Exercising BCMS plan
Barbro Thöyrä
Owner of CeBeLOT AB
Barbro Thöyrä is owner of CeBeLOT AB, BCMS consultant and trainer and a PECB Certified Trainer. Ms Thöyrä is certified for ISO
22301 Master, ISO 22301 Lead Auditor, ICT Disaster Recovery Manager, ISO 28000 Provisional Implementer, and for Outsourcing
Manager from PECB.
+46 (0)708794652 https://se.linkedin.com/in/barbro-thöyrä-119b0427
barbro@thoyra.eu
www.cebelot.se
https://www.facebook.com/barbro.thoyra
General information
- About me
- Content of this webinar
- Duration of the webinar
- Questions
Content of this webinar
• Why do we need to exercise
• The types of exercises
• How to perform an exercise
Why do we need to exercise
• To ascertain if all escalation and notification procedures will work properly in the event of a disaster.
• To ascertain if response and recovery plans and procedures are adequate for current and future (changing) needs.
• Verify the information in the plan is current and accurate.
• Verify that the recovery strategies incorporated in the plan will provide a satisfactory level of support in the event of a disaster.
• Verify the vital records stored off-site are current and accessible for interim processing.
• Verify the backup data processing hardware is adequate to handle a recovery operation.
Objectives of the BCMS Exercise Program
• Verify the voice telecommunications backup network is adequate to handle response and recovery communication needs.
• Verify that all personnel understand their roles and can successfully execute their responsibilities in a disaster situation.
• Create awareness among the employees that management is seriously concerned with the effectiveness of the BCP Plan.
• To provide a learning environment for all employees who are involved in the BCP process.
• Identify any deficiencies in the plan.
• Ensure that all critical and/or time-sensitive processes can be recovered.
• Obtain a realistic benchmark of the recovery time.
Objectives of the BCMS Exercise Program
One of the key elements of the BCMS program is the periodic use
of partial or complete "disaster drills" to ensure the recovery site
can be rapidly and successfully put in operation.
A plan which has not been successfully exercised cannot be
assumed to work.
The exercises are carefully evaluated and changed accordingly
Types of exercises
Exercise methods
• Unannounced
• Announced
  – Personnel are prepared in advance for the exercise
  – Ensure that everyone understands that it is an exercise and not an actual emergency response and recovery operation.
Types of exercise
• Table Top
• Structured Walk-through
• Live Production
• Simulation
• Crisis Management
Other examples
• Initial office verification
• Current and historic documentation
• Back-up recovery and review of recovery procedures
• Second exercise
• Mock disaster exercise
• Relocate to recovery environment
• Relocate critical data
• Relocate critical documentation
• Verify recovery procedures accuracy
• Initial exercises should start small
• Exercises should be real and specific
• Detailed procedures should verify the vital records & call trees
• Exercising should involve actual data
How to perform an exercise
Business Continuity assumptions……
o Specific assumptions for each recovery strategy
o General assumptions:
• Vital records are stored in off-site storage
• Back-up regime is functional
• Transmission is operational
• Recovery sites are pre-prepared, e.g. HW/SW, site location
• Access to site is permitted
• Voice communication possibilities
• Necessary recovery supplies are available
• Recovery teams are trained in their tasks
Preparing the exercise organisation
Exercise organisation:
• Exercise Leader(s)
• Exercise Observer(s)
• Exercise Participants
Exercise tools:
• Exercise Scripts
• Exercise Observer’s Checklist
• BCMS Plan
• Conference room outside office area
Develop the BCMS exercise program
• Objectives of the exercise program
• Review the types of exercises
• Plan exercising guidelines and scripts
• Develop the exercise schedule
• Develop an exercise sequence checklist
• Appoint a plan exercise co-ordinator
• Document the exercise results
• Conduct an exercise evaluation meeting
• Auditing the exercises
• Scenario to develop/exercise the plan -
• Provide perspective to the developers
– Crisis and Emergency Management
– Other BCMS teams
• Should call for full implementation of the plan
• Designed on the following assumptions:
– Severe magnitude
– Occurs at the worst possible time
– Loss of all files, information & equipment
• May need to be changed from time to time and as organizational / environmental
changes occur
The key disaster scenario
• At any time of the day or night, your business processes are made unusable by a major incident.
• Upon arriving at your building for normal work, you find that the building is inaccessible and all its contents unusable.
• Nothing can go in or out of the environment: no data, no telecommunications.
• Only the data and information that you have identified and stored off site BEFORE the incident is available.
• If your business is cyclical (e.g., New Year's Eve is the worst time that you could experience a major incident), assume this is the case in answering the questions.
Scenario
Exercise Schedule
| Date | Test leader | Test observer | Group | System/process | Team | Number |
|---|---|---|---|---|---|---|
| 4-Nov-13 | Person 1 | Testob 1 | Voice-1 | MSC/BSC | ROC, NMC, FE, STE, TRS, Eng Support, MD, DN | 9 |
| | Person 2 | Testob 2 | Voice-2 | HLR, SSP | ROC, NMC | 6 |
| | Person 3 | Testob 3 | Voice-3 | NMS | OSS, NMC | 7 |
| | Person 4 | Testob 4 | Voice-4 | BTS, BSC-SAT | Radio, FE, TRS | 8 |
| | | | | | Total | 30 |

