ISO IEC 17799 2000*

TRANSLATED INTO PLAIN ENGLISH

Section 11: Business Continuity Management


* ISO 17799 2000 is now OBSOLETE.
Please see
ISO IEC 27002 2005!

ISO 17799 IS AN INFORMATION SECURITY MANAGEMENT STANDARD

11.1 DESIGN A CONTINUITY MANAGEMENT PROCESS

Develop a business continuity management process to protect your critical business processes during business disruptions, security failures, and disasters.

Make sure that your business continuity management process is used to prevent business disruptions, security failures, and disasters.

Make sure that your business continuity management process is used to recover from business disruptions, security failures, and disasters.

Make sure that your business continuity management process is used to identify and reduce security risks.

Make sure that your business continuity management process is used to ensure that essential operations are restored as quickly as possible.

Make sure that your business continuity management process is used to limit the impact that damaging incidents could have.

Analyze the impact that disasters could have on your critical business processes.

Analyze the impact that security failures could have on critical business processes.

Analyze the impact that a loss of service could have on critical business processes.

Develop contingency plans in order to ensure that critical business processes are restored within a reasonable period of time.

Practice implementing your contingency plans.

11.1.1 ESTABLISH YOUR CONTINUITY MANAGEMENT PROCESS

Establish a process to manage and maintain business continuity throughout your organization.

Identify and prioritize your organization's most critical business processes.

Identify the risks that threaten the security of your business processes.

Estimate the likelihood that your organization will be exposed to significant security risks and threats.

Analyze the impact that serious threats could have on the security of your organization's processes.

Analyze the impact that interruptions could have on the viability of your business.

Find solutions to the security problems that could undermine the viability of your business.

Find solutions for the security threats and problems that are smaller and less serious.

Increase your security through the purchase of suitable insurance.

Formulate business objectives and priorities for your information processing facilities.

Formulate a business continuity strategy for your information processing facilities.

Document your business continuity strategy.

Make sure that your business continuity strategy is consistent with your organization's business objectives and priorities.

Formulate business continuity plans for your information processing facilities.

Document your business continuity plans.

Make sure that your business continuity plans are consistent with your business continuity strategy.

Make sure that responsibility for coordinating your continuity management process has been assigned to someone at the appropriate level within your organization.

Institutionalize continuity management.

11.1.2 PERFORM THREAT ANALYSIS AND IMPACT ANALYSIS

Carry out a threat analysis in order to identify the events that could interrupt your business processes.

Carry out your threat analysis with the full involvement of process and resource owners.

Make sure that your threat analysis includes all business processes.

Carry out a risk assessment in order to identify the impact that business process interruptions could have.

Make sure that your impact analysis identifies how much damage your business process interruptions could cause.

Make sure that your impact analysis identifies how long it would take to recover from business process interruptions.

Carry out your impact analysis with the full involvement of process and resource owners.

Make sure that your impact analysis includes all business processes.

Use the results of your analyses and assessments to develop a strategy that defines your organization's general approach to business continuity.

Make sure that your senior management endorses your general business continuity strategy.

11.1.3 DEVELOP YOUR BUSINESS CONTINUITY PLANS

Develop plans to restore and continue business operations after critical processes have failed or been interrupted.

Make sure that your business continuity plans help you to achieve your business objectives.

Make sure that your business continuity plans help you to restore services to customers within a reasonable period of time.

Make sure that your business continuity plans identify the resources that will be needed to restore business processes.

Make sure that your business continuity plans identify the services that will be needed to restore business processes.

Make sure that your business continuity plans identify the staffing that will be needed to restore business processes.

Make sure that your business continuity plans identify and assign all emergency management responsibilities.

Make sure that your business continuity plans define all necessary emergency response procedures.

Make sure that your emergency response procedures ensure that your critical processes will be recovered and restored within the required time limits.

Make sure that your emergency response procedures accommodate and deal with all external business interdependencies.

Make sure that your emergency response procedures respect and reflect all related business contracts.

Document all emergency response procedures.

Document all critical business processes.

Make sure that your business continuity plans identify fallback arrangements for information processing facilities.

Teach your staff members how to use your emergency response procedures.

Teach your staff members how critical business processes will be recovered and restored.

Teach your staff members about your crisis management methods and procedures.

Test your business continuity plans on a regular basis.

Update your business continuity plans on a regular basis.

11.1.4 MAINTAIN A CONTINUITY PLANNING FRAMEWORK

Establish a single framework of business continuity plans to ensure that all plans are consistent with one another.

Use your business continuity planning framework to determine plan testing priorities.

Use your business continuity planning framework to determine plan maintenance priorities.

Make sure that each business continuity plan includes a maintenance schedule that explains how and when the plan will be tested and maintained.

Amend your business continuity plans whenever new security threats or requirements are identified.

