The document discusses the importance of business continuity and disaster recovery planning. It outlines key concepts like business continuity, disaster recovery, recovery point objective (RPO), and recovery time objective (RTO). Statistics are provided showing that 40-60% of businesses that close due to a disaster never reopen, and the average cost of downtime is $366,363 per year. The new global standard, ISO 22301, is also summarized, outlining its key clauses related to leadership, planning, support, operation, and improvement of business continuity management systems.

1. The Importance Of Business Continuity And Disaster Recovery Planning
By Aqel M. Aqel
Information Systems Audit & Control Association
Rolling Meadows Illinois –USA (www.isaca.org)
CISA –Coordinator / Research Director -Riyadh Chapter
Dec 2014

2. Why BCP & DRP
•Successful businesses expect the unexpected and plan for it.
•Disruptions to your business can result in:
•Data risk,
•Revenue loss,
•Failure to deliver services
•That’s why organizations need strong business continuity planning.
John Sharp, 2012,The Route Map to Business Continuity Management: Meeting the Requirements of ISO 22301’ by
A Good Plan Increases Your Chances of Recovery

3. Concepts and Terminology
•Business continuitydescribes the processes and procedures an organization must put in place to ensure that mission-critical functions can continue during and after a disaster.
•Disaster recoveryrefers to specific steps taken to resume operations in the aftermath of a catastrophic disaster (natural or national emergency)

4. Reasons behind Disasters
•Environmental Disasters
•Tornado& Hurricane
•Power Grid Failure
•Flood
•Snowstorm
•Earthquake
•Electrical storms
•Fire
•Fire
•Sink Holes
•Landslides
Man Made Disruptions
Terrorist Attack
Sabotage التخريب
War / Theft
Arson الحريق المتعمد
Labor Disputes
Equipment or System Failure
Internal power failure
Air conditioning failure
Cooling plant failure
Equipment failure
IT Failures and Security Breaches
Cyber crime
Loss of records or data
Disclosure of sensitive information
IT system failure

5. More Concepts and Terminology
Recovery Point Objective(RPO) measures the ability to recover files by specifying a point in time restore of the backup copy.
Recovery Time Objective(RTO)measures the time that it takes for a system to be completely up and running in the event of a disaster.
Source: Network Servers 2011

6. More Concepts and Terminology
•Recovery Point Objective(RPO) measures the ability to recover files by specifying a point in time restore of the backup copy.i.e.
•Amount of data lost from failure, measured as the amount of time from a disaster event
•It's determined by the amount of time between data protection events and reflects the amount of data that potentially could be lost during a disaster recovery.
•The metric is an indication of the amount of data at risk of being lost.
•Recovery Time Objective(RTO)measures the time that it takes for a system to be completely up and running in the event of a disaster. i.e.
•Targeted amount of time to restart a business service after a disaster event.
•It is related to downtime. The metric refers to the amount of time it takes to recover from a data loss event and how long it takes to return to service.
•RTO refers then to the amount of time the system's data is unavailable or inaccessible preventing normal service.

7. RPO and RTO

8. RTO and RPO
Source: http://wikibon.org/w/images/0/04/RPO_RTO_Horison.jpg

9. Facts
•The US Chamber of Commerce reported that:
•the economic losses in 2011, as a result of natural disasters, reached $380 million.
•Federal Emergency Management Agency (www.fema.gov) reports:
•40-60% of businesses that close due to disaster never reopen!!
(source: https://telovations.wordpress.com/tag/revenue-lost-due-to-natural-disaster/

10. Facts
Source: FreeFormDynamics 2011
•Only 23% of Respondents said: yes, there is a formal DR plan in place.

11. Facts
•Numbers Speaks!

12. Facts
Source: http://www.e-janco.com/DRP_BCP_Audit.html

13. Facts
Source: http://powerwindows.wordpress.com/2010/10/25/windows-geoclusters-stretch-clusters-and-recoverpointce-failover/
•Cost of downtime does not propagate linearly!

14. Facts
•What part of IT infrastructures are covered by BC/DR plans
Source: Howard Marks (2008) http://www.informationweek.com/practical-disaster-recovery-for-midsize-companies/d/d-id/1075012?

15. Facts
Source: Howard Marks (2008) http://www.informationweek.com/practical-disaster-recovery-for-midsize-companies/d/d-id/1075012?
•What are the barriers to adoption of a business continuity plan?
•Cost and complexity are
•Lack of skills is a reason as well.