| Date | Test leader | Test observer | Group | System/process | Team | Number |
|---|---|---|---|---|---|---|
| 6-Nov-13 | Person 2 | Testob 2 | Non Voice-1 | VMS, IVR Topup, SMP | VASM, NMC | 10 |
| | Person 5 | Testob 5 | Non Voice-2 | IVR, VoiCD | NMC, IVR eng | 8 |
| | Person 1 | Testob 1 | Non Voice-3 | SMSC, SCP, SCP-VC | VAS, SMS eng | 8 |
| | Person 3 | Testob 3 | ITS-2 | Data Network | Network | 5 |
| | Person 4 | Testob 4 | ITS-3 | SIM System | Eng. SIM | 5 |
| | | | | | Total | 36 |
Use a Planning Form to prepare written objectives, measurement criteria,
procedures and post-exercise results.
There should be a one-to-one correlation between objectives, measurement
criteria and procedures.
Information recorded on this form should detail the tasks to be performed as
agreed by the Business Continuity Manager and/or Business Continuity
Coordinator.
BCMS Exercise
• Defining and “playing-out” appropriate disaster scenarios for each exercise
• Ensuring the exercise scripts are adequately understood by team members
• Must be capable of supporting any queries or misunderstandings from the exercise audience.
• Perform timekeeping during exercise methods and ensure agreements to documented RTOs
• Evaluation of exercise results and compare the exercise results with the required expectations
• Preparation of the Exercise Result report in conjunction with the Exercise Observer
• Identification of improvements to the BCMS plan
• Critique the exercises
• Correct the exercise errors
• Re-exercise if necessary
Preparing the exercise organisation
Who should be the exercise leader? The exercise leader should:
• have a thorough knowledge of the BCMS plan
• be familiar with the processes involved in escalation, notification, response and recovery
• understand and appreciate the importance of exercise
• have an appreciation of BCMS concepts
• understand the importance of exercise for “Worst Case”, “Partial site damage” and “Not in Time” disaster scenarios.
Preparing the exercise organisation
BCMS Exercise Leader
Guideline
1. SCOPE AND OBJECTIVE
2. PLAN EXERCISE GUIDELINES
3. DOCUMENTING THE RESULTS OF THE EXERCISE
3.1. Prepare the Plan Exercise Form found in the BCMS documentation
a) Specify the type of exercise, area to be exercised, location of the Response/Recovery site, the scheduled dates for the exercise, and the Response or Recovery Teams which will be involved.
b) State the Exercise Objectives.
c) List the Measurement Criteria: What elements will be used to determine the success of the exercise?
d) What phase of the Plan will be exercised in this exercise?
   a. Which procedures, checklists, and responsibilities will be exercised?
   b. Which exceptions, if any, must be considered?
e) Describe the Exercise Scenario; choose one of the identified incident scenarios: ‘Worst Case’, ‘Partial site damage’ or ‘Not in time’.
• Record the availability of alternate team members if required
• Record the team’s acceptability of the exercise scenario presented
• Record the team’s understanding of the exercise objectives
• Record all discrepancies of results among teams
• Record time discrepancies against expected times, RTOs
• Record the team’s abilities to carry out the exercise
• Record the feasibility of the exercise being performed
• Record any valid arguments from team members for future exercise purposes
• Record the team members’ commitment to BCMS
• Record the members’ team workability
Preparing the exercise organisation
BCMS Plan Exercise
Observer’s Checklist
ADDITIONAL COMMENTS:
INDIVIDUAL EFFECTIVENESS
TEAM EFFECTIVENESS
PLAN EFFECTIVENESS
EXERCISE EFFECTIVENESS
OVERALL IMPRESSION
Did the EXERCISE begin (start) on
time?
Did the EXERCISE complete (end)
on time?
Exercise Leader identified?
Alternate Exercise Leader
identified?
Exercise Leader & Alternate
qualified/capable of leading
Business Continuity Plan exercise?
EXERCISE OBSERVER’S CHECKLIST
Issue to be Evaluated | Issue Addressed | Team & Person | Comments
Principal Objective - To Determine the Value of the Exercise ST1.
Exercise Scripts:
Escalation & Notification
Response Phase
Recovery Phase
Preparing the exercise organisation
STEP 0: Emergency is declared and the appropriate Recovery Plan is activated.
(To all)
What are the criteria to do that?
How is this done? Who is notified? And by whom? (BCM)
What is done next?