Make sure that each business continuity plan clearly specifies the conditions that must be met before it is activated.

Make sure that each business continuity plan specifies the process that must be followed before a plan may be activated.

Make sure that each business continuity plan explains how a crisis situation should be assessed before a plan is activated.

Make sure that each business continuity plan specifies who should be contacted and involved before a plan may be activated.

Make sure that each business continuity plan specifies who is responsible for executing each part of the plan.

Make sure that each business continuity plan nominates alternative personnel who would be responsible for executing the plan if those who are primarily responsible are unable to do so.

Make sure that each business continuity plan describes the emergency procedures that should be followed and the actions that should be taken to handle security incidents.

Make sure that each business continuity plan explains how relations with the public should be managed during an emergency.

Make sure that each business continuity plan explains how relations with governmental agencies and authorities should be managed during an emergency.

Make sure that each business continuity plan explains how relations with emergency responders should be managed during an emergency.

Make sure that each business continuity plan describes fallback procedures that should be followed to move essential business activities and services to alternative locations.

Make sure that each business continuity plan describes fallback procedures that should be followed to reactivate your business processes within the required time limits.

Make sure that each business continuity plan describes resumption procedures that should be followed to bring your business processes and services back to normal.

Make sure that each business continuity plan describes the education and awareness activities that should be carried out to help ensure that staff members understand your business continuity methods and procedures.

Make sure that each business continuity plan specifies who owns and is responsible for managing and maintaining the plan.

Make sure that owners of business processes and resources have been given the responsibility to manage the implementation of related fallback and business resumption plans.

Make sure that owners of business processes and resources are responsible for managing the implementation of the emergency response procedures that affect their areas.

Make sure that technical service providers are responsible for managing the implementation of alternative technical services and fallback arrangements.

Make sure that information service providers are responsible for managing the implementation of alternative information processing facilities and fallback arrangements.

Make sure that communications service providers are responsible for managing the implementation of alternative communications facilities and fallback arrangements.

11.1.5 TEST AND UPDATE CONTINUITY MANAGEMENT PLANS

11.1.5.1 TEST BUSINESS CONTINUITY MANAGEMENT PLANS

Test your business continuity management plans regularly in order to verify that they are effective and up-to-date.

Evaluate your planning assumptions when you test your business continuity management plans.

Check to see that you haven't missed anything important when you test your business continuity management plans.

Make sure that changes in equipment haven't compromised the effectiveness of business continuity management plans.

Make sure that changes in personnel haven't compromised the effectiveness of business continuity management plans.

Make sure that the personnel who must implement your business continuity plans understand how to do so.

Make sure that all recovery team members are aware of your business continuity management plans.

Develop a test schedule that explains how and when each element of each business continuity plan should be tested.

Identify examples of business interruptions and then discuss what type of business recovery arrangements should be made (perform table-top tests).

Carry out simulations of business interruptions in order to test and train the crisis management and business recovery skills of your personnel.

Carry out technical recovery tests in order to ensure that your information systems can be properly restored.

Carry out recovery tests at alternative backup sites.

Test the ability of suppliers to provide contracted services and facilities during business interruptions.

Carry out complete rehearsals in order to ensure that all personnel, equipment, facilities, and processes can cope with business interruptions.

11.1.5.2 UPDATE BUSINESS CONTINUITY MANAGEMENT PLANS

Use regular reviews and updates to maintain the effectiveness of business continuity management plans.

Make sure that your change management program includes procedures to ensure that business continuity plans are routinely updated.

Make sure that the responsibility for the regular review of each business continuity plan has been assigned.

Make sure that your business continuity management plans are updated whenever important changes in business practices and arrangements occur.

Make sure that updated business continuity management plans are distributed to all participating personnel.

Make sure that you consider updating business continuity management plans whenever new equipment is purchased.

Consider updating business continuity management plans whenever you upgrade operational systems.

Consider updating business continuity management plans whenever you change key personnel.

Consider updating business continuity management plans whenever key addresses or telephone numbers change.

Consider updating your business continuity management plans whenever you change your business strategy.

Consider updating your business continuity management plans whenever you change your locations or facilities.

Consider updating your business continuity management plans whenever resources change.

Consider updating your business continuity management plans whenever relevant legislation or regulations change.

Consider updating your business continuity management plans whenever you change contractors or suppliers.

Consider updating your business continuity management plans whenever important or major customers change.

Consider updating your business continuity management plans whenever your organization's processes change.

Consider updating your continuity management plans whenever you create new processes or remove old ones.

Consider updating your business continuity management plans whenever operational or financial risk factors change.

Copyright © 2005 - 2007 by Praxiom Research Group Limited. All Rights Reserved.

This web page was updated on October 2, 2007

On the Web since May 25, 1997