Business Continuity Plan (BCP)
Hello, everyone. This is instructor Gerry Roberts, and this is risk policies and security controls.
In this video, we're gonna talk about what the BCP or business continuity plan is.
Who are the actors that are involved with the plan?
the planning process,
and we'll wrap up.
So what exactly is the business continuity?
The BCP, or business continuity plan, is a document that is put together by various individuals in an organization.
The idea is that they're going to be able to plan for longer term outages and disasters.
A good example of a long-term outage or disaster
might be Hurricane Maria in Puerto Rico.
They sustained 92 million US in damage,
and in some places on the island there are still no utilities,
even though this happened in 2017, which is almost two years ago.
This is different from a DRP, or disaster recovery response plan,
which is meant to cover short-term disasters so the company can get back to work as soon as possible.
So who is involved with your BCP?
First of all, your management has to start the process.
A business continuity coordinator is identified by management and that person's gonna be responsible for making sure all the different things that need to be done are done.
You also have a business continuity committee,
which management and the coordinator put together,
and this is comprised of members from management, IT security, communications and legal.
And you want a good mix of different people from different departments and different levels of management, so you have visibility into the different areas of your company and can better plan.
Now, in some cases, the entire company might be involved
if there's a training that needs to be done,
or, in some cases, during testing and drills the entire company might be involved.
So the BCP planning process.
So when you start to plan, the first thing you're gonna do is what's called a continuity policy.
This is a policy that's put together by management, the committee and the coordinator that pretty much says what we want to get out of our policy and what things we need to look at for continuity.
This will help guide the BCP document
Next, a BIA, or business impact analysis system.
This helps us identify important functions and resources, as well as identify threats.
Remember earlier when we were talking about risk management? We can't do anything unless we know what the threat is. So identifying threats along with important functions and resources is very important.
Once those items are identified, then you can identify preventative controls.
In this stage, you're gonna identify and implement those controls that could help lower the overall risk to the organization.
Next, you want to develop some recovery strategies.
So that way, if an event happens, even though there are controls in place,
you'll be able to recover faster.
Now you'll create methods for bringing critical infrastructure back online quickly first.
Business won't be able to run without critical infrastructure.
Next, you develop the contingency plan.
These are procedures and guidelines for how the business can stay afloat even in a critical failure.
This is very important because businesses can actually disappear and go out of business if they're not able to stay afloat
during a major disaster
Exercise, test and drill.
Test your plans.
Improve the plans if you find there's an issue with them.
train your employees. This is very important.
If you don't train your employees and something happens, they may not know what to do, or they may not be comfortable with what they have to do.
Also, if you can, do drills if possible,
and these could be simple drills,
just to help employees get ready.
and last but not least maintain.
There's no reason to do all of this if you're not gonna maintain it.
Situations change. Equipment changes. Locations change. People change.
Threats change. Everything changes.
So have a plan
and make sure you go through with that plan and maintain
your disaster recovery
and your BCP plan.
Yeah, there's some standards out there available for your BCP.
Some of these are standards, some of these are frameworks,
but the important part is they help you put together your BCP with some best practices.
You may use these to help guide your organization in the process.
Some standards that are available that you might be able to use
NIST has several:
the 800-34, and there are multiple others available.
There's the BS 2599, which is a British Standards Institute standard,
ISO/IEC 27031
and ISO 22031.
You also have the Business Continuity Institute's Good Practice Guidelines, which is just pretty much a document of best practices.
You also have the DRI International Institute's Professional Practices for Business Continuity Planners, which is also another document with a bunch of best practices that might help you out.
You know, if you're part of the United States government, you're probably gonna have to comply with some of the standards, not just look at them,
most likely NIST and ISO.
if you're in other countries
such as England,
you may have to do things for the British Standards Institute, such as the BS 2599.
And I know quite a few other countries that do business with the U. S. Government also have to comply with some of these standards.
So that's it for our lecture. Time for a question. So, our post-assessment question:
In which stage of the BCP planning process will you identify and implement controls?
Is that during the develop the contingency plan stage,
the maintain stage,
the continuity policy stage
or the identify preventative controls stage?
I'll give you a moment to see if you can figure that out.
As always, you can pause and we'll come back to the answer in a moment.
The answer is D, identify preventative controls.
During that particular stage, you're gonna identify preventative controls that can help you address the issues that you found in the previous stage, where you were going through and identifying threats.
And you will also implement these controls during this stage if you can do so.