What teams are called out? (RMT Call Tree)
Where do they go? (RCC)
STEP 1: (RMT)
You have been contacted by the person who asked you to activate the recovery plan.
What information do you receive? From whom? (BCC)
Where do you go? (RCC)
What tools do you use? (RMT Action Plan)
What kind of information do you need for recovery? And where do you find it? (Team Definition and Responsibility, Recovery Requirement)
What Recovery Strategies are chosen?
Are they realistic?
Will they meet the need in time?
If the situation is not exactly as in the BCP plan what do you do? (RMT Action Plan)
STEP 2: (To all)
The stricken area starts the notification.
Who is called? (Recovery Team Call Tree)
How is this done? (Notification Team)
STEP 3: (Recovery Team)
You have been contacted to recover the YYY process at the site ST2. (Name the process)
Do you know why you are called?
Who calls you? (Notification Team)
Do you receive any instructions?
(For example, where to go and at which time to meet the team leader, announce to the team leader upon arrival…)
STEP 4: (Recovery Team)
1. INTRODUCTION
2. BASIC INFORMATION, THE BCMS PROJECT SCOPE
3. EXERCISED BUSINESS PROCESSES
4. EXERCISE METHODOLOGY USED
5. RESULTS ACHIEVED IN GENERAL
6. CONCLUSIONS
BCMS Exercise Report
Exercise results in general
Exercises were a success!!!
- Changing language to native language improved the understanding
- Clarification of team roles and the tools (reports and forms)
- Escalation & Notification was new to the audience
- The teams demonstrated high understanding and competence in
the recovery tasks
- More exercises are needed – ‘Walk Through’- with all BCMS members
- Some necessary updates to the plan discovered
- Participants were very engaged in the exercises
• In general, the results achieved were according to expectations of a first-time exercise.
The exercises could have been better if the participants had had the opportunity
to study the plans in advance.
Presentations were given just in native language by the BCMS Working Team,
improvement!
As a substitute for the BCC and other management one of the BCMS Working Team
members was assigned to the role. As it was done in English it was not perceived as
expected. That was changed for the other exercising days as well.
Some of the BCCs participated and that was an improvement of the exercising.
Exercise results by BCMS Exercise Team
Should include home phone numbers and other contact points.
It was also recommended that at least the most significant members of the
BCMS organization should have a mobile subscription of another operator –
‘Red Line’ phone.
The plans should be translated to native language to gain better
understanding of the content.
All members impressed with their competence in their working area and the
business processes.
Exercise results by BCMS Exercise Team
Improvements suggested by the exercised teams and the Exercise Leaders:
Company should subscribe to an alternative way of voice communication, e.g. a subscription of another operator.
Company should also look at the transportation issue in order to find a proper solution.
• All team members assigned to the plan must read and understand the plan.
• Conduct an additional exercise (‘Walk Through’) after the recovery strategies are implemented with all BCMS members.
• Assign a person not involved in the BCMS as an Exercise Observer.
Exercise results, recommendation
An organization wishing to comply with ISO 22301 shall at least:
1. Develop exercise and test scenarios with clearly defined aims and
objectives;
2. Plan and conduct tests and exercises at regular intervals (at least once a
year);
3. Produce formalized post-exercise reports that contain outcomes,
recommendations and actions to implement improvements.
ISO 22313, clause 8.5: Exercising and testing
8.5.1 General. Business continuity procedures and arrangements cannot
be considered reliable until exercised and unless their currency is
maintained. Exercising is essential to ensure that the strategies, policies,
plans and procedures that have been put in place are adequate and meet
the business continuity objectives. Exercising develops teamwork,
competency, confidence and knowledge and should include those who may
be required to use the procedures.
2016-03-01
Questions ?
“By failing to prepare
you are preparing to fail.”
— Ben Franklin
THANK YOU