16. Facts
http://www.crn.com/slide-shows/storage/240006796/8-surprising-disaster-recovery-stats.htm/pgno/0/7
86% of companies experienced one or more instances of system downtime in the previous 12 months.
Downtimes lasted 2.2 days on the average and cost each business an average of $366,363 a year.
33% of businesses admitted they do not back up virtual servers as often as they do their physical servers.

17. Policies
Support Motivation
Sponsoring & follow up
Procedures
Policies
Tools
Roles and Responsibilities
Methodologies / Best Practices
Training
Validation
Audit Programs
Reports
Awareness
Source: Aqel M. Aqel, IT Security in your firm, what is it, & how to achieve it. (2011).
Monitoring
Execution
Leadership
Actionable model

18. ISO 22301
In 2012, BCI in partnership with BSI launch of ISO 22301, the new global standard for business continuity management.

19. ISO 22301
•Provides a comprehensive set of controls based on BCM best practice.
•Covets the whole BCM lifecycle.
•Defines the strategic and tactical capability of an organization to plan for and respond to incidents.
•It is generic and offers organizations guidance on putting their BCM systems in place.

20. ISO 22301 –2012 key Clauses
•Clause 1:Scope
•Clause 2:Normative References
•Clause 3:Terms and Conditions
•Clause 4:Context of the organization
•Clause 5:Leadership
•Clause 6:Planning
•Clause 7:Support
•Clause 8:Operation
•Clause 9:Performance evaluation
•Clause 10: Improvement

21. ISO 22301 -Clause 4:Context of the organization

22. ISO 22301 –Clause 5:Leadership
•Top management needs to demonstrate an ongoing commitment to the BCMS.
•Integrating the BCMS requirements into the organization’s business processes
•Providing the necessary resources for the BCMS
•Communicating the importance of effective business continuity management
•Ensuring that the BCMS achieves its expected outcomes
•Directing and supporting continual improvement
•Establish and communicate a business continuity policy
•Ensuring that BCMS objectives and plans are established
•Ensuring that the responsibilities and authorities for relevant roles are assigned

23. ISO 22301 –Clause 6:Planning
•Establishing strategic objectives and guiding principles for the BCMS.
•The business continuity objectives must: be consistent with the business continuity policy;
•Ttakeinto account the minimum level of products and services that is acceptable to the organization to achieve its objectives;
•be measurable;
•take into account applicable requirements;
•be monitored and updated as appropriate

24. ISO 22301 –Clause 7:Support
•Using the appropriate resources for each task.
•Competent staff with relevant (and demonstrable)
•Training and supporting services
•Awareness and communication.
•Both internal and external communications of the organization must be considered in this area.
•The requirements on the creation, update and control of documented information are also specified in this clause.

25. ISO 22301 –Clause 8:Operation
•Business Impact Analysis (BIA):
•Risk assessment
•Business continuity strategy:
•Business continuity procedures:
•Exercising and testing

26. ISO 22301 –Clause 9:Performance evaluation
•ISO 22301 requires permanent monitoring of the system as well as periodic reviews to improve its operation:
•monitoring the extent to which the organization’s business continuity policy, objectives and targets are met;
•measuring the performance of the processes, procedures and functions that protect its prioritized activities;
•monitoring compliance with this standard and the business continuity objectives;
•monitoring historical evidence of deficient BCMS’ performance
•conducting internal audits at planned intervals; and
•evaluating all this in the management review at planned intervals.

27. ISO 22301 –Clause 10: Improvement
•Continual improvement:
•all the actions taken throughout the organization to increase effectiveness (reaching objectives) and efficiency (an optimal cost/benefit ratio) of security processes and controls to bring increased benefits to the organization and its stakeholders.

28. More information
•The American Institute of Certified Public Accountants (AICPA)
•Information Systems Audit and Control Association (ISACA)
•Association of Information Technology Professionals (AITP)
•Institute of Internal Auditors (IIA)
•International Association for Computer Information Systems (IACIS)
•Information Systems Security Association (ISSA)
•International Disaster Recovery Association (IDRA)
•Business Recovery Managers Association (BRMA)
•British Standards Institute (BSI)
•http://www.slideshare.net/AhmedRiad2/ss-38345026

29. Thank you