Business Continuity Planning is critical to any organization. What do you do, and how do you respond, when a disaster hits that causes a disruption or outage of your services? This is where a business continuity plan (BCP) and a disaster recovery plan (DRP) come into play. An effective business continuity plan helps to maintain normal operations during and after a disaster. In this blog, I will provide an overview of what a business continuity plan is, why it is important, the general components every BCP should have, how to test your BCP, the difference between a BCP and a DR plan, and finally, what SOC 2 auditors focus on when auditing an organization’s BCP.
What is the Purpose of a Business Continuity Plan?
The purpose of a business continuity plan is to keep critical business operations and functions running during and after a disaster. A business continuity plan is often confused with a disaster recovery plan; we will discuss what a disaster recovery plan is later in this blog, since the two go hand in hand. A BCP addresses the question: how can the business and its services continue operating if a disaster strikes? A BCP outlines the procedures and instructions that the business must follow at the time of a disaster so that it can continue operating. Before outlining the elements of a BCP, the bullets below list key points and best practices to consider when establishing and then maintaining a BCP:
- Senior management needs to approve the plan (in order to obtain buy-in from the entire organization).
- The plan needs to be reviewed and updated regularly – at least annually.
- The more detailed and up to date the plan is, the better.
- Update the plan when roles change or there is turnover within the BCP team.
- Update the plan after each test and capture the lessons learned.
- Update the plan when there is a change in infrastructure, architecture, processes, policies, staff, or anything that would have an impact on the execution of the plan.
- The most important factor is people and ensuring their safety, as well as having them understand the plan!
What Are the Elements of a Business Continuity Plan & How Do You Write One?
Below I will outline the general components that every business continuity plan should have:
- Scope and purpose of the BCP
- Identifying assets and their locations (including critical systems, business functions/processes, and data).
- Business impact analysis (BIA), i.e. determining the criticality of the identified systems that support your services and the order of importance for recovery during a disaster. The BIA includes the following components:
  - Rating the order of importance for recovery of the identified critical assets.
  - Identifying classes of relevant threat scenarios and the impacts they may have on your critical (and noncritical) assets.
  - Outlining what controls are in place to address the relevant threats.
  - Identifying the RTO and RPO for each critical system:
    - RTO (recovery time objective) is the time period within which business functions must be recovered before severe financial loss results.
    - RPO (recovery point objective) is the amount of data (measured in time) you can afford to lose at the time of a disaster.
- Recovery strategies and continuity development (backup locations and resources)
- Disaster recovery plan and step by step procedures
- Identifying the business continuity team
  - Include contact information (name, title, email, phone, and address if relevant).
- Prioritizing emergency communications.
Importance of BCP Testing
The continuity plan team must be trained and tested on the BCP. Testing includes members of the team completing exercises that walk through the plan and its strategies to increase preparedness. Additionally, if the team is trained on the plan, it can be executed quickly and effectively even when the documented plan is inaccessible to the team during a disaster. Conducting tests helps the team understand, and build a mindset for, what to do if the office and/or your systems (where your plan is stored) are inaccessible when a disaster strikes. The overall objectives of BCP tests are to improve the response process, identify gaps or weaknesses in the plan, and develop team readiness and response as noted above. Again, tests should be conducted annually, at a minimum.
A few of the common types of BCP drills/tests are the tabletop test, the walkthrough, and simulated testing. More details on each of these test types can be found in NIST guidance and elsewhere.
How Do You Classify a Disaster?
Types of disasters that could impact critical business operations include (but are not limited to) the following:
- Massive cyber-attack on your systems (where an attacker breaks in and shuts down and/or destroys everything).
- Natural disaster (hurricane, flood, fire, snow/ice storm) – damaging an office and/or data center causing critical infrastructure or services to become unavailable or unresponsive.
- System failures supporting critical business processes.
- Cloud services outages.
- Hardware failures.
- Network and internet disruptions.
Business Continuity Plan vs Disaster Recovery Plan
To reiterate, business continuity is the continuation of business processes during and after a disaster strikes. A DRP, on the other hand, is the plan for the recovery of computer operations (and is usually a subset of the BCP). Overall, the purpose of the DRP is to get technical operations back to normal in the shortest time possible. Below is a list of key factors to consider as part of a DRP:
- The DRP includes the step-by-step procedures to follow in order to restore services.
- The DRP also ensures that data and critical applications are restored from backup so that the business can continue regular operations.
- The DRP is a short-term plan to recover systems and data.
- The BCP is a long-term plan to maintain continuity of operations.
- The DRP takes into account the specific RTO and RPO, which are determined through the BIA.
What Do SOC 2 Auditors Focus on When Auditing BCP?
Business continuity and disaster recovery are a focus of a SOC 2 audit if the Availability criteria are included in the scope of the examination. The availability criteria/requirements are listed below (quoted from the AICPA Trust Services Criteria).
“A1.1: The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.
A1.2: The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives.
A1.3: The entity tests recovery plan procedures supporting system recovery to meet its objectives.”
Against these criteria, SOC 2 auditors will typically ask about the following:
- Does your organization have a documented BCP?
- Does your organization have a documented DR plan?
- Have you tested your BCP within the last year (at a minimum)?
- Have you tested your DR plan within the last year (at a minimum)?
- What are your critical data backup procedures (including backup configuration and retention of backups)?
- Have you tested the recovery of your backups?
- Are you maintaining and monitoring your services and supporting infrastructure for performance, availability, and security?
- Are you alerted when services and supporting infrastructure meet certain thresholds?
- Do you have a cybersecurity and business interruption insurance policy?
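The RTO and RPO defined in the BIA section above, and the auditor questions about backup procedures and restore testing, can be checked mechanically against evidence. The following is an added example, not code from the original post or from Linford & Co.: it assumes a hypothetical two-system BIA, a constructed backup job log, and constructed restore-test timings, and reports where the measured backup interval, the data-loss exposure at a given moment, or the tested restore time falls outside the BIA targets.

```python
from datetime import datetime, timedelta
# Constructed BIA output for two hypothetical systems: RPO and RTO per critical system.
BIA = {
    "billing-db": {"rpo": timedelta(hours=1), "rto": timedelta(hours=4)},
    "file-share": {"rpo": timedelta(hours=24), "rto": timedelta(hours=48)},
}
# Constructed backup job log, one line per job: "<timestamp> <system> backup <ok|FAILED>".
BACKUP_LOG = """\
2024-03-01T00:00:00 billing-db backup ok
2024-03-01T01:00:00 billing-db backup ok
2024-03-01T02:00:00 billing-db backup FAILED
2024-03-01T03:30:00 billing-db backup ok
2024-03-01T04:00:00 billing-db backup ok
2024-03-01T00:00:00 file-share backup ok
2024-03-02T00:00:00 file-share backup ok
"""
# Constructed restore-test results: measured wall-clock time to restore each system.
RESTORE_TESTS = {"billing-db": timedelta(hours=5), "file-share": timedelta(hours=20)}

def successful_backups(log_text):
    """Map system -> sorted timestamps of successful backups (failed jobs are ignored)."""
    times = {}
    for line in log_text.splitlines():
        ts, system, _job, status = line.split()
        if status == "ok":
            times.setdefault(system, []).append(datetime.fromisoformat(ts))
    return {s: sorted(t) for s, t in times.items()}

def rpo_breaches(bia, backups):
    """Systems whose worst gap between successful backups exceeds RPO (None: fewer than two backups)."""
    breaches = {}
    for system, targets in bia.items():
        stamps = backups.get(system, [])
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        worst = max(gaps) if gaps else None
        if worst is None or worst > targets["rpo"]:
            breaches[system] = worst
    return breaches

def data_loss_exposure(backups, system, disaster_time):
    """Data lost if a disaster struck at disaster_time: the age of the last successful
    backup taken before that moment, which is exactly what the RPO is meant to bound."""
    prior = [t for t in backups.get(system, []) if t <= disaster_time]
    return disaster_time - max(prior) if prior else None

def rto_breaches(bia, restore_tests):
    """Systems whose tested restore time exceeds their RTO, plus any never restore-tested."""
    return {s: restore_tests.get(s) for s, targets in bia.items()
            if s not in restore_tests or restore_tests[s] > targets["rto"]}
```

A system that appears in the BIA but has no restore test or fewer than two successful backups is reported with None rather than being treated as compliant, since missing evidence is itself a finding.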
Establishing a BCP is critical if you would like your organization to be prepared to maintain services during a disaster event. Once the BCP is created, it is crucial that it is reviewed and updated frequently to account for changes to services, processes, infrastructure, vendors, staff, etc. Updating the plan as needed will help ensure your organization is as well prepared as possible should a disaster hit.
Olivia Refile (CISSP, CISA, CRISC, GSEC, ISO Lead Auditor) specializes in SOC examinations for Linford & Co., LLP. She completed her Bachelor of Business Administration, with a concentration in Management Information Systems, at Temple University’s Fox School of Business in 2010. Olivia started her career in IT Risk Management in 2010, specializing in internal and external audits as well as IT security risk assessments. Following her time in risk management, Olivia moved solely into external IT audit and is currently dedicated to performing SOC 1 and SOC 2 examinations.