Sectors of the Indian Economy - Class 10 Study Notes pdf
 
B.ed spl. HI pdusu exam paper-2023-24.pdf
B.ed spl. HI pdusu exam paper-2023-24.pdfB.ed spl. HI pdusu exam paper-2023-24.pdf
B.ed spl. HI pdusu exam paper-2023-24.pdf
 
The geography of Taylor Swift - some ideas
The geography of Taylor Swift - some ideasThe geography of Taylor Swift - some ideas
The geography of Taylor Swift - some ideas
 
2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...
 
The Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official PublicationThe Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official Publication
 
NCERT Solutions Power Sharing Class 10 Notes pdf
NCERT Solutions Power Sharing Class 10 Notes pdfNCERT Solutions Power Sharing Class 10 Notes pdf
NCERT Solutions Power Sharing Class 10 Notes pdf
 
Basic phrases for greeting and assisting costumers
Basic phrases for greeting and assisting costumersBasic phrases for greeting and assisting costumers
Basic phrases for greeting and assisting costumers
 
Instructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptxInstructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptx
 
Students, digital devices and success - Andreas Schleicher - 27 May 2024..pptx
Students, digital devices and success - Andreas Schleicher - 27 May 2024..pptxStudents, digital devices and success - Andreas Schleicher - 27 May 2024..pptx
Students, digital devices and success - Andreas Schleicher - 27 May 2024..pptx
 
Basic_QTL_Marker-assisted_Selection_Sourabh.ppt
Basic_QTL_Marker-assisted_Selection_Sourabh.pptBasic_QTL_Marker-assisted_Selection_Sourabh.ppt
Basic_QTL_Marker-assisted_Selection_Sourabh.ppt
 
The approach at University of Liverpool.pptx
The approach at University of Liverpool.pptxThe approach at University of Liverpool.pptx
The approach at University of Liverpool.pptx
 
Fish and Chips - have they had their chips
Fish and Chips - have they had their chipsFish and Chips - have they had their chips
Fish and Chips - have they had their chips
 
Extraction Of Natural Dye From Beetroot (Beta Vulgaris) And Preparation Of He...
Extraction Of Natural Dye From Beetroot (Beta Vulgaris) And Preparation Of He...Extraction Of Natural Dye From Beetroot (Beta Vulgaris) And Preparation Of He...
Extraction Of Natural Dye From Beetroot (Beta Vulgaris) And Preparation Of He...
 
The Art Pastor's Guide to Sabbath | Steve Thomason
The Art Pastor's Guide to Sabbath | Steve ThomasonThe Art Pastor's Guide to Sabbath | Steve Thomason
The Art Pastor's Guide to Sabbath | Steve Thomason
 

