured as the amount of time from a disaster event •It's determined by the amount of time between data protection events and reflects the amount of data that potentially could be lost during a disaster recovery. •The metric is an indication of the amount of data at risk of being lost. •Recovery Time Objective(RTO)measures the time that it takes for a system to be completely up and running in the event of a disaster. i.e. •Targeted amount of time to restart a business service after a disaster event. •It is related to downtime. The metric refers to the amount of time it takes to recover from a data loss event and how long it takes to return to service. •RTO refers then to the amount of time the system's data is unavailable or inaccessible preventing normal service.
  7. 7. RPO and RTO
  8. 8. RTO and RPO Source:
  9. 9. Facts •The US Chamber of Commerce reported that: •the economic losses in 2011, as a result of natural disasters, reached $380 million. •Federal Emergency Management Agency ( reports: •40-60% of businesses that close due to disaster never reopen!! (source:
  10. 10. Facts Source: FreeFormDynamics 2011 •Only 23% of Respondents said: yes, there is a formal DR plan in place.
  11. 11. Facts •Numbers Speaks!
  12. 12. Facts Source:
  13. 13. Facts Source: •Cost of downtime does not propagate linearly!
  14. 14. Facts •What part of IT infrastructures are covered by BC/DR plans Source: Howard Marks (2008)
  15. 15. Facts Source: Howard Marks (2008) •What are the barriers to adoption of a business continuity plan? •Cost and complexity are •Lack of skills is a reason as well.
  16. 16. Facts 86% of companies experienced one or more instances of system downtime in the previous 12 months. Downtimes lasted 2.2 days on the average and cost each business an average of $366,363 a year. 33% of businesses admitted they do not back up virtual servers as often as they do their physical servers.
  17. 17. Policies Support Motivation Sponsoring & follow up Procedures Policies Tools Roles and Responsibilities Methodologies / Best Practices Training Validation Audit Programs Reports Awareness Source: Aqel M. Aqel, IT Security in your firm, what is it, & how to achieve it. (2011). Monitoring Execution Leadership Actionable model
  18. 18. ISO 22301 In 2012, BCI in partnership with BSI launch of ISO 22301, the new global standard for business continuity management.
  19. 19. ISO 22301 •Provides a comprehensive set of controls based on BCM best practice. •Covets the whole BCM lifecycle. •Defines the strategic and tactical capability of an organization to plan for and respond to incidents. •It is generic and offers organizations guidance on putting their BCM systems in place.
  20. 20. ISO 22301 –2012 key Clauses •Clause 1:Scope •Clause 2:Normative References •Clause 3:Terms and Conditions •Clause 4:Context of the organization •Clause 5:Leadership •Clause 6:Planning •Clause 7:Support •Clause 8:Operation •Clause 9:Performance evaluation •Clause 10: Improvement
  21. 21. ISO 22301 -Clause 4:Context of the organization
  22. 22. ISO 22301 –Clause 5:Leadership •Top management needs to demonstrate an ongoing commitment to the BCMS. •Integrating the BCMS requirements into the organization’s business processes •Providing the necessary resources for the BCMS •Communicating the importance of effective business continuity management •Ensuring that the BCMS achieves its expected outcomes •Directing and supporting continual improvement •Establish and communicate a business continuity policy •Ensuring that BCMS objectives and plans are established •Ensuring that the responsibilities and authorities for relevant roles are assigned
  23. 23. ISO 22301 –Clause 6:Planning •Establishing strategic objectives and guiding principles for the BCMS. •The business continuity objectives must: be consistent with the business continuity policy; •Ttakeinto account the minimum level of products and services that is acceptable to the organization to achieve its objectives; •be measurable; •take into account applicable requirements; •be monitored and updated as appropriate
  24. 24. ISO 22301 –Clause 7:Support •Using the appropriate resources for each task. •Competent staff with relevant (and demonstrable) •Training and supporting services •Awareness and communication. •Both internal and external communications of the organization must be considered in this area. •The requirements on the creation, update and control of documented information are also specified in this clause.
  25. 25. ISO 22301 –Clause 8:Operation •Business Impact Analysis (BIA): •Risk assessment •Business continuity strategy: •Business continuity procedures: •Exercising and testing
  26. 26. ISO 22301 –Clause 9:Performance evaluation •ISO 22301 requires permanent monitoring of the system as well as periodic reviews to improve its operation: •monitoring the extent to which the organization’s business continuity policy, objectives and targets are met; •measuring the performance of the processes, procedures and functions that protect its prioritized activities; •monitoring compliance with this standard and the business continuity objectives; •monitoring historical evidence of deficient BCMS’ performance •conducting internal audits at planned intervals; and •evaluating all this in the management review at planned intervals.
  27. 27. ISO 22301 –Clause 10: Improvement •Continual improvement: •all the actions taken throughout the organization to increase effectiveness (reaching objectives) and efficiency (an optimal cost/benefit ratio) of security processes and controls to bring increased benefits to the organization and its stakeholders.
  28. 28. More information •The American Institute of Certified Public Accountants (AICPA) •Information Systems Audit and Control Association (ISACA) •Association of Information Technology Professionals (AITP) •Institute of Internal Auditors (IIA) •International Association for Computer Information Systems (IACIS) •Information Systems Security Association (ISSA) •International Disaster Recovery Association (IDRA) •Business Recovery Managers Association (BRMA) •British Standards Institute (BSI) •
  29. 29. Thank you