How to Write an Effective Business Continuity Plan
By Teddy Ansink
An effective business continuity plan (BCP) is proactive: it aims to avoid and mitigate the risks associated with a disruption of operations, including ensuring that personnel and assets are protected and able to keep functioning in the event of a disaster.
Because so much depends on that goal, developing a BCP requires strategic thinking, starting with an honest inventory of the threats and risks the company actually faces.
Before creating a business continuity plan, it’s important to keep in mind the goals of a thorough strategy:
- Be proactive: Understand and prepare for events that may happen before they occur.
- Mitigate risks: Reduce both the extent of exposure and the likelihood that a disruption occurs.
- Analyze the disruption of operations: Develop metrics that assess the likelihood and impact of losing specific services to unforeseen circumstances.
It’s also helpful to look at a business continuity plan from the perspective of the three phases of the event itself in order to identify the goals to achieve as the incident unfolds:
- Before an event: Be positioned to recover from the business interruption that a natural disaster or man-made event may cause.
- During an event: Clearly define responses to the event so that rehearsed processes mitigate risk and reduce the time to recovery.
- After an event: Review the documentation produced during the event and use it to improve the established processes and procedures.
Defining the intent of your plan as outlined above is the first step to creating a business continuity plan. Once this is documented, there are six steps to moving forward with developing an effective business continuity plan. They are:
- Identify critical information and applications
- Determine the impact of loss
- Evaluate different recovery strategies
- Develop a comprehensive written plan
- Test the BCP at least once a year
- Make changes and improvements along the way
For merchants and others who must be PCI compliant, the continuity elements of your plan must satisfy specific requirements. The Payment Card Industry Data Security Standard (PCI DSS) requires an incident response plan (Requirement 12.10.1 in PCI DSS v3.2.1) that, at a minimum, addresses the following:
- Roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of the payment brands
- Specific incident response procedures
- Business recovery and continuity procedures
- Data backup processes
- Analysis of legal requirements for reporting compromises
- Coverage and responses of all critical system components
- Reference or inclusion of incident response procedures from the payment brands
Keep the above points in mind when building your plan. Tailor the action items to your organization and the way you do business, and apply lessons learned, with the corresponding improvements, on a regular basis rather than only after an incident.
As a full-service information security and compliance firm, Sword & Shield Enterprise Security partners with our customers to provide business continuity and disaster recovery services and more in order to ensure smooth and consistent operations.
To learn how Sword & Shield can help your business create an effective business continuity plan, request a free consultation.
Teddy Ansink is an enterprise security consultant operating out of Sword & Shield’s Nashville, Tennessee, office. With nearly 10 years’ experience in the IT industry, Teddy has performed as the lead contact on many IT projects in which he provided assistance with the design, integration, implementation and troubleshooting of solutions. Teddy’s educational background includes a degree in Electrical Engineering from the University of Tennessee and an MBA from King University. His previous work experience stems from employment with Pilot Flying J, IBM, and his time serving in the United States Navy. Teddy provides project leadership and management expertise while focusing on IT security throughout diversified environments.
Sword & Shield specializes in security, risk and compliance assessment, managed security services, enterprise security consulting, security incident response and forensics, and technical solutions.