Exercising BCMS plan

  • 2. Barbro Thöyrä Owner of CeBeLOT AB Barbro Thöyrä is owner of CeBeLOT AB, BCMS consultant and trainer and a PECB Certified Trainer. Ms Thöyrä is certified for ISO 22301 Master, ISO 22301 Lead Auditor, ICT Disaster Recovery Manager, ISO 28000 Provisional Implementer, and for Outsourcing Manager from PECB. +46 (0)708794652 https://se.linkedin.com/in/barbro-thöyrä-119b0427 barbro@thoyra.eu www.cebelot.se https://www.facebook.com/barbro.thoyra
  • 3. General information - About me - Content of this webinar - Duration of the webinar - Questions
  • 4. Content of this webinar • Why do we need to exercise • The types of exercises • How to perform an exercise
  • 5. Why do we need to exercise
  • 6. Objectives of the BCMS Exercise Program • To ascertain if all escalation and notification procedures will work properly in the event of a disaster. • To ascertain if response and recovery plans and procedures are adequate for current and future (changing) needs. • Verify the information in the plan is current and accurate. • Verify that the recovery strategies incorporated in the plan will provide a satisfactory level of support in the event of a disaster. • Verify the vital records stored off-site are current and accessible for interim processing. • Verify the backup data processing hardware is adequate to handle a recovery operation.
  • 7. Objectives of the BCMS Exercise Program • Verify the voice telecommunications backup network is adequate to handle response and recovery communication needs. • Verify that all personnel understand their roles and can successfully execute their responsibilities in a disaster situation. • Create awareness among the employees that management is seriously concerned with the effectiveness of the BCP Plan. • To provide a learning environment for all employees who are involved in the BCP process. • Identify any deficiencies in the plan. • Ensure that all critical and/or time-sensitive processes can be recovered. • Obtain a realistic benchmark of the recovery time.
  • 8. One of the key elements of the BCMS program is the periodic use of partial or complete "disaster drills" to ensure the recovery site can be rapidly and successfully put in operation. A plan which has not been successfully exercised cannot be assumed to work. The exercises are carefully evaluated and changed accordingly
  • 10. Exercise methods • Unannounced • Announced – Personnel are prepared in advance for the exercise – Ensure that everyone understands that it is an exercise and not an actual emergency response and recovery operation. Types of exercise • Table Top • Structured Walk-through • Live Production • Simulation • Crisis Management
  • 11. Other examples • Initial office verification • Current and historic documentation • Back-up recovery and review of recovery procedures • Second exercise • Mock disaster exercise • Relocate to recovery environment • Relocate critical data • Relocate critical documentation • Verify recovery procedures accuracy
  • 12. • Initial exercises should start small • Exercises should be real and specific • Detailed procedures should verify the vital records & call trees • Exercising should involve actual data
  • 13. How to perform an exercise
  • 14. Business Continuity assumptions… o Specific assumptions for each recovery strategy o General assumptions: • Vital records stored in off-site storage • Back-up regime is functional • Transmission is operational • Recovery sites are pre-prepared, e.g. HW/SW, site location • Access to site is permitted • Voice communication possibilities • Necessary recovery supplies are available • Recovery teams are trained in their tasks
  • 15. Preparing the exercise organisation Exercise organisation: • Exercise Leader(s) • Exercise Observer(s) • Exercise Participants Exercise tools: • Exercise Scripts • Exercise Observer’s Checklist • BCMS Plan • Conference room outside office area
  • 16. Develop the BCMS exercise program • Objectives of the exercise program • Review the types of exercises • Plan exercising guidelines and scripts • Develop the exercise schedule • Develop an exercise sequence checklist • Appoint a plan exercise co-ordinator • Document the exercise results • Conduct an exercise evaluation meeting • Auditing the exercises
  • 17. The key disaster scenario • Scenario to develop/exercise the plan • Provide perspective to the developers – Crisis and Emergency Management – Other BCMS teams • Should call for full implementation of the plan • Designed on the following assumptions: – Severe magnitude – Occurs at the worst possible time – Loss of all files, information & equipment • May need to be changed from time to time and as organizational / environmental changes occur
  • 18. Scenario • At any time of the day or night, your business processes are made unusable by a major incident. • Upon arriving at your building for normal work, you find that the building is inaccessible and all its contents unusable. • Nothing can go in or out of the environment: no data, no telecommunications. • Only the data and information that you have identified and stored off site BEFORE the incident is available. • If your business is cyclical (e.g., New Year's Eve is the worst time that you could experience a major incident), assume this is the case in answering the questions.
  • 19. Exercise Schedule
    Date: 4-Nov-13
    Test leader | Test observer | Group | System/process, Team | Number
    Person 1 | Testob 1 | Voice-1 | MSC/BSC ROC, NMC, FE, STE, TRS, Eng Support, MD, DN | 9
    Person 2 | Testob 2 | Voice-2 | HLR, SSP ROC, NMC | 6
    Person 3 | Testob 3 | Voice-3 | NMS OSS, NMC | 7
    Person 4 | Testob 4 | Voice-4 | BTS, BSC-SAT Radio, FE, TRS | 8
    Total | | | | 30
    Date: 6-Nov-13
    Test leader | Test observer | Group | System/process, Team | Number
    Person 2 | Testob 2 | Non Voice-1 | VMS, IVR Topup, SMP VASM, NMC | 10
    Person 5 | Testob 5 | Non Voice-2 | IVR, VoiCD NMC, IVR eng | 8
    Person 1 | Testob 1 | Non Voice-3 | SMSC, SCP, SCP-VC VAS, SMS eng | 8
    Person 3 | Testob 3 | ITS-2 | Data Network Network | 5
    Person 4 | Testob 4 | ITS-3 | SIM System Eng. SIM | 5
    Total | | | | 36
  • 20. BCMS Exercise Use a Planning Form to prepare written objectives, measurement criteria, procedures and post-exercise results. There should be a one-to-one correlation between objectives, measurement criteria and procedures. Information recorded on this form should detail the tasks to be performed as agreed by the Business Continuity Manager and/or Business Continuity Coordinator.
  • 21. Preparing the exercise organisation • Defining and “playing-out” appropriate disaster scenarios for each exercise • Ensuring the exercise scripts are adequately understood by team members • Must be capable of supporting any queries or misunderstandings from the exercise audience. • Perform timekeeping during exercise methods and ensure agreements to documented RTOs • Evaluation of exercise results and compare the exercise results with the required expectations • Preparation of the Exercise Result report in conjunction with the Exercise Observer • Identification of improvements to the BCMS plan • Critique the exercises • Correct the exercise errors • Re-exercise if necessary
  • 22. Preparing the exercise organisation Who should be the exercise leader? • have a thorough knowledge of the BCMS plan • be familiar with the processes involved in escalation, notification, response and recovery • understand and appreciate the importance of exercise • appreciation of BCMS concepts • understand the importance of exercise for “Worst Case”, “Partial site damage” and “Not in Time” disaster scenarios.
  • 23. BCMS Exercise Leader Guideline 1. SCOPE AND OBJECTIVE 2. PLAN EXERCISE GUIDELINES 3. DOCUMENTING THE RESULTS OF THE EXERCISE 3.1. Prepare the Plan Exercise Form found in the BCMS documentation a) Specify the type of exercise, area to be exercised, location of the Response/Recovery site, the scheduled dates for the exercise, and the Response or Recovery Teams which will be involved. b) State the Exercise Objectives. c) List the Measurement Criteria: What elements will be used to determine the success of the exercise? d) What phase of the Plan will be exercised in this exercise? i. Which procedures, checklists, and responsibilities will be exercised? ii. Which exceptions, if any, must be considered? e) Describe the Exercise Scenario; choose one of the identified incident scenarios: ‘Worst Case’, ‘Partial site damage’ or ‘Not in time’.
  • 24. Preparing the exercise organisation • Record the availability of alternate team members if required • Record the team’s acceptability of the exercise scenario presented • Record the team’s understanding of the exercise objectives • Record all discrepancies of results among teams • Record time discrepancies against expected times, RTOs • Record the team’s abilities to carry out the exercise • Record the feasibility of the exercise being performed • Record any valid arguments from team members for future exercise purposes • Record the team members’ commitment to BCMS • Record the members’ team workability
  • 25. BCMS Plan Exercise Observer’s Checklist ADDITIONAL COMMENTS: INDIVIDUAL EFFECTIVENESS TEAM EFFECTIVENESS PLAN EFFECTIVENESS EXERCISE EFFECTIVENESS OVERALL IMPRESSION
  • 26. EXERCISE OBSERVER’S CHECKLIST Principal Objective - To Determine the Value of the Exercise ST1. ISSU Team & Issue to be Evaluated Addressed Person Comments • Did the EXERCISE begin (start) on time? • Did the EXERCISE complete (end) on time? • Exercise Leader identified? • Alternate Exercise Leader identified? • Exercise Leader & Alternate qualified/capable of leading Business Continuity Plan exercise?
  • 27. Preparing the exercise organisation Exercise Scripts: • Escalation & Notification • Response Phase • Recovery Phase
  • 28. STEP 0: Emergency is declared and the appropriate Recovery Plan is activated. (To all) What are the criteria to do that? How is this done? Who is notified? And by whom? (BCM) What is done next? What teams are called out? (RMT Call Tree) Where do they go? (RCC) STEP 1: (RMT) You have been contacted by the person who asked you to activate the recovery plan. What information do you receive? From whom? (BCC) Where do you go? (RCC) What tools do you use? (RMT Action Plan) What kind of information do you need for recovery? And where do you find it? (Team Definition and Responsibility, Recovery Requirement) What Recovery Strategies are chosen? Are they realistic? Will they meet the need in time? If the situation is not exactly as in the BCP plan what do you do? (RMT Action Plan) STEP 2: (To all) The stricken area starts the notification. Who is called? (Recovery Team Call Tree) How is this done? (Notification Team) STEP 3: (Recovery Team) You have been contacted to recover the YYY process at the site ST2. (Name the process) Do you know why you are called? Who calls you? (Notification Team) Do you receive any instructions? (For example where to go and at which time to meet the team leader, announce to the team leader upon arrival….. STEP 4: (Recovery Team)
  • 29. BCMS Exercise Report 1. INTRODUCTION 2. BASIC INFORMATION, THE BCMS PROJECT SCOPE 3. EXERCISED BUSINESS PROCESSES 4. EXERCISE METHODOLOGY USED 5. RESULTS ACHIEVED IN GENERAL 6. CONCLUSIONS
  • 30. Exercise results in general Exercises were a success!!! - Changing language to native language improved the understanding - Clarification of team roles and the tools (reports and forms) - Escalation & Notification was new to the audience - The teams demonstrated high understanding and competence in the recovery tasks - More exercises are needed – ‘Walk Through’- with all BCMS members - Some necessary updates to the plan discovered - Participants were very engaged in the exercises
  • 31. Exercise results by BCMS Exercise Team In general, the results achieved were according to expectations of a first time exercise. The exercises could have been better off if the participants had had the opportunity to study the plans in advance. Presentations were given just in native language by the BCMS Working Team, improvement! As a substitute for the BCC and other management one of the BCMS Working Team members was assigned to the role. As it was done in English it was not perceived as expected. That was changed for the other exercising days as well. Some of the BCCs participated and that was an improvement of the exercising.
  • 32. Exercise results by BCMS Exercise Team Improvements suggested by the exercised teams and the Exercise Leaders: Should include home phone numbers and other contact points. It was also recommended that at least the most significant members of the BCMS organization should have a mobile subscription of another operator – ‘Red Line’ phone. The plans should be translated to native language to gain better understanding of the content. All members impressed with their competence in their working area and the business processes.
  • 33. Exercise results, recommendation Company should subscribe to an alternative way of voice communication, e.g. a subscription of another operator. Company should also look at the transportation issue in order to find a proper solution. • All team members assigned to the plan must read and understand the plan. • Conduct an additional exercise (‘Walk Through’) after the recovery strategies are implemented with all BCMS members. • Assign a person not involved in the BCMS as an Exercise Observer.
  • 34. An organization wishing to comply with ISO 22301 shall at least: 1. Develop exercise and test scenarios with clearly defined aims and objectives; 2. Plan and conduct tests and exercises at regular intervals (at least once a year); 3. Produce formalized post-exercise reports that contain outcomes, recommendations and actions to implement improvements.
  • 35. ISO 22313, clause 8.5: Exercising and testing 8.5.1 General. Business continuity procedures and arrangements cannot be considered reliable until exercised and unless their currency is maintained. Exercising is essential to ensure that the strategies, policies, plans and procedures that have been put in place are adequate and meet the business continuity objectives. Exercising develops teamwork, competency, confidence and knowledge and should include those who may be required to use the procedures.
  • 36. 2016-03-01 Questions? “By failing to prepare you are preparing to fail.” — Ben Franklin
  • 37. QUESTIONS? THANK YOU +46 (0)708794652 https://se.linkedin.com/in/barbro-thöyrä-119b0427 barbro@thoyra.eu www.cebelot.se https://www.facebook.com/barbro.thoyra